
I am an absolute beginner at PHP and am in the middle of making my first login page with PHP and MySQL. At the moment I am not worried about SQL injection as I am still learning, but I will put in my real escape string later on when I finalize.

I am wondering why, no matter what I put, the password keeps returning as an incorrect password. At this point I am trying to test if I can get the correct password before I start writing for sessions.

When I create a password in the database I used md5 to encrypt the passwords; I'm not sure if this makes a difference, but I feel like it could affect the verify password function. Please take a look at the code below.

I started web development about 3 weeks ago, so please excuse my basic, trivial, messy code writing! I will probably put a lot of it into a functions PHP file so I can refer back to functions after I get the functionality right!

I am particularly interested in why the password_verify doesn't work! It keeps returning as incorrect. Is it because of the messy ifs within ifs, or a typo, or misuse? Please let me know your opinions :)

<?php
include 'dbconnect.php';            // provides $connection (mysqli)
$emailerror = $passworderror = '';  // initialise both; the original assigned an undefined variable

if (isset($_POST['submit'])) {
    $email    = $_POST['email'];
    $password = $_POST['password'];

    // validate the password field first so its message is not overwritten after the lookup
    if (empty($password)) {
        $passworderror = "*Password must be entered";
    } elseif (strlen($password) < 8) {   // the message said 8 but the original compared against 4
        $passworderror = "*Password has to be at least 8 characters";
    }

    if (empty($email)) {
        $emailerror = "*Email must be entered";
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $emailerror = "*Invalid email address entered";
    } else {
        // check if the email exists; a prepared statement replaces the interpolated query
        $stmt = mysqli_prepare($connection, "SELECT `Password` FROM `Potential_Employee` WHERE `Email` = ?");
        mysqli_stmt_bind_param($stmt, 's', $email);
        mysqli_stmt_execute($stmt);
        $emailcheckresult = mysqli_stmt_get_result($stmt);

        if (mysqli_num_rows($emailcheckresult) == 1) {
            $row = mysqli_fetch_assoc($emailcheckresult);

            // password_verify() only succeeds when the stored value came from password_hash();
            // a row holding an md5() digest will always fall through to the else branch
            if ($passworderror === '') {
                if (password_verify($password, $row['Password'])) {
                    $passworderror = "*Password is correct";
                } else {
                    $passworderror = "*Password is incorrect";
                }
            }
        } else {
            $emailerror = "*Email does not exist";
        }
        mysqli_stmt_close($stmt);
    }
}
?>
AdrianC
  • Oops, sorry guys, I meant to write `$emailerror = $passworderror = '';` on the third line, but other than that I'm still having the same issue – AdrianC Dec 01 '17 at 12:12
  • *When I create a password into the database I used md5 to encrypt the passwords* - there's your issue. `password_verify` is the counterpart to `password_hash`; if any other method was used to hash then it won't verify correctly. (Minor additional points: encryption is very different from hashing. And you shouldn't be using md5 anywhere, it's utterly broken.) – iainn Dec 01 '17 at 12:13
  • @iainn Oh I see, how would the code look if I am to verify a password encrypted by md5? – AdrianC Dec 01 '17 at 12:14
  • Don't use MD5 anymore for password hashing ( http://php.net/manual/en/faq.passwords.php ). – Raymond Nijland Dec 01 '17 at 12:15
  • Can I do `if (md5($password) == $row['Password']) { //Do something }`? – AdrianC Dec 01 '17 at 12:16
  • @RaymondNijland Thanks I'll check that link – AdrianC Dec 01 '17 at 12:17
  • You *can*, but you definitely shouldn't. Look into using the `password_hash` function to create your passwords instead; it provides a huge amount of benefits without any additional work. – iainn Dec 01 '17 at 12:17
  • ``$emailquery = ("SELECT * FROM `Potential_Employee` WHERE `Email` = '$email'");`` is vulnerable to SQL injection. ( https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php ) – Raymond Nijland Dec 01 '17 at 12:17
  • @iainn Will do, thanks! – AdrianC Dec 01 '17 at 12:21
  • On your register page use `$pass = password_hash($_POST['pwdField'], PASSWORD_DEFAULT)`; make sure your db column length is more than 60 chars, 255 would be best. – Masivuye Cokile Dec 01 '17 at 12:22
  • @MasivuyeCokile if I may ask, what does the PASSWORD_DEFAULT part mean, if password_hash is my function and post is the user input? – AdrianC Dec 01 '17 at 12:33
  • @TomCreed follow on the manual http://php.net/manual/en/function.password-hash.php – Masivuye Cokile Dec 01 '17 at 12:35
  • Ok thanks @MasivuyeCokile. So the error in this code is because I used two different methods to verify the password, and md5 should NOT be used, but instead the password_hash function. Thanks everyone. – AdrianC Dec 01 '17 at 12:39
  • For PHP use [php Password Hashing Functions](http://php.net/manual/en/ref.password.php). When saving a password verifier, just using a hash function is not sufficient, and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Better yet, use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `Argon2`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a substantial amount of time finding passwords by brute force. – zaph Dec 01 '17 at 15:20
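The register/login pairing the comments describe (password_hash on registration, password_verify on login, a slow work factor per zaph's comment), as an added example that is not the asker's code. It goes one step beyond the thread: rows that still hold a legacy md5 digest are checked once and upgraded to a password_hash value on successful login. It assumes a constructed in-memory $users array in place of the Potential_Employee table, keyed by email with a Password field.

```php
<?php
declare(strict_types=1);

// Registration: store password_hash() output, never md5(). PASSWORD_DEFAULT currently
// selects bcrypt; its output is ~60 chars and may grow with future algorithms, hence
// the VARCHAR(255) column suggested in the comments. 'cost' tunes the work factor
// (raise it until one hash takes roughly 100ms on your server).
function register(array &$users, string $email, string $password): void
{
    $users[$email] = ['Password' => password_hash($password, PASSWORD_DEFAULT, ['cost' => 12])];
}

// Login: password_verify() only understands password_hash() output, which is why the
// asker's md5-stored rows always came back "incorrect". A legacy row (32 hex chars) is
// compared against md5() with hash_equals() (constant-time) and, on success, replaced
// by a real hash so the table migrates itself as users log in. password_needs_rehash()
// does the same for rows hashed with an older cost or algorithm.
function login(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $stored      = $users[$email]['Password'];
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);

    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);

    if ($ok && ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12]))) {
        $users[$email]['Password'] = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    }
    return $ok;
}

// Constructed sample data: one legacy md5 row plus one registered through register().
$users = ['old@example.com' => ['Password' => md5('letmein99')]];
register($users, 'new@example.com', 'correct horse battery');

var_dump(login($users, 'new@example.com', 'correct horse battery'));   // modern row, right password
var_dump(login($users, 'new@example.com', 'wrong'));                   // modern row, wrong password
var_dump(login($users, 'old@example.com', 'letmein99'));               // legacy row, triggers upgrade
var_dump(password_get_info($users['old@example.com']['Password'])['algoName']); // no longer md5
```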
