
OK, so I've got `password_hash` working on one of my pages.

I'm wondering how I would apply `password_verify` to the following code:

function selectUser($conn, $username, $password) {

    // Looks the row up by username AND password (this is the part the answer changes)
    $query = "SELECT username, password FROM login WHERE password = :password AND username = :username";

    $stmt = $conn->prepare($query);
    $stmt->bindValue(':username', $username);
    $stmt->bindValue(':password', $password);
    $stmt->execute();

    if ($row = $stmt->fetch()) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        echo "Welcome, you are now logged in as " . $username;
        return true;
    }
    else {
        //echo "Your details were not found";
        return false;
    }
}

I tried it myself and it's been very confusing to me.

Thank you.

I also have this:

if (!isset($_POST["Login"])) {
    header("Location: new-user.php");
    exit; // stop here, otherwise the rest of the script still runs after the redirect
}

$username = trim($_POST['username']);
$password = $_POST['password'];

$username = htmlspecialchars($username);
$validForm = true;

if (empty($_POST["username"])) {
    $validForm = false;
}
if (empty($_POST["password"])) {
    $validForm = false;
}
if (!$validForm) {
    $error = "please ensure all fields are filled in";
    include("add.php");
    return false;
}

$conn = getConn();
$successLogin = selectUser($conn, $username, $password);
if ($successLogin) {
    header("Location: search.php");
    exit; // same here: do not keep executing after issuing the redirect
} else {
    $error = "The details you have entered are incorrect";
    include("add.php");
}

$conn = NULL; // close the connection

Update

I also tried this. I know this doesn't work; I tested with echo statements but still no luck:

function hash_input() {

    $password = "sfafgsd";

    return $password = password_hash($_POST['password'], PASSWORD_BCRYPT);
}

function selectUser($conn, $username, $password)
{
    $query = "SELECT password FROM login WHERE username = :username";
    $stmt = $conn->prepare($query);
    $stmt->bindValue(':username', $username);
    $stmt->execute();
    echo $username . " " . $password;
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
    {
        echo "WE MADE IT";
        if (password_verify(hash_input($password), $row['password'])) {
            $_SESSION['username'] = $username;
            echo "Welcome, you are now logged in as " . $username;
            return true;
        }

        //echo "Your details were not found";
        sleep(1);
        return false;
    }
    else
    {
        //echo "Your details were not found";
        return false;
    }
}
    You'd retrieve the login record based purely on username, then use password_verify to compare the plaintext password entered by the user with the hash retrieved from the login record – Mark Baker Dec 08 '17 at 15:48
  • How do I compare it against what the user enters? – James Green Dec 08 '17 at 15:55
  • Start by changing your database query: `$query = "SELECT username, password FROM login WHERE username = :username";` You don't know the value stored in the database for password, so you can't use it to retrieve the correct row – Mark Baker Dec 08 '17 at 15:59
  • 2
    Then when you've fetched the $row, you can test using password_verify(): `if (password_verify($password, $row['password']))` – Mark Baker Dec 08 '17 at 16:01
  • Given it a go but no luck; it keeps bringing back false – James Green Dec 08 '17 at 22:56
  • Check your PHP error log; you have a `return false` statement but you don't seem to be inside a function. TBH your code looks an utter nest of errors. Fundamentally, if you can't find your PHP errors as I have referenced to you in my other comments, then you need to `display` your PHP errors, and you can do that also from the links in my comments on my own answer. There are a multitude of small errors here; the easiest way to solve them is to read the error log. Understand the error log. And fix the errors one at a time. Good luck – Martin Dec 09 '17 at 21:58

1 Answer


The comments given by Mark cover the below exactly.

Order of events:

  • Send username to database and collect the hashed password from the row found.
  • run the password string given through password_verify to compare with the hashed value
  • return this result (true/false).
  • Celebrate. Have a coffee or a tea.

There is no need to put password data in `$_SESSION`, and it is a bad idea. Password data (hash or plaintext) should not be retained beyond this function call. If you do for some reason need to have a nonce value associated with this account/membership/login, then this should be set up using a random string in its own column in the database.

Improved Function Code

function selectUser($conn, $username, $password)
{
    // Fetch the stored hash by username only; the password never goes into the query
    $query = "SELECT password FROM login WHERE username = :username LIMIT 1";
    $stmt = $conn->prepare($query);
    $stmt->bindValue(':username', $username);
    // $stmt->bindValue(':password', $password); NO. Don't do this.
    $stmt->execute();

    if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
    {
        // Compare the submitted plaintext against the stored hash
        if (password_verify($password, $row['password'])) {
            $_SESSION['username'] = $username;
            // $_SESSION['password'] = $password; DO NOT DO THIS
            echo "Welcome, you are now logged in as " . $username;
            return true;
        }
        // bad password
        //echo "Your details were not found";
        sleep(1); // it can be a good idea to add a forced pause on
                  // password fail to discourage brute force cracking.
        return false;
    }
    // no such user
    //echo "Your details were not found";
    return false;
}
Martin
  • That doesn't seem to work for some odd reason; it keeps returning false – James Green Dec 08 '17 at 19:28
  • @JamesGreen Please update your question and at the end append the code usage of the function; use `error_log` to output the contents of your variables. Also [check your PHP error logs](https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display) for if you have other coding errors. – Martin Dec 08 '17 at 19:41
  • checked the logs on the apache server, dont see anything – James Green Dec 08 '17 at 20:54
  • @JamesGreen there are specific PHP error logs. Typically you want to find these as they are [not in the apache logs](https://stackoverflow.com/questions/43314089/where-is-the-error-log-file). [This topic](https://stackoverflow.com/questions/5127838/where-does-php-store-the-error-log-php5-apache-fastcgi-cpanel?rq=1) may also help you. – Martin Dec 08 '17 at 23:30
  • Please also show the code where you call your `selectUser` function. – Martin Dec 08 '17 at 23:32
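The "order of events" in the answer, carried through as one runnable round trip (register with `password_hash`, look the row up by username only, check with `password_verify`). This is an added example, not code from the question or the answer: it uses an in-memory SQLite database through PDO (assumes the `pdo_sqlite` extension and PHP 7.4+) so it runs stand-alone with `php login_example.php`. The table and column names (`login`, `username`, `password`) follow the question; `registerUser`, the dummy-hash trick for unknown users and the `password_needs_rehash` step are additions for this example.

```php
<?php
declare(strict_types=1);
// Added example (not the question's or answer's code): full register/login
// flow with password_hash() and password_verify() over an in-memory SQLite DB.

function getConn(): PDO {
    $conn = new PDO('sqlite::memory:');                     // assumption: pdo_sqlite available
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $conn;
}

// Registration: store only the hash, never the plaintext.
function registerUser(PDO $conn, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);     // salted bcrypt by default
    $stmt = $conn->prepare('INSERT INTO login (username, password) VALUES (:username, :password)');
    $stmt->bindValue(':username', $username);
    $stmt->bindValue(':password', $hash);
    $stmt->execute();
}

// Login: fetch by username alone, then let password_verify() compare the
// submitted plaintext against the stored hash (it extracts the salt itself).
function selectUser(PDO $conn, string $username, string $password): bool {
    $stmt = $conn->prepare('SELECT password FROM login WHERE username = :username LIMIT 1');
    $stmt->bindValue(':username', $username);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a dummy hash so the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $storedHash = $row['password'] ?? $dummyHash;

    if ($row === false || !password_verify($password, $storedHash)) {
        return false;                                        // wrong password or no such user
    }

    // The plaintext is only in hand at login time, so this is the moment to
    // upgrade hashes created with an older algorithm or lower cost.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $conn->prepare('UPDATE login SET password = :password WHERE username = :username');
        $upd->bindValue(':password', password_hash($password, PASSWORD_DEFAULT));
        $upd->bindValue(':username', $username);
        $upd->execute();
    }

    // Only the username goes into the session; rotate the session ID on login
    // so a session fixed before authentication is not promoted.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
    }
    return true;
}

// Driver: register one user (constructed sample data), then try three logins.
$conn = getConn();
registerUser($conn, 'alice', 'correct horse battery staple');
var_dump(selectUser($conn, 'alice', 'correct horse battery staple'));
var_dump(selectUser($conn, 'alice', 'wrong password'));
var_dump(selectUser($conn, 'nobody', 'anything'));
```

Two points the original function does not show: the dummy-hash branch keeps a failed login for a non-existent user as slow as one for a real user, which matters more than a fixed `sleep(1)` for stopping username enumeration; and a web page that calls `selectUser` should follow a successful `header("Location: ...")` with `exit`, otherwise the rest of the script keeps running after the redirect has been sent.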