-3

I'm trying to check if a password is correct. The password is in a database and hashed. I'm sure that the connection to the database works, because other queries were no problem. So my problem is that it always returns $password == false, also when the password should be right.

Here is my code:

  public function checkOldPwd($user_name, $pwd) {

      $query = "SELECT 'user_pwd' FROM users WHERE user_name = ?";
      $statement = ConnectionHandler::getConnection()->prepare($query);
      $statement->bind_param('s', $user_name);
      $statement->execute();
      $result = $statement->get_result();

      if (!$result) {
          throw new Exception($statement->error);
      }
      if (password_verify($pwd, $result)) {
          $password = true;
      } else {
          $password = false;
      }

      $result->close();
      return $password;
  }

I hope you can help me.

a.i.00
  • You don't need quotes around the field name - you could put back ticks, but single quotes will just return the content of the quotes as the value. – Nigel Ren Dec 20 '17 at 10:27
  • where is `$user` defined and what is the value of that – Jens Dec 20 '17 at 10:28
  • no, he means `$user`, used in the line `if ($user !== false && password_verify($pwd, $result)) {`. user is not defined. – kscherrer Dec 20 '17 at 10:42
  • You're right, I don't need it. I tried without it. It seems it wasn't the only problem... – a.i.00 Dec 20 '17 at 18:29

2 Answers

-1

I would like to remove this:
$user !== false &&
which is before the password_verify

halojoy
-1

You forgot to fetch the first row of $result, where $user is defined.

$result = $statement->get_result();

if (!$result) {
    throw new Exception($statement->error);
}

// fetch_array() returns null when no row matched (false only on error),
// so test for a fetched row rather than only for false.
$user = $result->fetch_array(MYSQLI_ASSOC);

if ($user && password_verify($pwd, $user['pwd_column_name'])) {
    $password = true;
} else {
    $password = false;
}
kscherrer
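A corrected version of the asker's checkOldPwd() that combines the points raised in the comments and both answers (no single quotes around the column name, fetch the row before calling password_verify(), and treat a missing row as a failed check). This is an added example, not code from the question or either answer; it assumes the question's `users` table with `user_name` and `user_pwd` columns holding password_hash() output, and that ConnectionHandler::getConnection() returns a mysqli object. The dummy-hash step near the end is an added hardening that the thread itself does not discuss.

```php
<?php
// Added example (not the asker's or the answerers' code): checkOldPwd() with the fixes
// from the comments and answers applied. Assumes the question's `users` table with
// columns `user_name` and `user_pwd` (password_hash() output) and that
// ConnectionHandler::getConnection() returns a mysqli instance.

function checkOldPwd(string $user_name, string $pwd): bool
{
    // No single quotes around the column: 'user_pwd' selects the literal string
    // "user_pwd", so password_verify() could never match. Backticks quote an identifier.
    $query = "SELECT `user_pwd` FROM `users` WHERE `user_name` = ? LIMIT 1";

    $conn = ConnectionHandler::getConnection();
    $statement = $conn->prepare($query);
    if ($statement === false) {
        throw new Exception($conn->error);
    }
    $statement->bind_param('s', $user_name);
    if (!$statement->execute()) {
        $error = $statement->error;
        $statement->close();
        throw new Exception($error);
    }

    // get_result() returns a mysqli_result object, not the column value; the row
    // still has to be fetched. fetch_assoc() returns null when no row matched.
    $result = $statement->get_result();
    if ($result === false) {
        $error = $statement->error;
        $statement->close();
        throw new Exception($error);
    }
    $row = $result->fetch_assoc();
    $result->free();
    $statement->close();

    // Assumed hardening beyond the thread: verify against a dummy hash when the user
    // does not exist, so an unknown name costs about the same time as a wrong password.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    // A row with an empty/NULL hash must fail: password_verify() returns false for ''.
    $storedHash = $row === null ? $dummyHash : (string) ($row['user_pwd'] ?? '');

    $matches = password_verify($pwd, $storedHash);
    return $row !== null && $matches;
}
```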