Cannot get password_verify to work (PHP, MYSQL)

Question

I've set up password_hash in my registration script. Can't figure out how to use password_verify correctly to log into my website.

Screenshot of DB: https://i.stack.imgur.com/j8xqm.png

Login Code (says "incorrect login, even when the password is correct):

<?php  
    require 'db_connect.php';

    if (isset($_POST['username']) and isset($_POST['password'])){

        $username = $_POST['username'];
        $password = $_POST['password'];

        $query = "SELECT * FROM `member` WHERE username='$username'";

        $result = mysqli_query($connection, $query) or die(mysqli_error($connection));
        $count = mysqli_num_rows($result);

        if (password_verify($_POST['password'],$hashword))
        {
             echo "Correct login";
        }
            else
        {
            echo "incorrect login";
        }
    }
?>

Registration Code(Works great, no issues with DB connection either):

<?php
    require 'db_connect.php';

    $email = $_POST['email'];
    $username = $_POST['username'];
    $password1 = $_POST['password1'];
    $password2 = $_POST['password2'];

    if($password1 != $password2)
        header('Location: registration.html');
    if(strlen($username) > 25)
        header('Location: registration.html');

    $hashword = password_hash($password,PASSWORD_DEFAULT);

    $query = "INSERT INTO member ( username, password, email)
    VALUES ( '$username', '$hashword', '$email');";

    $result = mysqli_query($connection, $query) or die(mysqli_error($connection));
    mysql_close();

    header('Location: login.html');
?>

Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). — John Conde, Jan 01 '18 at 19:30
where does `$hashword` come from? can't see it in your login code other than inside password_verify. You are not fetching any data from your query just counting number of rows — Matt, Jan 01 '18 at 19:30
@Matt Lines 14 - 17 in the registration php file $hashword = password_hash($password,PASSWORD_DEFAULT); $query = "INSERT INTO member ( username, password, email) VALUES ( '$username', '$hashword', '$email');"; — , Jan 01 '18 at 19:35
@zgrav there are no line numbers so can only guess however... `$result = mysqli_query($connection, $query) or die(mysqli_error($connection));` ... `$count = mysqli_num_rows($result);` ... `if (password_verify($_POST['password'],$hashword))` between the query and the verify, you do not set `$hashword` anywhere — Matt, Jan 01 '18 at 19:36
@zgrav $hashword is not available in login.php though, you need to fetch the data from the database and use it — JimL, Jan 01 '18 at 19:37
I've added $hasword = $result['password']; Just underneath $count = mysqli_num_rows($result); And get another error: https://i.imgur.com/F5XH8IX.png — , Jan 01 '18 at 19:39
errror reporting would have helped you here as well as error handling on the query. There are methods for you to find and use on php.net's website. — Funk Forty Niner, Jan 02 '18 at 01:34
note: you're mixing mysql apis here `mysql_close();` you can't do that. — Funk Forty Niner, Jan 02 '18 at 01:35
@zgrav please don't vandalise your question. The moderators will get involved if you continue. — Robert Longson, Jan 06 '18 at 10:56

RamC · Accepted Answer · 2018-01-01T20:48:44.057

1

From your code, it looks like you are not checking the $_POST['password'] with the correct hashword which was inserted into the database.

The variable $hashword will have nothing and hence password_verify fails.

Fetch the value of password which was stored in the database and store it in $hashword variable then use it in the password_verify function for it to work as intended.

Example

$row = mysqli_fetch_assoc($result);
$hashword =  $row['password'];

Usage

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);

$row = mysqli_fetch_assoc($result);
$hashword =  $row['password'];

if (password_verify($_POST['password'],$hashword))
{
     echo "Correct login";
}
    else
{
    echo "incorrect login";
}

edited Jan 01 '18 at 20:48

answered Jan 01 '18 at 19:38

RamC

1,287
1
11
15

I've added $hasword = $result['password']; Just under $count = mysqli_num_rows($result); However now I'm getting a different error: https://i.imgur.com/F5XH8IX.png – Jan 01 '18 at 19:44
you cannot use the response of `mysqli_query` query directly to fetch the record. Please refer my answer on how to fetch the password from the `$result` variable – RamC Jan 01 '18 at 19:46
Sadly, I get the same error https://i.imgur.com/LSLdetI.png $hasword = $result['password']; is where it errors out – Jan 01 '18 at 19:53
Try adding the lines `$row = mysqli_fetch_row($result); $hashword = $row['password'];` and remove the line `$hasword = $result['password'];` – RamC Jan 01 '18 at 19:55
you did not remove the line `$hasword = $result['password'];` please remove it. Remove the line no 12. – RamC Jan 01 '18 at 20:05
My mistake! Now I'm just getting "incorrect login". And I'm 100% sure the login is correct. Tried pasting in the hashed password from the database and the original password, neither worked. – Jan 01 '18 at 20:10
You should use the original password in your form, not the hashed password. Can you show me your file ? along with the inputs ? – RamC Jan 01 '18 at 20:11
make sure $result['password'] is what you expect it is, check that the hash in the db is correct (many have had too short varchar fields which truncate the hash) – JimL Jan 01 '18 at 20:14
Sure, here's everything: https://gist.github.com/Lucas-Crosby/ced3932a734999c5bf4c61f9c8237751 – Jan 01 '18 at 20:17
@JimL the varchar limit is 120, each password is hashed to 60 characters I believe – Jan 01 '18 at 20:17
what about the input which you are providing in the form ? are you sure it is the same password which was used to generate the hashword and got inserted in the database ? – RamC Jan 01 '18 at 20:20
The code seems to be correct. Register a new user with a simple password, then use the same password to login, check and revert back if it works. – RamC Jan 01 '18 at 20:23
Same problem, sadly. I've also echod hashword to check it matches the database which it does. – Jan 01 '18 at 20:31
can you show the executed code with the output ? perhaps a screenshot with the echod values – RamC Jan 01 '18 at 20:32
Yes, it does. Change `$hashword = $row['password'];` to `$hashword = $row[2];` and check – RamC Jan 01 '18 at 20:38
@RamC although I did upvote your answer, I need to state that you didn't catch the fact that they're mixing different mysql api here, with `mysql_close();` and the sql injection holes. IMHO, the answer should be edited in order to reflect and for future users. – Funk Forty Niner Jan 02 '18 at 01:36
@FunkFortyNiner Yes, I agree, Shall edit and update the answer. – RamC Jan 02 '18 at 12:04

Cannot get password_verify to work (PHP, MYSQL)

1 Answers1