For some reason, I don't know if I am really getting the hashed password from the database or if I am comparing it correctly to the inputted password. I have successfully tested my registration with the password_hash method and I am seeing the hashed password in the database.

Should I also hash the inputted password to be compared to the hashed password from the database? Or is my query just wrong? Please help!!! Thanks!

<?php
require "../connection.php";

session_start();

    if(isset($_POST['login'])) {

    $username = stripslashes($_POST['username']);
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = stripslashes($_POST['password']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);

    $query = mysqli_query ($conn, "SELECT * FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
    $reader = mysqli_num_rows($query);

        if ($reader == 1) {
            $passwordQuery = mysqli_query ($conn, "SELECT password FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
            $row = mysqli_fetch_array($passwordQuery);
            $hashedPasswordFromDb = $row['password'];
            if (password_verify($password, $hashedPasswordFromDb)) {
                $query = mysqli_query ($conn, "SELECT id, student_number FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
                $row = mysqli_fetch_array($query);
                $id = $row['id'];
                $student_number = $row['student_number'];
                $sesData = array('id' => $id, 'student_number' => $student_number);
                $_SESSION['ses_account'] = $sesData;
                mysqli_query ($conn, "UPDATE admin SET lastLogin=NOW() WHERE student_number='$student_number'");
                header("location: dashboard.php");
            } else {
                $msg="User not recognized. Please try again.";
                $msg = urlencode($msg); // keep the encoded value for the redirect URL
                header("location: ../index.php?errmsg=$msg");
            }
        } else {
            $msg="User not recognized. Please try again.";
            $msg = urlencode($msg); // keep the encoded value for the redirect URL
            header("location: ../index.php?errmsg=$msg");
        }
    }
?>

1 Answer

I assume you are storing hashed passwords into the database (that's good)

but here:

$query = mysqli_query ($conn, "SELECT * FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));

you are fetching the user by comparing a hashed password with a plain-text one. So the query will never return any row/user.


Here is how you should proceed to implement a very basic system for (1) registering a user and (2) checking for login.

First of all, use prepared statements instead of sanitizing input and then injecting strings into the query. You'll end up with safer and more readable code.

1. When you register a new user, store the username and the hashed (and possibly salted) password in the db.

2. When you check for login, hash/elaborate the plain-text password you get as input (with the same process you implemented when performing registration), then make a single SELECT to get the user by username, and finally check that the hashed password matches.


Assuming you're at least on PHP 5.5, use password_hash and password_verify to hash the password (password_hash) and check a plaintext password against a hashed one (password_verify).

Further reading here: Secure hash and salt for PHP passwords

Paolo
  • This was very informative, I have to thank you for that. But unfortunately, it is still not logging in. I have tried hashing the user-inputted password and just made a single query as you suggested. `$hashedPasswordInput = password_hash($password, PASSWORD_DEFAULT);` `$query = mysqli_query ($conn, "SELECT * FROM admin WHERE username='$username' AND password='$hashedPasswordInput'") OR DIE(mysqli_error($conn));` – Andrew Miranda Feb 23 '18 at 12:14
  • I'm not able to fix your code with the information provided and code shown (and usually it's your job to do that; on SO normally you get help in doing that). Try to narrow down/isolate the part of the code that is broken. **What is the test that fails?** `if (password_verify($password, $hashedPasswordFromDb))`? Finally, show us the code you use to hash the password upon registration. Maybe I or someone else may give further help. – Paolo Feb 23 '18 at 12:30
  • I got it to work! This phrase: **make a single SELECT to get the user by username** got it to work! I did not notice this. Thanks, really! – Andrew Miranda Feb 23 '18 at 14:53
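
The flow that resolved the thread (one SELECT by username, then password_verify on the raw input), as an added example that is not code from the original posts. It assumes PDO with an in-memory SQLite database standing in for the MySQL `admin` table so it runs without a server; the `register` and `login` helpers and the sample account are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the page's MySQL `admin` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Registration: store only the password_hash() output (algorithm, cost and salt are embedded in it).
function register(PDO $db, string $username, string $plain): void
{
    $stmt = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($plain, PASSWORD_DEFAULT)]);
}

// Login: look the user up by username only, then verify the raw (unescaped) input.
// Returns the user id on success, null for an unknown user or a wrong password.
function login(PDO $db, string $username, string $plain): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['password'])) {
        return null;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE admin SET password = ? WHERE id = ?');
        $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed sample account; the quote and backslash would be altered by escaping functions.
$secret = "O'Brien-pass\\1";
register($db, 'alice', $secret);

// Re-hashing the input and matching it in SQL finds nothing: every password_hash() call uses a fresh salt.
$stmt = $db->prepare('SELECT COUNT(*) FROM admin WHERE username = ? AND password = ?');
$stmt->execute(['alice', password_hash($secret, PASSWORD_DEFAULT)]);
var_dump((int) $stmt->fetchColumn());

var_dump(login($db, 'alice', $secret));   // correct password
var_dump(login($db, 'alice', 'wrong'));   // wrong password
var_dump(login($db, 'nobody', $secret));  // unknown user
```

Because the statement is prepared, the password is passed to password_verify exactly as typed; running it through stripslashes or an escaping function first changes the bytes being verified.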