Simple password verification function not working

Question

This is it:

function password_matches($username, $password){
    //precon: user_exists($username)
    $u = $GLOBALS['conn']->real_escape_string($username);
    $q = "SELECT password FROM users WHERE username = '$u'";
    $result = mysqli_query($GLOBALS['conn'], $q);
    $result2 = mysqli_fetch_field($result);
    return ($result2 == $password);
}

If you think this should work just tell me, I know my problems could be coming form somewhere else outside this function but I think that's less likely.

I'm truly a beginner like the tilte says so I welcome any type of tips thanks a lot. Like the title used to say rather, I guess an admin edited the tilte. — Nicolás Reyes, Apr 06 '18 at 15:52
You should use PHP's `password_hash` and `password_verify` functions. — Barmar, Apr 06 '18 at 15:53
Read the documentation of `mysqli_fetch_field`. It doesn't return the result of the query, it returns metadata. — Barmar, Apr 06 '18 at 15:54
`real_escape_string` please no!! use prepared statements to protect against SQL injections. read this https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Raymond Nijland, Apr 06 '18 at 15:54
Yes I think I know what debugging is thanks u_mulder. Thanks Barmar I'll read about those. — Nicolás Reyes, Apr 06 '18 at 15:54
Your code is also vulnerable to query injection, but I assume you're just trying to learn how this works and not actually deploying this code :) imagine what happens when the user uses the password 'OR 1==1' — Rens van der Heijden, Apr 06 '18 at 15:54
`$result2` is not the actual value. You should read the docs about whar you are actually fetching. http://php.net/manual/en/mysqli-result.fetch-field.php — Qirel, Apr 06 '18 at 15:58
Wow haha yeah, I got what you mean, but yes, I haven't started learning about security, I'm just strying to make the register/login work. Thanks Rens van der Heijden. — Nicolás Reyes, Apr 06 '18 at 16:00
Yes Qirel, that seems to be the problem, I'll read it, thanks a lot! — Nicolás Reyes, Apr 06 '18 at 16:00

score 0 · Answer 1 · answered Apr 06 '18 at 15:56

While there are lots of problems with the way you're doing this, you also just don't know how to use the mysqli functions properly, so I'll write an answer related to that, since you'll need to know it for other tasks.

mysqli_fetch_field returns metadata about the fields in the result, not the values. To get the actual data, use mysqli_fetch_assoc:

$row = mysqli_fetch_assoc($result2);
return $row['password'] == $password;

Simple password verification function not working

1 Answers1