Password Hashing Not Working For MySQL

Question

I have been on here all day and looked at all of the answered wuestions and also looked at tutorials online regarding password hashing. It seems as though I am doing it right and it hashes the password in the database but when I go to login it tells me that the password is incorrect. Here is the script, any help would be greatly appreciated.

Login.PHP

if (isset($_POST['username'])){
//escapes special characters in a string
$username = stripslashes($_REQUEST['username']);
$username = mysqli_real_escape_string($con,$username);
$password = $_REQUEST['password'];
$password = mysqli_real_escape_string($con,$password);
//Checking is user existing in the database or not
$query = "SELECT * FROM `users` WHERE username='$username'";
$result = mysqli_query($con,$query) or die(mysql_error());
$rows = mysqli_num_rows($result);
$row = mysqli_fetch_array($result);
$hash = $row['password'];
if (password_verify($password, $hash)) {
    $_SESSION['username'] = $username;
    // Redirect user to index.php
    $position = $row['position'];
    if ( $position == "freelancer" ){
    header("Location: ../freelancer/index.php");
    }
    elseif ($position == "employer"){
    header("Location: ../employer/index.php");
    }
}
else{
echo "<div class='form'>
<h3>Username/password is incorrect.</h3>
".$hash." " .$password. "
<br />Click here to <a href='login.php'>Login</a>
</div>";

Register.PHP (Piece of Code that Hashes the Password)

   //BEGINNING CODE HERE
$password = stripslashes($_REQUEST['password']);
$password = mysqli_real_escape_string($con,$password);
$hashPassword = password_hash($password, PASSWORD_DEFAULT);
$sql_u = "SELECT username FROM users WHERE username='$username'";
$sql_e = "SELECT email FROM users WHERE email='$email'";
$res_u = mysqli_query($con, $sql_u);
$res_e = mysqli_query($con, $sql_e);
if (mysqli_num_rows($res_u) > 0) {
$name_error = "Sorry... username already taken";
}
else if(mysqli_num_rows($res_e) > 0){
$email_error = "Sorry... email already taken";
}
else{
$query = "INSERT INTO users (username, email, password)
VALUES ('$username', '$email', '$hashPassword')";
$results = mysqli_query($con, $query);
mkdir("../profilePics/" . $username);
echo 'You Have Registered Successfully!<br>
To Login Go To <a href="login.php">Our Login Page</a>
';
exit();
}
}
?>

I know there may be more things wrong with this code But I am only interested in getting a basic understanding of password hashing.

Common mistake is the password column's length is too short. It needs to be 60 characters. — Script47, May 29 '18 at 02:38
You stored your hashed password in `hash` field. You better change - `$hash = $row['password'];` - to - `$hash = $row['hash`'];` — Karlo Kokkak, May 29 '18 at 02:39
It could be that the length of your password field is not long enough and the data gets truncated. — hungrykoala, May 29 '18 at 02:39
Secondly, what is the `password` column and what is the `hash` column? Are you storing the password in plain text too? — Script47, May 29 '18 at 02:39
Thirdly, seeing as you are using `mysqli_*`, why not make use of prepared statements. — Script47, May 29 '18 at 02:40
No its not the hash field. Its the password field. Hash is something totally different — , May 29 '18 at 02:40
Then that's the problem `$hashPassword` is stored in `hash` while you're getting the password in `password` column — hungrykoala, May 29 '18 at 02:42
What is the difference between `$hash = $row['password'];` and `$hashing = $row['password'];`? — Script47, May 29 '18 at 02:42
oddly enough though all the hashes are coming out to 32 characters — , May 29 '18 at 02:44
No im storing the hashed password in password and getting the password from the appropriate password field. Hash is for emails. They are also 2 different scripts, one for logging in and one for registration. I know this may be confusing but just trust me when I say ignore hash. When I echo out the results of $password and the password entered it gives me the password the user entered in plain text and the hashed password in the database — , May 29 '18 at 02:47
@JosephAlvini if I understand your last comment correctly, you *are* storing the password in plain text too, in which case, you are undoing the work that your hash is supposed to be doing. Please, don't store passwords in plain text. — Script47, May 29 '18 at 02:52

Wils · Accepted Answer · 2018-05-29T02:55:03.700

0

$password = mysqli_real_escape_string($con,$password);

You password is now escaped and it certainly won't match the hash. Better remove this line and look for a better way to ensure the string is safe.

What does escape means? if your password contains " it will turns into \"

FYI Should I mysql_real_escape_string the password entered in the registration form?

edited May 29 '18 at 02:55

answered May 29 '18 at 02:53

Wils

1,178
8
24

1

*cough* The better way would be prepared statements. *cough* – Script47 May 29 '18 at 02:54
as far as I know, the password verify did manage to deal with security of the string passing in. – Wils May 29 '18 at 02:56
1

Exactly What it was. And script147 was partially correct also. Thanks Guys, I am really trying to learn how to build around security rather than just building carelessly – May 29 '18 at 03:04
1

@JosephAlvini FYI: I mentioned [this](https://stackoverflow.com/questions/50575571/password-hashing-not-working-for-mysql/50575733?noredirect=1#comment88160363_50575571) in the comments 27 minutes earlier... Secondly, if you used prepared statements you wouldn't have this issue. – Script47 May 29 '18 at 03:10
@Script147 Sorry about that. I genuinely missed it. Also as far as the prepared statements go I am going to look into that. I am new to PHP so I am learning from the ground up. – May 29 '18 at 03:37
@JosephAlvini you must have also missed my username (`Script47`)? :P – Script47 May 29 '18 at 03:46
@Script47 OOPS. Im sorry I am rushing around and real tired. I had a long day. Thanks though man, I do appreciate the help. I have been diving into PHP Dev and love it and since you told me about Prepared statments I have been on w3schools looking at it and implementing it into my own code. Hey BTW, whats your stance on OOP? I read good and bad stuff about it and wanna know if its worth the effort. None the less people seem to be very opinionated about it. – May 29 '18 at 05:16

Password Hashing Not Working For MySQL

1 Answers1