0
```php
require_once "require.php";

$con = new mysqli($hn, $un, $pas, $db);

if ($con->connect_error)
{
    die("Unable to connect to the Server");
}

if (isset($_POST["login"]))
{
    $uname  = $_POST["uname"];
    $lpass  = $_POST["lpass"];
    $query  = "SELECT PASSWORD FROM users WHERE username='$uname'";
    $result = $con->query($query);
    $dpass  = $result->fetch_assoc()['password'];

    if ($dpass==$lpass)
    {
        echo "Passwords Match";
    }
}
```

I'm trying to match the password that the user has entered against the one in the database. I don't know if the way I have used is the right way of getting the password; any help would be appreciated.

Wahyu Kristianto
  • please for the sake of your users do not store passwords in plain text – Mischa Jun 10 '18 at 11:25
  • You should read about [password hashing](https://stackoverflow.com/questions/1602776/what-is-password-hashing). It's fine as a learning exercise, but in any production system it's *unforgivably* wrong to store your users' passwords in plain text. – user229044 Jun 10 '18 at 11:26
  • Not to mention blatant SQL injection. When users realise that using single quotes in passwords makes your app crash, they'll soon figure out how to log into the site with any arbitrary user. – Álvaro González Jun 10 '18 at 11:29
  • Thank you all for your suggestions, and yes, I know about the security issue with my code, but the site that I'm making is only for learning purposes, and I'll definitely check out password hashing @meagar –  Jun 10 '18 at 12:11
  • I understand bad practices in live sites (legacy code can be really hard to fix) but why care learning them? :) – Álvaro González Jun 11 '18 at 07:40

3 Answers

1
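```php
require_once "require.php";

$con = new mysqli($hn, $un, $pas, $db);

if ($con->connect_error)
{
    die("Unable to connect to the Server");
}

if (isset($_POST["login"]))
{
    $uname = $_POST["uname"];
    $lpass = $_POST["lpass"];

    // Bind the username as a parameter instead of interpolating it into the SQL.
    $stmt = $con->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $result = $stmt->get_result();   // requires the mysqlnd driver
    $row    = $result->fetch_assoc();

    if ($row === null) {
        // No such user
        echo 'Invalid password.';
    } else {
        $dpass = $row['password'];

        // Hash the stored value, then verify the submitted password against that hash.
        $newhash = password_hash($dpass, PASSWORD_DEFAULT);

        if (password_verify($lpass, $newhash)) {
            echo 'Password is valid!';
        } else {
            echo 'Invalid password.';
        }
    }
}
```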

Try like this... password verify is a better practice

Shazvan Hanif
1

Please read the comments. Passwords in plain text are really not a good idea. I answer you just for learning purposes. Don't do this in real live production!

But to go on your code. $result->fetch_assoc() returns an Array. So you have to loop over it or address it right. This example expects a result from the query. So you have to check there is a result, else you'll get an error.

Take a look at your Query LIMIT 1 and $result->fetch_assoc() and then the $dpass[0]['password']

```php
<?php

require_once "require.php";

$con = new mysqli($hn, $un, $pas, $db);

if ($con->connect_error) {
    die("Unable to connect to the Server");
}

if (isset($_POST["login"])) {

    $uname = $_POST["uname"];
    $lpass = $_POST["lpass"];

    // LIMIT 1, with the username bound as a parameter
    $stmt = $con->prepare("SELECT password FROM users WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $result = $stmt->get_result();   // requires the mysqlnd driver

    // Check there is 1 result
    if ($result->num_rows == 1) {

        // fetch_assoc() returns the row as an array keyed by column name
        $dpass = $result->fetch_assoc();

        // check your password (plain-text comparison, as in the question)
        if ($dpass['password'] === $lpass) {
            echo "Passwords Match";
        } else {
            echo "Wrong Password";
        }

    // No User match
    } else {
        echo "No User found";
    }

}
```

I didn't try the example, but it should work.

Read more about that:

Michael
0

You can use password_hash() to generate and can use password_verify() to verify the password.

Note: Always keep the habit of validating, sanitizing and escaping every piece of data from third parties. You can take concepts from these WordPress articles on this topic: https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data https://vip.wordpress.com/2011/10/13/key-differences-between-validation-and-sanitization/

Thanks

Sushil Adhikari
  • This has nothing to do with the question asked or the code included in the question. – user229044 Jun 10 '18 at 11:27
  • Hi Meagar, as the user is doing the login system in an improper way, I just pointed him to the proper way to do it. All the above links describe the best way to do it. – Sushil Adhikari Jun 10 '18 at 11:33
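
The flow that the comments and answers on this page point to (`password_hash()` at registration, `password_verify()` at login, and a parameterised query for the lookup), as an added example that is not code from the question or from any answer. It assumes a hypothetical `users` table with a `password_hash` column and uses PDO with an in-memory SQLite database so it runs without a MySQL server; `register()`, `login()` and `DUMMY_HASH` are names invented here.

```php
<?php
declare(strict_types=1);

// Constructed in-memory SQLite database (assumption) so this runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Hash of a constructed throwaway value, verified when the username is unknown
// so that both failure paths do the same amount of hashing work.
define('DUMMY_HASH', password_hash('constructed-placeholder', PASSWORD_DEFAULT));

// Registration stores only the hash, never the password itself.
function register(PDO $pdo, string $uname, string $pass): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$uname, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login binds the username as a parameter, so a quote in it is data, not SQL.
function login(PDO $pdo, string $uname, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();   // false when there is no such user

    if ($hash === false) {
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    if (!password_verify($pass, $hash)) {
        return false;
    }
    // Re-hash on successful login if PASSWORD_DEFAULT or its cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $uname]);
    }
    return true;
}

// Constructed sample account and login attempts.
register($pdo, 'alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', 'wrong guess'));
var_dump(login($pdo, "o'brien", 'anything'));   // unknown user, quote handled as data
```

With mysqli the same shape is `prepare()`, `bind_param()`, `execute()` and `get_result()`; the stored column must be wide enough for the hash (the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`).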