-2

For the hashing in PHP I wrote this; however, it isn't working. When I go to the database in phpMyAdmin, the password isn't hashed. I checked on some forums, but found no solution. I did a test, and it worked in the browser when I typed echo "smthg"; echo password_hash(...), but not in the database. I don't know the solution. I would really appreciate your help.

This is the command:

else {
    $hashedpwd = password_hash ($password, PASSWORD_DEFAULT);
    //INSERT THE USER INTO THE DATABASE (values follow the column order: email, then username)
    $sql = "INSERT INTO users (last_name, first_name,email,username,pwd)
            VALUES ('$Name', '$Prenom', '$email','$username', '$password');";
    mysqli_query($conn,$sql);
    header("Location: ../signup.php?signup=done");
    exit();
}
Don't Panic

1 Answer

4

You are not storing the hashed password; you are storing the entered password.

else {
    $hashedpwd = password_hash ($password, PASSWORD_DEFAULT);

    //INSERT THE USER INTO THE DATABASE (values follow the column order: email, then username)
    $sql="INSERT INTO users 
                    (last_name, first_name,email,username,pwd) 
            VALUES ('$Name', '$Prenom', '$email','$username', '$hashedpwd')";
// change made here ------------------------------------------^^^^^^^^^^^
     mysqli_query($conn,$sql);
     header("Location: ../signup.php?signup=done");
     exit();
}

BIG NOTE: Your script is wide open to SQL Injection Attack. Even if you are escaping inputs, it's not safe! Use prepared parameterized statements in either the MYSQLI_ or PDO APIs.

Example using a parameterised query:

else {
    $hashedpwd = password_hash ($password, PASSWORD_DEFAULT);

    //INSERT THE USER INTO THE DATABASE
    $sql="INSERT INTO users 
                    (last_name, first_name,email,username,pwd) 
            VALUES (?,?,?,?,?)";

     //mysqli_query($conn,$sql);

    $stmt = $conn->prepare($sql);
    // bind the values in the same order as the column list (email, then username)
    $stmt->bind_param('sssss', $Name, $Prenom, 
                              $email, $username, 
                              $hashedpwd);
    $stmt->execute();
    header("Location: ../signup.php?signup=done");
    exit();
}
RiggsFolly
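
The signup insert from the answer above together with the matching login check, as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database standing in for the MySQL `users` table so that it runs offline; `register()` and `login()` are hypothetical helper names and the sample user is constructed.

```php
<?php
// Added example (not from the original post). Assumptions: PDO with an
// in-memory SQLite database stands in for the MySQL `users` table, and
// register()/login() are hypothetical helper names.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// pwd must be wide enough for any PASSWORD_DEFAULT hash; 255 leaves room.
$pdo->exec('CREATE TABLE users (
    last_name TEXT, first_name TEXT, email TEXT,
    username TEXT UNIQUE, pwd VARCHAR(255))');

function register(PDO $pdo, string $last, string $first,
                  string $email, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (last_name, first_name, email, username, pwd)
         VALUES (?, ?, ?, ?, ?)');
    // Values are bound in the same order as the column list.
    $stmt->execute([$last, $first, $email, $username, $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pwd FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Hashes are salted, so compare with password_verify(), never with ==.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since signup.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pwd = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample data: the apostrophe would break a string-built query.
register($pdo, "O'Brien", 'Aoife', 'aoife@example.test', 'aobrien', 'correct horse');
$stored = $pdo->query('SELECT pwd FROM users')->fetchColumn();

var_dump($stored !== 'correct horse');               // stored value is a hash
var_dump(login($pdo, 'aobrien', 'correct horse'));   // right password
var_dump(login($pdo, 'aobrien', 'wrong password'));  // wrong password
```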