0

I am writing code which compares the user passwords using password verify and outputs the result accordingly. Also, I'm printing the hashed password from the database before comparing. But I am getting the error `Fatal error: Call to a member function fetch_assoc() on boolean`. Here is the DbConnect.php file included in the main file:

```php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "task_manager";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>
```

Here is the main file with the error:

```php
<?php
include "DbConnect.php";

$email = "joshiashish191@gmail.com";
$user_password = "123456";

$sql = "SELECT password from users WHERE email = $email";
$result = $conn->query($sql);

while($row = $result->fetch_assoc()) {
    echo $row["password"];
}

if(password_verify($user_password, $result)){
    echo "password matches!";
}
else
    echo "Passwords do not match.";
?>
```

What's wrong with this? Can anyone tell, please?

Strooks

1 Answer

-1

The email field expects a string; escaping quotes are missing in your query.

```php
$sql = "SELECT password from users WHERE email = \"$email\"";
```
niiwig
  • Great Answer! this worked great. Thanks a lot! – Strooks Sep 26 '18 at 13:12
  • 1
    `$sql = "SELECT password from users WHERE email = '$email'";` is easier to read, write and maintain but would still be open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs. – RiggsFolly Sep 26 '18 at 13:12
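
The prepared-statement approach named in the last comment, as an added example that is not part of the original question, answer or comments. It uses PDO with an in-memory SQLite database standing in for the MySQL `task_manager` database so it runs without a server; the function name `verify_login` and the sample user are assumptions made for illustration.

```php
<?php
// Added example: in-memory SQLite replaces the page's MySQL database so the
// script runs offline. With MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of returning false, so a failed query can
// never reach a fetch call as a boolean.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one user whose password is stored as a hash.
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
$insert->execute([
    ':email' => 'user@example.com',
    ':hash'  => password_hash('123456', PASSWORD_DEFAULT),
]);

/**
 * Returns true only if the email exists and the password matches its hash.
 * (Hypothetical helper name, not from the original post.)
 */
function verify_login(PDO $pdo, string $email, string $password): bool
{
    // The placeholder keeps $email out of the SQL text: no manual quoting,
    // and quote characters in the input cannot change the query.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();   // hash string, or false when no row matched

    if ($hash === false) {
        return false;               // unknown email
    }
    // password_verify() takes the stored hash string, not the result object.
    return password_verify($password, $hash);
}

var_dump(verify_login($pdo, 'user@example.com', '123456'));   // correct password
var_dump(verify_login($pdo, 'user@example.com', 'wrong'));    // wrong password
var_dump(verify_login($pdo, "x' OR '1'='1", '123456'));       // quotes in input, bound as data
```

Only the first call succeeds; the third input is compared literally against the `email` column and matches no row.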