password_verify() doesnt work when fetch from database

Question

What wrong with my code? please need some help cause I dont see any problem. but still password_verify doesnt work.

public function login($username, $password){
    global $db;
    $sql = 'SELECT id,password FROM '.DB_PREFIX.'admin WHERE username="'.$username.'"';
    $result = $db->query($sql);
    $row = $result->fetch_assoc();
    $pass = $row['password'];
    if (password_verify($password,$pass)) {
        echo "Valid";
    }else{
        echo "Invalid";
    }
}

This is the password hashing and then save to DB

public function addnewadmin($username,$password)
{

    global $db;
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $sql = "INSERT INTO admin (username, password) VALUES ('".$username."', '".$hash."')";
    $result = $db->query($sql);

    return true;

}

What is `$row` ? Also, please use prepared statements, you're vulnerable to SQL injection. — Jules R, Dec 11 '18 at 08:17
And please show the code that generates the hash too? also, do you modify $password at all between the request and `login`? — Jonnix, Dec 11 '18 at 08:20
Take password, hash it and compare with value in database __visually__. — u_mulder, Dec 11 '18 at 08:21
try with PASSWORD_BCRYPT password_hash($password, PASSWORD_BCRYPT); — Rohit Dhiman, Dec 11 '18 at 08:30
How does it fail, does it just send "invalid" for every request? Where does the "id" column come from - is that an AUTO_INCREMENT? What's the DB_PREFIX value doing there, it's not in your INSERT statement? BTW, please add the MYSQL tag if that's the database you're using. — Dougie, Dec 11 '18 at 08:30
@julesR I fetched it in the function login(), the value of $pass is the hashed value from the DB — Kevin Dave Gerona, Dec 11 '18 at 08:30
yes it echos "invalid" and yes the id is just auto increment, I am sorry for the mistake in my post this is just my first post here. — Kevin Dave Gerona, Dec 11 '18 at 08:32
Just checking, what's the database definition of your `password` column? — Jonnix, Dec 11 '18 at 08:32
Please post the code for your login() function. Try setting ```display errors``` see http://php.net/manual/en/function.ini-set.php so you'll get any error messages sent to your browser. — Dougie, Dec 11 '18 at 08:34
Can't see anything wrong then. My only suggestion is that maybe something is changing the password string somehow somewhere between the request and getting into one or both of these methods. — Jonnix, Dec 11 '18 at 08:48
I tried, echo "$password" and echo "$pass" , but it really shows the expected result just the password_verify() always returning "invalid" — Kevin Dave Gerona, Dec 11 '18 at 09:01
You are inserting into `admin` and reading from `admin`. If DB_PREFIX is non-null, then they are different tables. — Phylogenesis, Dec 11 '18 at 09:03

Jules R · Answer 1 · 2018-12-11T08:57:43.583

0

Let's do this properly.

First, use prepared statements to get rid of SQL injection:

$stmt = 'SELECT id,password FROM '.DB_PREFIX.'admin WHERE username = ?';
$stmt->execute($username);

Then, and I guess that was the problem, fetch the result.

$row = $stmt->fetch(PDO::FETCH_ASSOC);
$pass = $row['password'];

And now, you can verify the password.

edited Dec 11 '18 at 08:57

answered Dec 11 '18 at 08:35

Jules R

553
2
18

`FROM ? admin` ? – Jonnix Dec 11 '18 at 08:36
Sure, though `FROM ?` won't always work. identifiers aren't generally allowed to use placeholders. – Jonnix Dec 11 '18 at 08:38
Does not work in [pdo](https://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter) nor [mysqli](https://stackoverflow.com/questions/11312737/can-i-parameterize-the-table-name-in-a-prepared-statement) – DarkBee Dec 11 '18 at 08:39
I changed it already but still not working, when i tried to echo $pass it returns the value from the db – Kevin Dave Gerona Dec 11 '18 at 08:42

password_verify() doesnt work when fetch from database

1 Answers1