
UPDATE: I just want to update to share how I finally solved the issue I was having with the password_hash function in case others run into the same problem. I did not have the size of my password table long enough to accommodate the size of the hashed password, which worked fine for MD5. After changing the password table to 255 characters, these functions worked how they should.


I am adding users to my database and trying to use password_hash with the password they submit. Once added, users need to be able to log in. I am trying to verify the password with verify_password but it keeps coming back false.

I have been able to add users with password_hash but unable to log in with added users using the password_verify method. Strangely, if I add a user with MD5 within phpmyadmin, I can log them in no problem using md5($password). If I add users with md5 through my code, even if the passwords match, I am unable to log them in with this method.

I have been searching and searching and can't seem to figure out what I am doing wrong.

This was meant as a test to see if I can log in users. I know MD5 is not a great way. If I manually add a user and use the MD5 method in phpmyadmin, this code works:

if(md5($password) === $hashed) {
  // log in user code
}

When adding the password, I am encrypting it like this:

$password = md5($_POST['password']);

Then I add it to an array and insert it into the database. Once again, this is just a test.

When I try using the password_hash function, which is what I would like to do, password_verify does not work. This is what I am trying to do.

INSERT FUNCTION:

function insertAgent($conn) {
    $firstname = testdata($_POST['firstname']);
    $middlename = testdata($_POST['middlename']);
    $lastname = testdata($_POST['lastname']);
    $phone = testdata($_POST['phone']);
    $email = testdata($_POST['email']);
    $position = testdata($_POST['position']);
    $agency = testdata($_POST['agency']);
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT);

    $agentArray[] = array(
            'AgentId' => '',
            'AgtFirstName' => $firstname,
            'AgtMiddleInitial' => $middlename,
            'AgtLastName' => $lastname,
            'AgtBusPhone' => $phone,
            'AgtEmail' => $email,
            'AgtPosition' => $position,
            'AgencyId' => $agency,
            'password' => $password
        );

    foreach ($agentArray as $array) {
        $query = "INSERT INTO agents";
        $result = $conn->query($query);
        $query .= " (`".implode("`, `", array_keys($agentArray[0]))."`) VALUES";

        foreach ($agentArray as $array) {
            $query .= " ('".implode("', '", $array)."'),";
        }

        $query = substr($query,0,-1); // remove last comma

        $result = mysqli_query($conn, $query) or die(mysql_error());
    }
}

LOGIN:

if(!empty($_POST["login"])) {

            $useremail = trim($_POST['useremail']);
            $password = trim($_POST['password']);

            $pass_query = mysqli_query($conn, "SELECT password FROM agents WHERE AgtEmail='$useremail'");
            $pass = mysqli_fetch_assoc($pass_query);
            $hashed = $pass['password']; 

            if(password_verify($password, $hashed)) {
                $result = mysqli_query($conn, "SELECT * FROM agents WHERE AgtEmail='" . $useremail . "'");
                $row  = mysqli_fetch_assoc($result);

                if(is_array($row)) {
                    $_SESSION["AgentId"] = $row['AgentId'];
                }
            } else {
                $message = "<p class='errorForm'>Invalid Email or Password</p>";
            }
}

The hashed version in the DB ($hashed) matches the md5 version from the user but it results in false unless I manually add it.

JayG.Dev
  • `die(mysql_error())` You didn't connect with the `mysql_` API you connected with the `mysqli_` API so you have to use ALL `mysqli_` API Calls – RiggsFolly May 31 '19 at 22:26
  • https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php/6337021#6337021 – Dharman May 31 '19 at 22:27
  • Does the hashed password get inserted correctly into your database? – showdev May 31 '19 at 22:28
  • Your `insertAgent` function will not work – RiggsFolly May 31 '19 at 22:29
  • Mixing `mysql` and `mysqli` seems secondary to the actual problem; `mysql` is only used for outputting errors and wouldn't necessarily cause `password_verify` to fail. The presence of `$result = $conn->query($query)` does seem odd though. – showdev May 31 '19 at 22:33
  • @RiggsFolly It might be helpful to explain why it will not work. – showdev May 31 '19 at 22:33
  • For a start you `$result = $conn->query($query);` when `$query = "INSERT INTO agents";` with no params. – RiggsFolly May 31 '19 at 22:35
  • **Error checking** but if you cannot be bothered, Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any mysqli_ errors to generate an Exception that you can see on the browser as well as normal PHP errors. – RiggsFolly May 31 '19 at 22:35
  • Hey everyone, I am aware this is insecure code. I am just trying to make these functions work to get a better understanding. I would not use this in a live application. I will fix the mysqli inconsistencies and see if that helps. – JayG.Dev May 31 '19 at 22:36
  • If you used a bound parameterised query, it would actually be easier – RiggsFolly May 31 '19 at 22:45
  • Thank you for all the advice everyone. I added the error checking to the top of my script and re-wrote the query. Everything works no problem except the users can't log in and I can't seem to figure out the problem. I discovered that the login is only working for users that already existed in the DB previously before any queries were made. For anyone new that I add, even manually, they are unable to log in. – JayG.Dev Jun 01 '19 at 00:09
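
The cause given in the update can be reproduced without a database. This is an added example, not the asker's code: `password_hash` with `PASSWORD_DEFAULT` currently returns a 60-character bcrypt string, so a column sized for an `md5()` digest cuts it off and `password_verify` returns false. The 32-character width is an assumption (the page does not state the original column size), and `storeInColumn` and `hashIsIntact` are hypothetical helper names.

```php
<?php
// Added example with constructed values; no database is needed to run it.

// Model what a too-narrow column keeps. MySQL in non-strict SQL mode
// truncates silently (warning only); strict mode rejects the INSERT instead.
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// True when PHP still recognises the stored value as password_hash() output.
function hashIsIntact(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

$password = 'correct horse battery staple';        // constructed sample input
$hash     = password_hash($password, PASSWORD_DEFAULT);

// 32 = length of an md5() hex digest (assumed old column width);
// 255 = the width the asker changed the column to.
foreach ([32, 255] as $width) {
    $stored = storeInColumn($hash, $width);
    printf(
        "width %3d: kept %d of %d chars, intact=%s, password_verify=%s\n",
        $width,
        strlen($stored),
        strlen($hash),
        var_export(hashIsIntact($stored), true),
        var_export(password_verify($password, $stored), true)
    );
}
```

In a login path, a false result from `hashIsIntact` is worth logging separately from a wrong password, since it points at how the hash was stored and not at what the user typed.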
