
I'm working on a login page and stumbled across this problem where no matter what password I write, I'm able to log in.

I checked the values of $password, $row['password'], $pwdCheck and all had the values they needed to be.

The hashed password gets saved in a varchar(255). I more than double-checked the names and everything I thought of, but if you think of something please let me know. As far as I know the problem lies in password_verify.

I know this isn't the best practice of making a login page but for now it works.

Thanks

```php
<?php

if ( isset($_POST['login-submit']) ) {
    require '../../files/includes/functions.php';
    $mysqli = get_db();
    $email = $_POST['email'];
    $password = $_POST['password'];
    // check if the email is in the database
    $sql ='SELECT * FROM taxisvl_diritems WHERE email =?';
    $stmt = mysqli_stmt_init($mysqli);
    if ( empty($email) || empty($password) ) {
        header("Location: /inloggen?error=emptyfields");
        exit();
    }
    else {
        // check to see if we can run the query
        if ( !mysqli_stmt_prepare($stmt,$sql) ) {
            header("Location: /inloggen?error=sqlerror");
            exit();
        }
        else {
            // bind the value to the parameter in the query statement
            mysqli_stmt_bind_param($stmt, 's', $email);
            // run the query
            mysqli_stmt_execute($stmt);
            $result = mysqli_stmt_get_result($stmt);
            // check if we have a result for the given email
            if ( $row = mysqli_fetch_assoc($result) ) {
                // check the password
                $pwdCheck = password_verify($password, $row['password']);
                if ( $pwdCheck = true) {
                    // user is logged in
                    // create sessions to retrieve users info
                    $_SESSION['id'] = $row['id'];
                    $_SESSION['email'] = $row['email'];
                    $_SESSION['name'] = $row['name'];
                    header("Location: /dashboard");
                    exit();
                }
                else {
                    header("Location: /inloggen?error=wrngpassword");
                    exit();
                }
            }
            else {
                header("Location: /inloggen?error=wrngemail");
                exit();
            }
        }
    }
} else {
    echo 'Login not set';
}
?>
```

0 Answers
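An added example, not part of the original post: the condition `$pwdCheck = true` from the question next to a check that branches on what `password_verify()` returns. The in-memory `$users` array, the function names `check_as_posted`, `check_fixed` and `authenticate`, and the sample credentials are assumptions made for illustration; `authenticate` goes one step beyond the question by returning the same result for an unknown email and a wrong password.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory stand-in for one taxisvl_diritems row.
$users = [
    'user@example.test' => [
        'id' => 1, 'name' => 'Sample User',
        'password' => password_hash('correct-horse', PASSWORD_DEFAULT),
    ],
];

// The check as posted: "=" assigns true to $pwdCheck, and an assignment
// expression evaluates to the assigned value, so the branch always runs.
function check_as_posted(string $password, string $hash): bool
{
    $pwdCheck = password_verify($password, $hash);
    if ($pwdCheck = true) {
        return true;
    }
    return false;
}

// Corrected: use the boolean password_verify() returns directly, with no
// assignment inside the condition.
function check_fixed(string $password, string $hash): bool
{
    return password_verify($password, $hash) === true;
}

// Hypothetical helper: returns the user row on success, null on any failure.
// An unknown email is still verified against a throwaway hash.
function authenticate(array $users, string $email, string $password): ?array
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $row = $users[$email] ?? null;
    $ok = check_fixed($password, $row['password'] ?? $dummy);
    return ($row !== null && $ok) ? $row : null;
}

$hash = $users['user@example.test']['password'];
var_dump(check_as_posted('wrong-guess', $hash));   // posted condition
var_dump(check_fixed('wrong-guess', $hash));       // corrected condition
var_dump(authenticate($users, 'user@example.test', 'correct-horse') !== null);
var_dump(authenticate($users, 'nobody@example.test', 'correct-horse') !== null);
```

Run it with the PHP CLI and compare the first two lines of output: only the posted condition accepts the wrong password.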