-2

I am using the following script to log in users. At the moment the users POST an email and password and, if correct, it logs the user in:

```php
<?php
/* User login process, checks if user exists and password is correct */

// Escape email to protect against SQL injections
$email = $mysqli->escape_string($_POST['email']);
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'");

if ( $result->num_rows == 0 ){ // User doesn't exist
    $_SESSION['message'] = "User with that email doesn't exist!";
    header("location: error.php");
}
else { // User exists
    $user = $result->fetch_assoc();

    if ( password_verify($_POST['password'], $user['password']) ) {

        $_SESSION['email'] = $user['email'];
        $_SESSION['first_name'] = $user['first_name'];
        $_SESSION['last_name'] = $user['last_name'];
        $_SESSION['active'] = $user['active'];

        // This is how we'll know the user is logged in
        $_SESSION['logged_in'] = true;

        header("location: profile.php");
    }
    else {
        $_SESSION['message'] = "You have entered wrong password, try again!";
        header("location: error.php");
    }
}
```

I have added a 'pin' column to the registration form and to the database, and on registration a pin is set. However, I am struggling to get the login code above to also verify that the entered pin is correct; the pin is also sent via POST in the login form. I have tried this:

```php
else { // User exists
    $user = $result->fetch_assoc();

    if ( password_verify($_POST['password'], $user['password']) && ( password_verify($_POST['pin'], $user['pin'])  ) {

        $_SESSION['email'] = $user['email'];
        $_SESSION['first_name'] = $user['first_name'];
        $_SESSION['last_name'] = $user['last_name'];
        $_SESSION['active'] = $user['active'];
```

However, I can't seem to get the syntax correct. Also, password_verify is used for hashed passwords, whereas the pin is not hashed.

How can I modify this login script to check both the password and the unhashed pin before login?

Funk Forty Niner
Jonny P
- If you don't store it hashed, just compare like any value... By the way, you're open to [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – El_Vanja Mar 30 '20 at 23:21
- [Escaping](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not enough. – El_Vanja Mar 30 '20 at 23:45

1 Answer

If the pin is not hashed then compare it as a string.

```php
if (password_verify($_POST['password'], $user['password']) &&
      (strcmp($_POST['pin'], $user['pin']) == 0)) {
    // Do your stuff
}
```
Dharman
omar jayed
- This gives me an error: PHP Syntax Check: Parse error: syntax error, unexpected ';' in your code on line 21 $_SESSION['email'] = $user['email']; – Jonny P Mar 30 '20 at 23:46
- Note that you do not need the outer parentheses: `-->(strcmp($_POST['pin'], $user['pin']) == 0)<--`. – El_Vanja Mar 30 '20 at 23:47
- Also, this could be reduced to `$_POST['pin'] == $user['pin']`. – El_Vanja Mar 30 '20 at 23:51
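The question's login flow and the answer's pin comparison, combined into one added example (this is not the asker's, the answerer's or any commenter's code). It uses a prepared statement for the lookup, as the comments recommend, and compares the unhashed pin with `hash_equals()` rather than `==` or `strcmp()`. The table columns come from the question; the function names, the `handle_login` return convention and the demo record are assumptions.

```php
<?php
/* Added example, not the asker's or answerer's code: the login check from the
   question rewritten with a prepared statement and a constant-time comparison
   for the unhashed pin. The users table layout (email, password, pin,
   first_name, last_name, active) is taken from the question; function names
   and the demo record are assumptions. */

declare(strict_types=1);

/* Fetch one user by e-mail with a bound parameter instead of string
   interpolation, so the e-mail value can never change the SQL. Requires a
   live mysqli connection and mysqlnd (for get_result); not called in the
   offline demo below. */
function fetch_user_by_email(mysqli $mysqli, string $email): ?array
{
    $stmt = $mysqli->prepare(
        'SELECT email, password, pin, first_name, last_name, active
           FROM users WHERE email = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/* Verify both factors against the stored row.
   - password: bcrypt hash, checked with password_verify()
   - pin: stored in clear (as in the question), so it is compared with
     hash_equals(): a strict byte-for-byte comparison with no numeric string
     juggling ("0100" == "100" is true with ==) and no early exit on the
     first differing byte.
   Both checks run unconditionally so the response time does not reveal
   which factor failed. */
function credentials_match(array $user, string $password, string $pin): bool
{
    $password_ok = password_verify($password, (string) $user['password']);
    $pin_ok      = hash_equals((string) $user['pin'], $pin);
    return $password_ok && $pin_ok;
}

/* Populate the session exactly as the question's script does, after rotating
   the session id so a session issued before login is not kept afterwards. */
function login_user(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['email']      = $user['email'];
    $_SESSION['first_name'] = $user['first_name'];
    $_SESSION['last_name']  = $user['last_name'];
    $_SESSION['active']     = $user['active'];
    $_SESSION['logged_in']  = true;
}

/* Request handler: returns the page to redirect to. One generic message for
   "no such user" and "wrong credentials" so the login form does not confirm
   which e-mails are registered. */
function handle_login(mysqli $mysqli, array $post): string
{
    $user = fetch_user_by_email($mysqli, (string) ($post['email'] ?? ''));
    $password = (string) ($post['password'] ?? '');
    $pin      = (string) ($post['pin'] ?? '');

    if ($user === null || !credentials_match($user, $password, $pin)) {
        $_SESSION['message'] = 'Wrong email, password or pin, try again!';
        return 'error.php';
    }
    login_user($user);
    return 'profile.php';
}

/* Offline demo with a constructed record; no database needed. */
$demo_user = [
    'email'      => 'alice@example.com',
    'password'   => password_hash('correct horse', PASSWORD_DEFAULT),
    'pin'        => '0100',
    'first_name' => 'Alice',
    'last_name'  => 'Example',
    'active'     => 1,
];

var_dump(credentials_match($demo_user, 'correct horse', '0100')); // right password and pin
var_dump(credentials_match($demo_user, 'correct horse', '100'));  // passes with ==, not with hash_equals
var_dump(credentials_match($demo_user, 'wrong', '0100'));         // wrong password
```

Wire it into the question's script with `header('Location: ' . handle_login($mysqli, $_POST)); exit;` (the `exit` matters: `header()` alone does not stop the script). If the pin is later stored hashed like the password, replace the `hash_equals()` line with a second `password_verify()` call, which is what the asker's attempt already expressed.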