
I checked various similar reports, but could not find a solution, so any help would be greatly appreciated.

I am trying to create a PHP signup/login form. Everything seems to be working properly, except for the password verification. Here is the part of the code where username/password are defined and requested from the database for verification:

    $username = $_POST['username'];
    $pwd = $_POST['pwd'];
    ....
    ....
    ....
    else {
        $sql = "SELECT * FROM users WHERE username=?;";
        $stmt = mysqli_stmt_init($conn);
        if (!mysqli_stmt_prepare($stmt, $sql)) {
            echo "MySQL Error!";
            exit();
        }
        else {
            mysqli_stmt_bind_param($stmt, 's', $username);
            mysqli_stmt_execute($stmt);
            $result = mysqli_stmt_get_result($stmt);
            if ($row = mysqli_fetch_assoc($result)) {
                $pwdCheck = password_verify($pwd, $row['password']);
                if ($pwdCheck == false) {
                    header("Location: ../login.php?error=wrongpassword");
                    exit();
                }
                else if ($pwdCheck == true) {
                    session_start();
                    $_SESSION['userId'] = $row['id'];
                    $_SESSION['username'] = $row['username'];
                    header("Location: ../login.php?login=success");
                    exit();
                }

Here are some things to take into consideration:

  1. I set the passwords table in the database to LONGTEXT and varchar(250) - still no luck.

  2. Here is the output from var_dump($pwdCheck, $pwd, $row['password'])

    bool(false) string(8) "testtest" string(60) "$2y$10$nSMyRdh5RcjlKu.vaQMLHeRjmfYTqkjjdnM7HI4Di/294EBCpE1JG"

It returns bool(false), while "testtest" is the correct password and the string displayed by var_dump is the correct hash from the password database table. So I am really not sure what went wrong here.

Here is how the password is hashed (note that this is done in a separate PHP script, not sure if it matters):

    else{
        $sql = "INSERT INTO users (username, mailuid, password, managername, teamname) VALUES (?,?,?,?,?)";
        $stmt = mysqli_stmt_init($conn);
        if (!mysqli_stmt_prepare($stmt, $sql)){
            echo "MySQL Error";
        }
        else{
            $hashpwd = password_hash($password, PASSWORD_DEFAULT);
            mysqli_stmt_bind_param($stmt, "sssss", $username, $mailuid, $hashpwd, $managername, $teamname);
            mysqli_stmt_execute($stmt);
            header("Location: ../signup.php?signup=success");
            exit();
        }

Everything else works as expected. The username, for example, is fetched successfully from the DB (username table). It looks like the hashed pass is also fetched from the passwords DB table, but the verification still fails.

  • Can you show us the code where you do `password_hash` for saving into the database, including any steps prior that might be, say, trimming, escaping, or otherwise manipulating the value? – ceejayoz Oct 16 '20 at 20:26
  • This is not the password that generated this hash. For `testtest` I get `$2y$10$nSMyRdh5RcjlKu.vaQMLHeRKAgKNeFVd1c/Y7RxoleTLSpW70g.iW` – Dharman Oct 16 '20 at 20:31
  • @Dharman The hash will be different each time. – ceejayoz Oct 16 '20 at 20:33
  • @ceejayoz Not if I provide the same salt, right? – Dharman Oct 16 '20 at 20:33
  • Please [edit] your post to include any additional information you have to your question. Avoid adding this in the comments, as they are harder to read and can be deleted easier. The edit button for your post is just below the post's tags. – Dharman Oct 16 '20 at 20:37
  • Is `username` a unique column? – Dharman Oct 16 '20 at 20:38
  • Yes, it is a column inside a DB table named "users" – the_arsenal_bg Oct 16 '20 at 20:47
  • But is it unique? Do you have records with the same username? – Dharman Oct 16 '20 at 20:47
  • No, this is a test login form and there is just a single user in the db. I deleted it and created a new one, but authentication still fails – the_arsenal_bg Oct 16 '20 at 20:53
  • Try with a different password. Make sure that `$password` is not modified in any way before hashing – Dharman Oct 16 '20 at 20:54

1 Answer

I've created a simple gist where you can see a version of your code which I managed to run correctly and got the correct results:

  • a user can signup
  • a user can sign in
  • a user can sign out

I find that your code was correct, in broad strokes, but I also believe you must have mixed up some of your variables and field names.

In your question you do a var_dump of $row['pwdUsers'], a field never seen in the insert statement. You also select the field username when fetching data to compare to the one submitted for login, but in the insert statement the variable that you insert into that field is named $mailuid (while a variable $username sits next to it).

Given that when extracted and applied in a controlled environment your code works, I'd wager your error is due to a possible mix-up caused by the previously mentioned confusing nomenclatures, or due to some other logic hidden from us in the snippets you provided.

lucasreta
  • Thank you for your time! It was really important for me that someone more experienced in PHP confirm that the password_hash / verify part in the code is correct. Yes, I revised the script and found the error - it was in the signup script and not in the login. The password was defined as $pwd at the beginning of the script and hashed as $password later with password_hash. Everything works correctly now. THANKS! – the_arsenal_bg Oct 17 '20 at 07:41
  • Glad I was able to help! I like this sort of homemade simple login systems, so it's always a pleasure to dive in. I'd recommend when moving forward to read some of the answers [in this post](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication/477578#477578), for they contain useful advice that can help securing your application. – lucasreta Oct 17 '20 at 07:48
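
Added example, not code from the question or the answer: it reproduces the mistake the asker reports finding (the form value read into `$pwd`, an unassigned `$password` passed to `password_hash`) and shows a check that tells which input a stored hash was actually made from. The function names and the candidate list are hypothetical, and the sample password is constructed.

```php
<?php
// Added example (not the asker's or the answerer's code).

// Reproduce the signup mistake: the form value lands in $pwd, but an
// unassigned $password is hashed. An undefined variable evaluates to null,
// which ends up hashed as the empty string.
function buggy_signup_hash(string $pwd): string
{
    // $pwd is deliberately unused. @ silences the "Undefined variable"
    // warning, as a server with display_errors=Off would; the cast makes
    // the null -> '' conversion explicit.
    return password_hash((string) @$password, PASSWORD_DEFAULT);
}

// Report which candidate input, if any, a stored hash was made from.
function diagnose_hash(string $storedHash, string $submitted): string
{
    // password_get_info() reports algo null (0 before PHP 7.4) when the
    // value is not a complete hash, e.g. cut short by a narrow column.
    $info = password_get_info($storedHash);
    if ($info['algo'] === null || $info['algo'] === 0) {
        return 'not a password_hash() value (truncated or altered?)';
    }
    $candidates = [
        'submitted password'        => $submitted,
        'empty string (unset var)'  => '',
        'trimmed password'          => trim($submitted),
        'htmlspecialchars() output' => htmlspecialchars($submitted),
    ];
    foreach ($candidates as $label => $candidate) {
        if (password_verify($candidate, $storedHash)) {
            return "hash matches: $label";
        }
    }
    return 'hash matches none of the candidates';
}

$typed = 'testtest';                        // constructed sample input
$bad   = buggy_signup_hash($typed);         // what the buggy signup stores
$good  = password_hash($typed, PASSWORD_DEFAULT);

var_dump(password_verify($typed, $bad));    // same check the login script runs
echo diagnose_hash($bad, $typed), PHP_EOL;
echo diagnose_hash($good, $typed), PHP_EOL;
echo diagnose_hash(substr($good, 0, 40), $typed), PHP_EOL;  // truncated hash
```

Running the signup script with warnings visible (`error_reporting(E_ALL)`) surfaces the undefined variable directly, which is the faster route to the same finding during development.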