
I want to encrypt the password and store it in the database, but I do not really understand how to use password_hash. I found some tutorials, but it doesn't work.

The below is connection.php

```php
<?php
    $conn = new mysqli("localhost", "root", "", "mydata");
    // new mysqli never returns false; a failed connection is reported via connect_error
    if ($conn->connect_error) {
        die('Please check your connection: ' . $conn->connect_error);
    }
?>
```

The below is login.php

```php
<?php
session_start();
require_once('connection.php');

$msg = "";
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $password_encrypted = password_hash($password, PASSWORD_DEFAULT);

    // look for a row whose stored Password equals the hash just computed
    $sql = "SELECT * FROM login WHERE UserName=? AND Password=?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("ss", $username, $password_encrypted);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();

    if ($result->num_rows == 1 && $row['UserName'] == "admin") {
        session_regenerate_id();
        $_SESSION['username'] = $row['UserName'];
        session_write_close();
        header("location:home.php");
        exit;
    } else {
        $msg = "Username or Password is Incorrect!!!";
    }
}
?>
```
Pejman Kheyri
newbird
  • When you use `password_hash` you then store that hash in the database and check that the correct password is supplied at logon using `password_verify`. You do NOT use `password_hash` to verify the password as you have here – Professor Abronsius Mar 25 '21 at 08:39
  • Your question has been answered https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords – zoldxk Mar 25 '21 at 08:41
  • (password) hashing != encrypting, suggested [reading](https://security.stackexchange.com/questions/122603/whats-the-difference-between-a-hashed-and-an-encrypted-password) – berend Mar 25 '21 at 08:43

1 Answer

Try the code below for verifying the password

```php
<?php
session_start();
require_once('connection.php');

$msg = "";
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $password_encrypted = password_hash($password, PASSWORD_DEFAULT);

    $sql = "SELECT * FROM login WHERE UserName=?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("s", $username);   // one placeholder, so one type character
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    if ($row) {
        // compares the stored hash against the hash computed above
        if (password_verify($row['password'], $password_encrypted)) {
            session_regenerate_id();
            $_SESSION['username'] = $row['UserName'];
            session_write_close();
            $msg = "Login successfully!!!";
            if ($_SESSION['username'] == "admin") {
                header("location:home.php");
            } else {
                header("location:user.php");
            }
            exit;
        } else {
            $msg = "Username or Password is Incorrect!!!";
        }
    } else {
        $msg = "Username or Password is Incorrect!!!";
    }
}
?>
```
  • Your approach is incorrect, because you try to compare two hashes (which will never be the same). Seems like you would also benefit from reading [how it's actually done](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords). – El_Vanja Mar 25 '21 at 09:47
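The approach the comments on both the question and the answer point to, hashing once at registration and checking the submitted plaintext with password_verify() at login, written out as an added example (not code from the question or the answer). It assumes the `login(UserName, Password)` table from the question, with `Password` wide enough for a 60+ character hash, and the `$conn` from connection.php; `register_user` and `authenticate` are hypothetical names.

```php
<?php
// Added example, not from the question or answer above. Assumes the table
// login(UserName, Password) with Password as VARCHAR(255) so longer future hashes fit.

function register_user(mysqli $conn, string $username, string $password): bool
{
    // password_hash() picks a random salt and embeds it in the result,
    // so two users with the same password get different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("INSERT INTO login (UserName, Password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    return $stmt->execute();
}

function authenticate(mysqli $conn, string $username, string $password): ?string
{
    // Look up by username only; the submitted password never goes into the query.
    $stmt = $conn->prepare("SELECT UserName, Password FROM login WHERE UserName = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_verify() reads salt and cost out of the stored hash and re-hashes
    // the plaintext for comparison; it is never given a second hash.
    if (!$row || !password_verify($password, $row['Password'])) {
        return null;
    }
    // Opportunistically upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($row['Password'], PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE login SET Password = ? WHERE UserName = ?");
        $upd->bind_param("ss", $new, $username);
        $upd->execute();
    }
    return $row['UserName'];
}

// How login.php would use it, after session_start() and require_once('connection.php'):
if (isset($_POST['login'])) {
    $user = authenticate($conn, (string) $_POST['username'], (string) $_POST['password']);
    if ($user === null) {
        $msg = "Username or Password is Incorrect!!!";
    } else {
        session_regenerate_id(true);
        $_SESSION['username'] = $user;
        header("Location: " . ($user === "admin" ? "home.php" : "user.php"));
        exit;
    }
}
```

When the username does not exist the function returns before password_verify() runs, so those requests answer measurably faster; if timing-based username enumeration matters, run password_verify() against a fixed dummy hash in that branch as well.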