0

Hello and thank you for your help in advance

I am currently creating a system where, when a user signs up, he/she is registered in a database and their password is hashed. So far so good.

My issue appears when I attempt to log in after the creation. I have no issue logging in with the hashed password (e.g. $2y$10$1p7k9tPy.eU27q7rSHbeaer) but am unable to log in with the 'real' password (e.g. playstation123), as it seems the system doesn't detect it.

    if (count($user) == 0) {
        $error_message = 'login+not+found';
        header("Location: /login/error/$error_message");
        exit();
    }

So I receive an output in the browser with 'login+not+found'.

I believe the issue is related to this part:

    // Reject passwords outside the accepted length range.
    if (strlen($password) < 8 || strlen($password) > 25) {
        $error_message = 'password+issue';
        header("Location: /signup/error/$error_message");
        exit();
    }

    $repeatPassword = $_POST['repeat_password'];

    // Both password fields must match.
    if ($repeatPassword !== $password) {
        $error_message = 'password+issue';
        header("Location: /signup/error/$error_message");
        exit();
    }

    try {
        $q = $db->prepare('INSERT INTO users (name, last_name, age, email, password)
            VALUES (:name, :last_name, :age, :email, :password)');

        // Store only the hash, never the plain-text password.
        $hashedpassword = password_hash($password, PASSWORD_DEFAULT);

        $q->bindValue(':name', $firstName);
        $q->bindValue(':last_name', $lastName);
        $q->bindValue(':age', $age);
        $q->bindValue(':email', $email);
        $q->bindValue(':password', $hashedpassword);
        $q->execute(); // an INSERT returns no rows, so there is nothing to fetch

        $newUser = 'Signup+Successful';
        header("Location: /login/success/$newUser");
        exit();
    } catch (PDOException $ex) {
        // Log the details server-side instead of echoing them to the browser.
        error_log($ex->getMessage());
        http_response_code(500);
        exit();
    }
  • 3
    You'll need `password_verify` to check the password when logging in a user. That it doesn't appear in any of this code is likely your problem. – ceejayoz Aug 06 '21 at 13:17
  • You need to apply the same hash to the password entered on login... – Gert B. Aug 06 '21 at 13:20
  • @ceejayoz that could definitely be the issue. Is that something that should be done within the same area as to where the password is being hashed? – SurrenderAt20 Aug 06 '21 at 13:20
  • @gertB I am not sure I am entirely following you here? $q -> bindValue(':password', $hashedpassword); Like so in the login part? – SurrenderAt20 Aug 06 '21 at 13:23
  • Don't bind the password. Just select the hash from the db for the requested user then use the input and db values in the verify function. – user3783243 Aug 06 '21 at 13:29

1 Answer

-2

You might use password_verify for verification of the login credentials. Here is the password-verify

Captain Planet
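
The login check the comments and the answer point to, as an added example (not code from the question or the answer): select the stored hash by email, then compare it with the typed password using `password_verify`. `verifyLogin` is a hypothetical helper, the in-memory SQLite table and its single row are constructed sample data (assumes `pdo_sqlite` is enabled), and the column names follow the question's INSERT.

```php
<?php
// Hypothetical helper: true only when $password matches the hash stored for $email.
function verifyLogin(PDO $db, string $email, string $password): bool
{
    // Look the user up by email only; the password never goes into the WHERE clause.
    $q = $db->prepare('SELECT password FROM users WHERE email = :email');
    $q->bindValue(':email', $email);
    $q->execute();
    $storedHash = $q->fetchColumn();

    // Unknown email, or the typed password does not match the stored hash.
    if ($storedHash === false || !password_verify($password, $storedHash)) {
        return false;
    }

    // Re-hash on successful login if PASSWORD_DEFAULT or its cost changed since signup.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $u = $db->prepare('UPDATE users SET password = :password WHERE email = :email');
        $u->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':email'    => $email,
        ]);
    }
    return true;
}

// Constructed sample data: one user in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
$ins->execute([
    ':email'    => 'user@example.com',
    ':password' => password_hash('playstation123', PASSWORD_DEFAULT),
]);
$stored = $db->query('SELECT password FROM users')->fetchColumn();

var_dump(verifyLogin($db, 'user@example.com', 'playstation123'));   // the real password
var_dump(verifyLogin($db, 'user@example.com', 'wrong-password'));   // a wrong password
var_dump(verifyLogin($db, 'user@example.com', $stored));            // the hash typed as the password
var_dump(verifyLogin($db, 'nobody@example.com', 'playstation123')); // unknown email
```

The third call matters for this question: once the check goes through `password_verify`, the stored hash itself no longer works as a login password, so a leaked `password` column cannot be replayed at the login form.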