
I am trying to get my hashed passwords from my database with no success so far. I'm hoping someone can find the error(s) in my code:

Signup.php:

    $user_name = filter_input(INPUT_POST, 'user_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    $user_pass = filter_input(INPUT_POST, 'user_pass', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    $user_email = filter_input(INPUT_POST, 'user_email', FILTER_SANITIZE_EMAIL);
    $hashed_password = password_hash($user_pass, PASSWORD_DEFAULT);
    $query = "INSERT INTO users (user_name, user_pass, user_email) VALUES (:user_name, :user_pass, :user_email)";
    $statement = $db->prepare($query);
    $statement->bindValue(':user_name', $user_name);
    $statement->bindValue(':user_pass', $hashed_password);
    $statement->bindValue(':user_email', $user_email);
    $statement->execute();
    $insert_id = $db->lastInsertId();

    echo 'Successfully registered! You can now <a href="./login.php">login</a> and start posting!';

Login.php:

    $user_name = filter_input(INPUT_POST, 'user_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    $user_pass = filter_input(INPUT_POST, 'user_pass', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    $hashed_password = password_hash($user_pass, PASSWORD_DEFAULT);

    if (!isset($_POST['user_name'])){
        $errors[] = 'The username field must not be empty.';
    }
    if (!isset($_POST['user_pass'])){
        $errors[] = 'The password field must not be empty.';
    }
    else{
        $query = "SELECT user_id, user_name, user_level FROM users WHERE `user_name` = :user_name AND `user_pass` = :user_pass";
        $statement = $db->prepare($query);
        $statement->bindParam('user_name', $user_name, PDO::PARAM_STR);
        $statement->bindParam('user_pass', $user_pass, PDO::PARAM_STR);
        $statement->execute();

        $user = $statement->fetch();
        $count = $statement->rowCount();

        if ($user && password_verify($user_pass, $hashed_password)){
            $_SESSION['signed_in'] = true;
            $_SESSION['user_id'] = $user['user_id'];
            $_SESSION['user_name'] = $user['user_name'];
            $_SESSION['user_level'] = $user['user_level'];
            echo 'Welcome, ' . $_SESSION['user_name'] . '. <a href="./index.php">Proceed to the forum home screen</a>!';
        }elseif($count == 0){
            echo 'You have supplied a username and password that do not match. Please try again.';
        }

This code works for the users that have unhashed passwords, but for the user that has a hashed password it keeps saying that the username and password do not match.

Any help would be appreciated!

mayo0o
    My guess is that it is related to the filters. I personally very much align with this [answer](https://stackoverflow.com/a/20385300/231316) which is a great read. Also, _This code works for the users that have unhashed passwords_, please tell me you are rectifying this situation. – Chris Haas Apr 02 '22 at 15:34
  • @ChrisHaas Yes the users with unhashed passwords are just test users, not actual users. :) I will give your suggestions a go, thank you. – mayo0o Apr 02 '22 at 16:10
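A login path that verifies against the stored hash instead of searching for the hash in SQL, as an added example that is not part of the question or its comments; it assumes the `$db` PDO handle and `users` table from the question and that `session_start()` has already run.

```php
<?php
// Added example, not the asker's code. Assumes $db is an existing PDO
// connection and the question's `users` table (user_id, user_name, user_pass, user_level).

function authenticate(PDO $db, string $userName, string $plainPassword): ?array
{
    // Look the row up by username only. A hash can never be matched in SQL:
    // password_hash() salts every call, so the same password never yields the
    // same string twice, which is why the original WHERE clause finds no row
    // for any user whose stored password is hashed.
    $stmt = $db->prepare(
        'SELECT user_id, user_name, user_pass, user_level FROM users WHERE user_name = :user_name'
    );
    $stmt->bindValue(':user_name', $userName, PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify the submitted plaintext against the STORED hash, not against a
    // hash computed a moment ago from the same input (which always verifies).
    if ($user === false || !password_verify($plainPassword, $user['user_pass'])) {
        return null;
    }
    // Upgrade the stored hash transparently if PASSWORD_DEFAULT has changed.
    if (password_needs_rehash($user['user_pass'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET user_pass = :hash WHERE user_id = :id');
        $upd->bindValue(':hash', password_hash($plainPassword, PASSWORD_DEFAULT));
        $upd->bindValue(':id', $user['user_id'], PDO::PARAM_INT);
        $upd->execute();
    }
    unset($user['user_pass']); // never carry the hash into the session
    return $user;
}

// Read the password raw: FILTER_SANITIZE_FULL_SPECIAL_CHARS rewrites & < > " '
// before hashing, silently changing the password the user actually typed.
$user_name = (string) filter_input(INPUT_POST, 'user_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$user_pass = (string) ($_POST['user_pass'] ?? '');
$errors = [];
if ($user_name === '' || $user_pass === '') {
    $errors[] = 'The username and password fields must not be empty.';
} elseif (($user = authenticate($db, $user_name, $user_pass)) !== null) {
    session_regenerate_id(true); // fresh session id on login (session fixation)
    $_SESSION['signed_in']  = true;
    $_SESSION['user_id']    = $user['user_id'];
    $_SESSION['user_name']  = $user['user_name'];
    $_SESSION['user_level'] = $user['user_level'];
} else {
    $errors[] = 'You have supplied a username and password that do not match. Please try again.';
}
```

With this flow the legacy test users that still hold plaintext passwords will fail to log in until their rows are rehashed, which is the expected result of `password_verify()` rather than a bug.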

0 Answers