This question already has answers here:
The 3 different equals
(5 answers)
Closed 7 years ago.
I'm not a php programmer, so I only know what I have looked up online about the md5 tag.
I am checking to see if passwords match in a php page. I send the password in the php url and retrieve it with this code:
$u_pswd = md5(trim(strip_tags($_REQUEST['pswd'])));
Then I run a query to get the user's password so I can check if they are the same:
$usql = "SELECT user_password FROM ft_users WHERE user_email = '".$u_mail."'";
$ures = mssql_query($usql);
$urow = mssql_fetch_array($ures);
if ($urow['user_password'] = $u_pswd) {
// passwords match
} else {
// passwords do not match
}
My problem is that it says the passwords match every time. For example, if the current password is PASSWORD and I send it a password INCORRECT, the output is:
$_pswd = 64a4e8faed1a1aa0bf8bf0fc84938d25
$urow['user_password'] = 64a4e8faed1a1aa0bf8bf0fc84938d25
Could someone help me out in solving why it is saying the passwords are the same when they are not?
Do not use "=" for comparison. "=" will assign a value and any expression "$var = $value" will be evaluated to true. Use "==" instead.
if ($urow['user_password'] == $u_pswd) { ... }
= is for assigning , in your code you are assigning $u_pswd value to $urow['user_password']
you need to compare those values are equal or not by using == to get required result
$usql = "SELECT user_password FROM ft_users WHERE user_email = '".$u_mail."'";
$ures = mssql_query($usql);
$urow = mssql_fetch_array($ures);
if ($urow['user_password'] == $u_pswd) {
}
else
{
}
Hope it helps.
Related
This question already has answers here:
How do you use bcrypt for hashing passwords in PHP? [duplicate]
(11 answers)
PHP & MYSQL: using bcrypt hash and verifying password with database
(2 answers)
Closed 5 years ago.
i'm trying to make the password_verify match the crypt password in the database, but i'm having a problem, it seems it doesn't match.
I already search for this and i've found that i need to use VARCHAR with a maximum length of 255 and still doesn't work.
Here is the code:
if( isset($_POST['bG9n']) && "bG9naW4") {
$email = $_POST['email'];
$pass= $_POST['pass'];
if($pass) {
$crypt = password_hash($pass,PASSWORD_BCRYPT);
$decrypt = password_verify($pass,$crypt);
}
if(password_verify($pass,$crypt)) {
echo "Sucess"; // It does echo Sucess
}
if (!empty($email) && !empty($pass) && filter_var($email,FILTER_VALIDATE_EMAIL) && password_verify($pass,$crypt)) {
$sql = "SELECT email, pass FROM clientes WHERE email ='$email' AND pass = '$decrypt' ";
$query = $DB_con->prepare($sql);
$query->execute();
$count = $query->rowCount();
if($count == 1){
$_SESSION['email'] = $email;
$_SESSION['pass'] = $decrypt;
header("Location: home.php");
}
else {
echo "<BR>Error";
}
}
Probably is an easy fix but i can't seem to find what's wrong.
Thanks everyone in advance.
It's a normal behaviour. Hash with bcrypt is not deterministic, it differs from launch to launch, so you can't query it.
You have to check if it matches not via mysql but via php.
So, first get it from database, then $isVerified = password_verify($pass, $hashFromDB);
This question already has answers here:
How do I use password hashing with PDO to make my code more secure? [closed]
(3 answers)
Closed 5 years ago.
Okay, so I'm trying to make a register/login code for my personal website.
I had no troubles making the registration form but I'm having some difficulties with the login.
Here's a part of my code:
$stmt = $pdo->prepare("SELECT password FROM members where username = ? ");
$stmt->bindValue(1, $username);
$stmt->execute();
Now to my understanding i need to fetch the first row from my table convert it to a string and then using password_verify to compare that string to whatever the users inputs in the form i created. The problem i have is that it fetches an array and can't really use password_verify to compare a string to an array.
Am I doing something wrong? how should I do this?
tl; dr How do I actually select a hashed password from DB, convert it to a string and then compare that string with the password my user will input.
Thanks.
This library works on
PHP 5.5+: use password_hash
$sql = "SELECT * FROM members WHERE username = ?";
$stmt = $pdo->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
if (password_verify($_POST['password'], $users[0]->password) {
// valid login
} else {
// invalid password
}
} else {
// invalid username
}
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 6 years ago.
i need to confirm login using Php and mysql. My codes keep bringing 'username and password not correct even when it is. Please where did i get it wrong.
HTML code looks like this
PHP code looks like this
enter image description here
Thank you
issue 1 : $user_name = $_POST['username']; you have used single quotes wrongly . Same for password in the screen shot. http://i.stack.imgur.com/FlUyR.jpg
issue 2 : mysqli_query($CONNECTIONHANDLER, $QUERY) but you are missing connectionhandler.
Full Code changes :
$username = mysqli_real_escape_string($con,$_POST['username']);
$password = mysqli_real_escape_string($con,$_POST['pass_word']);
$rs = mysqli_query($con, "Select username, pass_word from verify where username = '%s' and pass_word = '%s'", $username, $upassword);
$check_user = mysqli_num_rows($rs);
if($check_user>0){
echo "Logged in / valid user ";
} else {
echo "username / password incorrect";
}
change
'$_POST[username]' to $_POST['username'] and same goes for password.
You are actually assigned string values instead of getting them from $_POST array
Remove simple quote
$username = $_POST['username'];
$password = $_POST['pass_word'];
Keep in mind that POST input should ALWAYS be sanitized to avoid injection
I think you are doing it wrong. Also you just posted your username and password on the internet.
The query is redundant. You should just check for the presence of a user with such username and password (for example Select Count(*) from...)
the second control you are doing is superfluous. Also you are declaring a variable inside a while and you are trying to access those values from outside of it.
Also there are some syntactic errors like quotes and stuff that other users already suggested.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm working on a database login system in PHP but one of my users has an exclamation mark in his password which breaks it, The line where it says ($password = $_GET['p'];) is where the password gets passed in
$username = $_GET['u'];
$password = $_GET["p"];
function userLoginIpb($username, $password) { //select the password information froms elected user
$query = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT `members_pass_salt`, `members_pass_hash` FROM `members` WHERE `name` = '$username'");
$results = mysqli_fetch_assoc($query);
$password = md5(md5($results['members_pass_salt']).md5($password));
if ($password == $results['members_pass_hash']) {
return true;
} else {
return false;
}
The issue is your $_GET[] request, since a ! character will be encoded to %21.
Since you're working on the system, do it the correct way instead.
Use POST requests, as you don't want the users to copy paste a link with a password in them.
Use the new functions in PHP, password_hash() with password_verify() as they have a salt build into them making it quite secure and very easy to work with.
Bind values to a SQL string do not blindly put them in there as you are currently open to an easy SQL injection. Adding a password like pass; DROP TABLE members; will break it.
You need to use mysqli_real_escape_string:
<?php
$username = $_GET['u'];
$password = $_GET["p"];
// select the password information froms elected user
function userLoginIpb($username, $password)
{
global $___mysqli_ston;
$s = mysqli_real_escape_string($___mysqli_ston, $username);
$query = mysqli_query($___mysqli_ston, "SELECT `members_pass_salt`, `members_pass_hash` FROM `members` WHERE `name` = '$s'");
$results = mysqli_fetch_assoc($query);
$password = md5(md5($results['members_pass_salt']).md5($password));
return $password == $results['members_pass_hash'];
}
Also take a look at PDO.
This question already has answers here:
Insert data only if record does not exist
(3 answers)
Closed 9 years ago.
I need to have a system where a random password and username are created for each new user.
As such, I need to make sure the username is unique.
However I cant figure out why the code below isn't working. It isn't a syntax issue. I just can't figure out where I have gone wrong logically.
anyway here is what I have tried:
$Password= randomPassword();
$Username = randomPassword();
$UsernameCheckQuery = mysql_query("SELECT * FROM users WHERE username = '".$Username."'");
while (mysql_num_rows($UsernameCheckQuery ) >= 1) {
$Username = randomPassword();
$UsernameCheckQuery = mysql_query("SELECT * FROM users WHERE username = '".$Username."'");
}
I know this topic appears elsewhere on Stack Overflow and on the web. However every question I have seen has been using an if statement to check if the username is already used. In my case I cant see how an if statement would work as the randomPassword function could generated two username that already exist in a row.
Try
while (true) {
$Username = randomPassword();
$UsernameCheckQuery = mysql_query("SELECT * FROM users WHERE username = '".$Username."'");
if (mysql_num_rows($UsernameCheckQuery ) < 1) {
break;
}
}
echo 'The generated username is '.$Username;