How to password_verify() with hash from database - php

Attempting to verify the hash password from the database, with the user input via POST. After some brief research it seems the issue may have something to do with not being able to convert the mysqli_query to a string though I do not know how to do that properly, hence the fetch_object() etc which I added from another SO question. I have also adequately accounted for the length of the has with the column set for varchar(255). Appreciate any help or guidance, thanks.
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "test";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$password = $_POST['password'];
$db_password = mysqli_query($conn, 'SELECT password FROM sec')->fetch_object()->password;
if (password_verify($password, $db_password)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
?>

First get the password hash from the database,then convert the user input password in the hash value.Compare these two values by passing through the function password_verify(), then you will get the proper result.

$password = "test";
$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";
if (password_verify($password, $hash)) {
echo "Success";
}
else {
echo "Error";
}
OR
You can use this one too
$verify=password_verify($_POST['passwrd'],$row[2]);
if($verify){
$_SESSION["usrname"]=$usrname;
echo "Correct";
}
else {
echo "user: " . $usrname. "<br>";
echo "pass: " . $hash. "<br>";
echo "db: " . $row[2]."<br>";
echo "Wrong Username or Password";
}

Related

I'm making a simple Login system using hashed password and session. Login page doesn't recognize Hash from different register page

I'm making a simple Login system using a hashed password and session, the hashed password is being set in another page. How can I make the code recognize the hash which is set in another page?
<?php
session_start();
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "usersystem";
$conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
$Username = $_POST["Username"];
$Password = $_POST["Password"];
$_SESSION['user'] = "";
$hash = password_hash($Password, PASSWORD_BCRYPT);
$sql = "SELECT * FROM users WHERE Username = '$Username'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
if (password_verify($Password, $hash)) {
$_SESSION['user'] = $_POST["Username"];
echo($_SESSION['user']);
}
else {
echo("Incorrect Username");
}
}
else {
echo("Incorrect Password");
}
$conn->close();
?>
The register page where the data is inserted into the database:
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "usersystem";
$conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
$Username = $_POST["usrnm"];
$Password = $_POST["psw"];
$hash = password_hash($Password, PASSWORD_BCRYPT);
$sql = "INSERT INTO users (Username, Password) VALUES ('$Username', '$hash')";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Consider what you're doing here:
password_verify($Password, $hash)
Where do your $Password and $hash values come from?
$Password = $_POST["Password"];
$hash = password_hash($Password, PASSWORD_BCRYPT);
They both come from the user input. So nowhere are you checking if the entered password matches what's in the database. You're checking if the entered password matches itself. This will always be true.
When checking an entered password, you don't need to hash it. You need to use password_verify to compare it to the stored hash. Something like this:
$row = $result->fetch_assoc();
if (password_verify($Password, $row["Password"])) {
Side note: Be aware that your code is wide open to SQL injection. This is not only a glaring security problem but also a very common source of bugs. There are some great explanations and examples here to help you correct this.

Where to put MD5 function to make it work?

I need to send md5 hashed password to database.
<?php
$username = filter_input(INPUT_POST, 'name');
$password = filter_input(INPUT_POST, 'password');
print_r($_POST['name']);
if (empty($username)){
echo "Username should not be empty"; die();
}
if (empty($password)){
echo "Password should not be empty"; die();
}
$host = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "db_account";
//create connection
$conn = new mysqli($host, $dbusername, $dbpassword, $dbname);
if (mysqli_connect_error()){
die('Connect Error ('. mysqli_connect_error() .') '
. mysqli_connect_error());
} else{
$sql = "INSERT INTO t_account (name, pwd)
values ('{$username}','MD5({$password})')";
if ($conn->query($sql)){
echo "Account was created successfully!";
}
else{
echo "Error: ". $sql."<br>". $conn->error;
}
$conn->close();
}
?>
When I fill register form with password for example 123456 it sends it to database like this (MD5)123456 but not as a hashed code.
Also after successfull registration it only shows text after #echo, is possible to redirect user to another page?
Try to use the PHP md5() function:
$password = md5(filter_input(INPUT_POST, 'password'));
Also your statement:
$sql = "INSERT INTO t_account (name, pwd)
values ('{$username}','{$password}')";
I strongly suggest you use prepared statements. Not hard to learn and time well invested.

password_verify returns false. cant find error [duplicate]

This question already has answers here:
Using PHP 5.5's password_hash and password_verify function
(4 answers)
Closed 3 years ago.
I have been trying to figure out this problem for about 2 months and can't seem to figure it out. I have a database that returns the hashed password. I can confirm this works due to printing out all the information. It can return the non-hashed and hashed password perfectly fine but when it checks the password it will always return false.
I am not sure what to do. It could be something really easy but I seem to not be able to find it.
<?php
session_start();
$dbip = "localhost";
$dbuser = "root";
$dbpass = "";
$dbname = "projectNitro";
$conn = new mysqli($dbip, $dbuser, $dbpass, $dbname);
if($conn->connect_error) {
echo("Connection failed: " . $conn->connect_error);
}
$password = mysqli_real_escape_string($conn, $_GET["pass"]);
$email = mysqli_real_escape_string($conn, $_GET["email"]);
$sql = "SELECT * FROM users WHERE email='{$email}' LIMIT 1";
$query = mysqli_query($conn, $sql);
$pass = $_GET["pass"];
if($query == TRUE) {
$row = mysqli_fetch_array($query);
$db_password = $row['password'];
$db_usertype = $row['accountType'];
$username = $row['username'];
echo $password;
echo "<br>";
echo $db_password;
echo "<br>";
$verify = password_verify($pass, $db_password);
if($verify) {
$_SESSION['username'] = $username;
$_SESSION['at'] = $db_usertype;
header("Location: http://website.com");
} else {
echo("DB Email: "
.$row["email"]
."<br>Username: "
.$row["username"]
."<br>DB Password: "
.$row["password"]
."<br>AccountType: "
.$row["accountType"]
."<br>Inserted Email: "
.$_GET["email"]
."<br>Inserted Password: "
.$_GET["pass"]."<br>");
if(password_verify($_GET["pass"], $row["password"])) {
echo("epic<br>");
} else {
echo("not epic<br>");
}
}
} else {
header("Location: http://website.com");
}
$conn->close();
?>
You need to do baby steps. keep stepping up as long as it works.
Here is a simpler version of your code that should work with the password sample from the official doc: http://php.net/manual/en/function.password-verify.php
Also use die(); to debug your code in every {} block.
In your current code you redirect to a website in both cases it's really hard to track what is wrong if you are redirected!
You have useless and unclear variables, for instance $dbpass, $db_password is very ambiguous, even if you and I understand it makes it not maintainable. As well as your coding style, you need to indent!
The next step you need to check if this code works, is replace the hard coded password with a hard coded password you have with hard coded hash as well.
<?php
session_start();
$dbip = "localhost";
$dbuser = "root";
$dbpass = "";
$dbname = "projectNitro";
$conn = new mysqli($dbip, $dbuser, $dbpass, $dbname);
if ($conn->connect_error){
echo("Connection failed: " . $conn->connect_error) . '<br><br>';
}
$password = 'rasmuslerdorf';//mysqli_real_escape_string($conn, $_GET["pass"]);
// $email = mysqli_real_escape_string($conn, $_GET["email"]);
// $sql = "SELECT * FROM users WHERE email='{$email}' LIMIT 1";
// $query = mysqli_query($conn, $sql);
// $pass = $_GET["pass"];
// if ($query == TRUE) {
// $row = mysqli_fetch_array($query);
$db_password = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
// $username = $row['username'];
echo $password;
echo "<br>";
echo $db_password;
echo "<br>";
if (password_verify($password, $db_password)) {
die('ok');
} else {
die('not ok');
}
// } else {
// header("Location: http://website.com");
// }
$conn->close();
?>
Here I modified slightly and added a few comments along the code to help you understand the approach.
<?php
session_start();
// This array is used only like a simple namespace.
$dbCredentials = [
'host' => "localhost",
'user' => "root",
'password' => "",
'dbname' => "projectNitro"
];
$dbConn = new mysqli($dbCredentials['host'], $dbCredentials['user'], $dbCredentials['password'], $dbCredentials['dbname']);
if ($dbConn->connect_error) {
// Should not continue script if can't connect to DB.
die("Connection failed: " . $dbConn->dbConnect_error);
}
// You should check the existence of $_GET["pass"] before using it, with empty() or isset().
$passwordToCheck = mysqli_real_escape_string($dbConn, $_GET["pass"]);// Renamed var more meaningful.
$userEmail = mysqli_real_escape_string($dbConn, $_GET["email"]);
$sql = "SELECT * FROM users WHERE email='{$userEmail}' LIMIT 1";// Don't select * if you don't need everything.
$query = mysqli_query($dbConn, $sql);
$pass = $_GET["pass"];// you already have $passwordToCheck.
if ($query) {// Don't need == TRUE
// $row = mysqli_fetch_array($query);
$db_password = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
$username = $row['username'];
echo "$passwordToCheck<br>$db_password<br>";// This is way less verbose than repeating echo and uses less echo functions.
if (password_verify($passwordToCheck, $db_password)) {// Don't need to keep this condition in a variable.
die('ok');// this is just an example to test.
} else {
die('not ok');// this is just an example to test.
}
} else {
header("Location: http://website.com");// While debugging don't redirect, put die('message');
}
$dbConn->close();
?>

PHP SQL Why does this give me an error without details

Hi I'm trying to insert data in my database. But I keep on getting the same error for example:
Error: INSERT INTO users (username, password) VALUES ('fff', '$2y$10$YUd1AErIj4RGRnjkFkYlkOn.s9OV62sq8.HVGO2jeE8dSthpgp6ey');
without any details which is very frustrating. I'm new to PHP and SQL so it's not the best written code ever and I know I should use prepared statements.
<?php
require_once '../connection/connection.php';
/**
* Created by PhpStorm.
* User: ezrab
* Date: 3/14/2018
* Time: 5:40 PM
*/
$username = $_POST['username'];
$password = $_POST['password'];
//var_dump($hashed_password);
if (isset($_POST['submit'])) {
if (!empty($username) || !empty($password)) {
if (preg_match('/^[A-Za-z]?[A-Za-z ]*$/', $username) || preg_match('/^[A-Za-z]?[A-Za-z ]*$/', $password)) {
$hashPwd = password_hash($password, PASSWORD_DEFAULT);
$sql = "INSERT INTO users (username, password) VALUES ('$username', '$hashPwd');";
if ($conn->query($sql) === TRUE) {
echo "Worked!";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
} else {
echo "You can't use certain characters.";
}
} else {
echo "You have to fill in all fields.";
}
} else {
echo "THOU SHALL NOT PASS!";
}
$conn->close();
EDIT: Added my connection.php file for more information.
<?php
$servername = "-----";
$username = "-----";
$password = "------";
$dbname = "------";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$conn->close();
EDIT:
Take
$conn->close();
out of connection.php and problem should be solved
You were opening and then immediately closing the connection before a query could be made

"Can't use function return value in write context" when using mysqli_num_rows()

I've been working on adding users to my database and I tried to do something to check if login is already occupied. If it's not, PHP should add the user to database, else give alert that login is already used. Here's my code:
<?php
$servername = 'localhost';
$username = 'wiktor';
$password = 'wiktor';
$database = 'something';
$login = $_POST['login'];
$passwd = $_POST['pass'];
$name = $_POST['name'];
$surname = $_POST['sur'];
$conn = new mysqli($servername, $username, $password, $database);
if ($conn->connect_error) {
die("Error " . $conn->connect_error);
} else {
echo "Connect success <br>";
}
$check = "select login from users where login = '$login'";
$test = $conn->query($check);
if(mysqli_num_rows($test) = 0){
$sql = "insert into users
values (null,'$login','$passwd','$name','$surname')";
if ($conn->query($sql) === TRUE) {
echo "Success";
} else {
echo "Error " . $sql . "<br>" . $conn->error;
}
} else {
echo "The login is already in use!";
}
$conn->close();
?>
I'm getting "Can't use function return value in write context" on line
if(mysqli_num_rows($test) = 0)
which checks if there are any records with that login.
I used something similar before and it worked perfectly so what could be the problem now?
Write this
if(mysqli_num_rows($test) == 0)
Instead of,
if(mysqli_num_rows($test) = 0)

Categories