PHP password_verify() not working with database

Posted 2020-02-11 11:42

I'm in the process of making a login and registration system. The system works, so now I have to add in security by hashing the password for database storage. However, when I retrieve the hashed password from the database and compare it to the one the user entered as the password input, it doesn't work.

    <?php
    session_start(); //start the session for user profile page

    define('DB_HOST','localhost'); 
    define('DB_NAME','test'); //name of database
    define('DB_USER','root'); //mysql user
    define('DB_PASSWORD',''); //mysql password

    $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());

    $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 

    /*
    $ID = $_POST['user'];
    $Password = $_POST['pass'];
    */
    function SignIn(mysqli $con){
        $user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
        $pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
        //$user = $_POST['user'];
        //$pass = $_POST['pass'];
        if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
            $query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
            $row = mysqli_fetch_array($query); //or die(mysqli_error($con));
            $username = $row['userName'];
            $pw = $row['pass'];//hashed password in database
            //check username and password hash
            echo $pw; //THIS PRINTS OUT NOTHING!!!
            if($user==$username && password_verify($pass, $pw)) {
                // $user and $pass are from POST
                // $username and $pw are from the rows

                //$_SESSION['userName'] = $row['pass'];
                echo "Successfully logged in.";
            }

            else { 
                echo "Invalid."; 
            }
        }
        else{
            echo "INVALID LOGIN";
        }
    }

    if(isset($_POST['submit'])){
        SignIn($con);
    }
    ?>

So the above code will echo "Invalid" when I attempt to compare the text password entered and the hashed one in the database. The echo $pw prints out nothing for some unknown reason.

Here is the registration PHP script:

    <?php
        //Connection Config
        define('DB_HOST','localhost'); 
        define('DB_NAME','test'); //name of database
        define('DB_USER','root'); //mysql user
        define('DB_PASSWORD',''); //mysql password
        $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
        $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 
        //Registration
        function Register($con){
            if(isset($_POST['user']) && isset($_POST['pass'])){
                $username = $_POST['user'];
                $email = $_POST['email'];
                $password = $_POST['pass'];

                //Hashing of password
                $hpassword = password_hash($password, PASSWORD_DEFAULT);
                $query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());

                if($query){
                    //Query successful
                    echo "User has been created successfully";
                }else{
                    echo "Error1";
                }
            }else{
                echo "Error2";
            }
        }

        if(isset($_POST['submit'])){
            Register($con);
        }
    ?>

I've made sure the column is varchar(255) and long enough. Does anyone know why the verification fails? Thanks!

Note: After password hashing I'm planning to add SQL injection defenses.

1 answer
兄弟一词,经得起流年.
Reply #2 · 2020-02-11 12:25

You're inserting a hashed password, that's good. But then on login you're comparing the one on the POST string with the hashed version in the database. Logically, they will not be the same. You should change:

    SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'

into

    SELECT * FROM UserName where userName = '$_POST[user]'

And indeed you should add protection against SQL injection everywhere. Preferably use prepared statements, on every select, insert, update, delete, etc. and on every single value you're using in those statements.
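An added example (not code from the question or the answer) of the flow the answer describes: fetch the row by user name with a prepared statement, then run password_verify() on the raw input. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL server so it runs offline; the table and column names come from the question, while the function names and sample data are constructed.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the question's MySQL
// database (assumption) so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE UserName (
    UserNameID INTEGER PRIMARY KEY,
    userName   TEXT UNIQUE NOT NULL,
    pass       VARCHAR(255) NOT NULL,
    email      TEXT)');

function register(PDO $db, string $user, string $pass, string $email): void
{
    // Hash the raw password; placeholders keep every value out of the SQL text.
    $stmt = $db->prepare('INSERT INTO UserName (userName, pass, email) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email]);
}

function signIn(PDO $db, string $user, string $pass): bool
{
    // Look the row up by user name only: the stored hash can never equal
    // the plaintext, so adding "AND pass = ..." always matches zero rows.
    $stmt = $db->prepare('SELECT UserNameID, pass FROM UserName WHERE userName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify the unmodified input: escaping it first would change any
    // password that contains a quote or backslash.
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since it was made.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE UserName SET pass = ? WHERE UserNameID = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $row['UserNameID']]);
    }
    return true;
}

// Constructed sample data.
register($db, 'alice', "pa'ss\\word", 'alice@example.com');
var_dump(signIn($db, 'alice', "pa'ss\\word"));   // correct password
var_dump(signIn($db, 'alice', 'wrong'));         // wrong password
var_dump(signIn($db, "x' OR '1'='1", 'wrong'));  // bound as a literal user name
```

With mysqli the same shape applies through `$con->prepare()`, `bind_param()` and `execute()`.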
