I'm in the process of making a login and registration system. The system works so now I have to add in security for hashing password for database storage. However, when I retrieve the hashed password from the database and comparing it to the one the user entered as the password input it doesn't work.
<?php
session_start(); //start the session for user profile page
define('DB_HOST','localhost');
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password
$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error());
/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn(mysqli $con){
$user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
$pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
//$user = $_POST['user'];
//$pass = $_POST['pass'];
if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
$query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
$row = mysqli_fetch_array($query); //or die(mysqli_error($con));
$username = $row['userName'];
$pw = $row['pass'];//hashed password in database
//check username and password hash
echo $pw; //THIS PRINTS OUT NOTHING!!!
if($user==$username && password_verify($pass, $pw)) {
// $user and $pass are from POST
// $username and $pw are from the rows
//$_SESSION['userName'] = $row['pass'];
echo "Successfully logged in.";
}
else {
echo "Invalid.";
}
}
else{
echo "INVALID LOGIN";
}
}
if(isset($_POST['submit'])){
SignIn($con);
}
?>
So the above code will echo "Invalid" when I attempt to compare the text password entered and the hashed one in the database. The echo $pw prints out nothing for some unknown reason.
Here is the Registration php script:
<?php
//Connection Config
define('DB_HOST','localhost');
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password
$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error());
//Registration
function Register($con){
if(isset($_POST['user']) && isset($_POST['pass'])){
$username = $_POST['user'];
$email = $_POST['email'];
$password = $_POST['pass'];
//Hashing of password
$hpassword = password_hash($password, PASSWORD_DEFAULT);
$query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());
if($query){
//Query successful
echo "User has been created successfully";
}else{
echo "Error1";
}
}else{
echo "Error2";
}
}
if(isset($_POST['submit'])){
Register($con);
}
?>
I've made sure the column is varchar(255) and long enough. Does anyone know why the verification fails? Thanks!
Note: After password hashing I'm planning to add SQL injection defenses.
You're inserting a hashed password, that's good. But then on login you're comparing the one on the POST string with the hashed version in the database. Logically, they will not be the same. You should change :
into
And indeed you should add protection against SQL injection everywhere. Preferably use prepared statements, on every select, insert, update, delete, etc. and on every single value you're using in those statements.