Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

mysql - PHP password_verify() not working with database

I'm in the process of making a login and registration system. The system works so now I have to add in security for hashing password for database storage. However, when I retrieve the hashed password from the database and comparing it to the one the user entered as the password input it doesn't work.

    <?php
session_start(); //start the session for user profile page

define('DB_HOST','localhost'); 
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password

$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());

$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 

/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn(mysqli $con){
    $user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
    $pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
    //$user = $_POST['user'];
    //$pass = $_POST['pass'];
    if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
        $query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
        $row = mysqli_fetch_array($query); //or die(mysqli_error($con));
        $username = $row['userName'];
        $pw = $row['pass'];//hashed password in database
        //check username and password hash
        echo $pw; //THIS PRINTS OUT NOTHING!!!
        if($user==$username && password_verify($pass, $pw)) {
            // $user and $pass are from POST
            // $username and $pw are from the rows

            //$_SESSION['userName'] = $row['pass'];
            echo "Successfully logged in.";
        }

        else { 
            echo "Invalid."; 
        }
    }
    else{
        echo "INVALID LOGIN";
    }
}

if(isset($_POST['submit'])){
    SignIn($con);
}
?>

So the above code will echo "Invalid" when I attempt to compare the text password entered and the hashed one in the database. The echo $pw prints out nothing for some unknown reason.

Here is the Registration php script:

<?php
        //Connection Config
        define('DB_HOST','localhost'); 
        define('DB_NAME','test'); //name of database
        define('DB_USER','root'); //mysql user
        define('DB_PASSWORD',''); //mysql password
        $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
        $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 
        //Registration
        function Register($con){
            if(isset($_POST['user']) && isset($_POST['pass'])){
                $username = $_POST['user'];
                $email = $_POST['email'];
                $password = $_POST['pass'];

                //Hashing of password
                $hpassword = password_hash($password, PASSWORD_DEFAULT);
                $query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());

                if($query){
                    //Query successful
                    echo "User has been created successfully";
                }else{
                    echo "Error1";
                }
            }else{
                echo "Error2";
            }
        }

        if(isset($_POST['submit'])){
            Register($con);
        }
    ?>

I've made sure the column is varchar(255) and long enough. Does anyone know why the verification fails? Thanks!

Note: After password hashing I'm planning to add SQL injection defenses.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

You're inserting a hashed password, that's good. But then on login you're comparing the one on the POST string with the hashed version in the database. Logically, they will not be the same. You should change :

SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'"

into

SELECT * FROM UserName where userName = '$_POST[user]'

And indeed you should add protection against SQL injection everywhere. Preferably use prepared statements, on every select, insert, update, delete, etc. and on every single value you're using in those statements.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...