
I have the password for the login part, which uses $hash = password_hash($password, PASSWORD_DEFAULT);

The password is stored in the database as a hash, $2y$10$CaQON5WOEHcla58aBoIRKOmyYLBwtDHKFqk81y25.EGvjBqlF0W1W

I query the database on the login page and check that the user email is in the database, which it is.

I have checked in MySQL workbench if the query I used works, and it returns the password fine.

However, when I try to query the database for the password and assign it to a variable, I get an error when echoing that the variable is not a string.

I've tried $verify = password_verify($password, $hash); however, the error I also get is parameter 2 must be a string.

So why is the value not a string after I get it? And how do I retrieve the correct value?

Here is my query:

   $sql_e2 = "SELECT password FROM users WHERE email='$email'";
   $hash = mysqli_query($mysqli, $sql_e2);

Thanks

  • Please show the full code where you query the db and assign the password hash to a variable. In the above, $hash = mysqli_query($mysqli, $sql_e2); the variable $hash would be a boolean; you need to fetch the results before assigning the variable. Commented May 24, 2021 at 16:11
  • Your code appears to be vulnerable to SQL injection through the use of $email directly in the SQL cmd. Use prepared statements when using user-supplied data. Commented May 24, 2021 at 16:14
  • The function mysqli_query() doesn't return the value as you are expecting. It returns a mysqli_result object on success, or false on failure. So, first you must check if it returns false or not, and after that deal with the mysqli_result object (on success), fetching the row (you can use mysqli_fetch_row). Commented May 24, 2021 at 16:59

1 Answer

I finished putting together what is now working and tested against working and non-working accounts.

//query SQL for password
$sql_e2 = $mysqli->prepare("SELECT password FROM users WHERE email = ?");
$sql_e2->bind_param("s", $email);
$sql_e2->execute();
$result = $sql_e2->get_result();

//fetch row from result and assign value
$row = mysqli_fetch_row($result);
$hash = $row[0] ?? false;

// Print the result depending if they match
if (password_verify($password, $hash)) {
    echo 'Password Verified!';
} else {
    echo 'Incorrect Password!';
}

Thanks for the pointers guys.
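A fuller version of the same login check, added here as an example; it is not code from the question or the answer above. It assumes the users(email, password) table from the question, a mysqli connection, and that the password column holds password_hash() output. The connection parameters in the usage comment, the $dummy_hash, and the function names are illustrative. Beyond what the answer shows, it turns mysqli failures into exceptions (so a false return can never be mistaken for a result), handles the "no such user" case without letting the response time reveal whether the email exists, and rehashes on login if the configured algorithm or cost has changed.

```php
<?php
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false. A false return from
// mysqli_query()/prepare() is exactly what produced the "not a string" confusion
// in the question; with exceptions the failure is loud and carries the message.
// (This is already the default from PHP 8.1 onwards.)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed schema (from the question): users(email VARCHAR, password VARCHAR(255)),
// where password holds password_hash() output such as "$2y$10$...".

// A hash of a throwaway secret, computed once per process. When the email is
// not found we still run password_verify() against this, so the "unknown user"
// path costs roughly one bcrypt check, the same as a real login attempt. That
// keeps response timing from revealing which emails exist.
$dummy_hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

/**
 * Return the stored password hash for $email, or null if there is no such user.
 * A prepared statement keeps $email out of the SQL text entirely.
 */
function fetch_password_hash(mysqli $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();

    // execute() does not hand back the rows. Bind an output column and fetch it;
    // bind_result()/fetch() also works without the mysqlnd driver that
    // get_result() requires, which is why it is used here instead.
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was read, null when there is none
    $stmt->close();

    return $found === true ? $hash : null;
}

/**
 * Verify $password for $email. Returns true only when the hash matches.
 * On success, upgrades the stored hash if PASSWORD_DEFAULT or its cost changed.
 */
function verify_login(mysqli $db, string $email, string $password, string $dummy_hash): bool
{
    $hash = fetch_password_hash($db, $email);

    if ($hash === null) {
        // Unknown user: do the same amount of work as a real check, then fail.
        password_verify($password, $dummy_hash);
        return false;
    }

    if (!password_verify($password, $hash)) {
        return false;
    }

    // Opportunistic upgrade: we have the plaintext only at login time.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password = ? WHERE email = ?');
        $upd->bind_param('ss', $new, $email);
        $upd->execute();
        $upd->close();
    }

    return true;
}

// Usage (host, user, password and database name are placeholders for this example):
// $mysqli = new mysqli('localhost', 'app', 'secret', 'appdb');
// $mysqli->set_charset('utf8mb4');
// if (verify_login($mysqli, $_POST['email'], $_POST['password'], $dummy_hash)) {
//     echo 'Password Verified!';
// } else {
//     echo 'Incorrect Password!';
// }
```

Two details worth keeping in mind when adapting this: get_result(), as used in the accepted answer, returns false rather than a mysqli_result when PHP is built without mysqlnd, and mysqli_fetch_row(false) then fails with a TypeError; bind_result() avoids that dependency. And the dummy verification only equalizes the bcrypt cost between the two branches, so the "Incorrect Password!" message should be the same for both an unknown email and a wrong password.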
