I'm in the process of making a login and registration system. The system works, so now I have to add in security by hashing passwords for database storage. However, when I retrieve the hashed password from the database and compare it to the one the user entered as the password input, it doesn't work.

    <?php
    session_start(); //start the session for user profile page

    define('DB_HOST','localhost');
    define('DB_NAME','test'); //name of database
    define('DB_USER','root'); //mysql user
    define('DB_PASSWORD',''); //mysql password

    $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());

    $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error());

    /*
    $ID = $_POST['user'];
    $Password = $_POST['pass'];
    */
    function SignIn(mysqli $con){
        $user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
        $pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
        //$user = $_POST['user'];
        //$pass = $_POST['pass'];
        if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
            $query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
            $row = mysqli_fetch_array($query); //or die(mysqli_error($con));
            $username = $row['userName'];
            $pw = $row['pass'];//hashed password in database
            //check username and password hash
            echo $pw; //THIS PRINTS OUT NOTHING!!!
            if($user==$username && password_verify($pass, $pw)) {
                // $user and $pass are from POST
                // $username and $pw are from the rows

                //$_SESSION['userName'] = $row['pass'];
                echo "Successfully logged in.";
            }

            else {
                echo "Invalid.";
            }
        }
        else{
            echo "INVALID LOGIN";
        }
    }

    if(isset($_POST['submit'])){
        SignIn($con);
    }
    ?>

So the above code will echo "Invalid" when I attempt to compare the text password entered and the hashed one in the database. The echo $pw prints out nothing for some unknown reason.

Here is the Registration php script:

    <?php
    //Connection Config
    define('DB_HOST','localhost');
    define('DB_NAME','test'); //name of database
    define('DB_USER','root'); //mysql user
    define('DB_PASSWORD',''); //mysql password
    $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
    $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error());
    //Registration
    function Register($con){
        if(isset($_POST['user']) && isset($_POST['pass'])){
            $username = $_POST['user'];
            $email = $_POST['email'];
            $password = $_POST['pass'];

            //Hashing of password
            $hpassword = password_hash($password, PASSWORD_DEFAULT);
            $query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());

            if($query){
                //Query successful
                echo "User has been created successfully";
            }else{
                echo "Error1";
            }
        }else{
            echo "Error2";
        }
    }

    if(isset($_POST['submit'])){
        Register($con);
    }
    ?>

I've made sure the column is varchar(255) and long enough. Does anyone know why the verification fails? Thanks!

Note: After password hashing I'm planning to add SQL injection defenses.

  • You can't SELECT WHERE with the password, because you don't know what the stored password hash is at that stage... just SELECT WHERE with the username, then compare the retrieved password with the entered password using password_verify(). Commented Feb 25, 2015 at 21:18
  • Did you check the table to see if anything was stored in the database? Commented Feb 25, 2015 at 21:18
  • SQL injection here I come! Commented Feb 25, 2015 at 21:19
  • And if you're using MySQLi, use bind variables rather than injecting the username into your SQL, even if you have escaped it Commented Feb 25, 2015 at 21:19
  • Thanks guys! I found the problem. It was in the MySQL query. Commented Feb 25, 2015 at 21:43

1 Answer

You're inserting a hashed password, that's good. But then on login you're comparing the one on the POST string with the hashed version in the database. Logically, they will not be the same. You should change:

    SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'

into

    SELECT * FROM UserName where userName = '$_POST[user]'

And indeed you should add protection against SQL injection everywhere. Preferably use prepared statements, on every select, insert, update, delete, etc. and on every single value you're using in those statements.

1 Comment

I'd go a little further and suggest something like the code example in phpdelusions.net/mysqli/password_hash, which uses password_verify to compare the password retrieved for the user.
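
The flow recommended in the answer and comments (look the user up by username only, bind every value, then call password_verify() on the stored hash), as an added example that is not part of the original posts. To run without a MySQL server it assumes PDO with an in-memory SQLite database instead of the question's mysqli connection; the function names, schema and sample account are constructed for illustration, and the same steps apply with mysqli prepared statements.

```php
<?php
// Added example: constructed schema and sample data, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE UserName (
    UserNameID INTEGER PRIMARY KEY,
    userName   TEXT UNIQUE NOT NULL,
    pass       TEXT NOT NULL,
    email      TEXT NOT NULL)');

function register(PDO $db, string $user, string $email, string $password): void
{
    // Only the hash is stored; every value is bound, never interpolated.
    $stmt = $db->prepare('INSERT INTO UserName (userName, pass, email) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT), $email]);
}

function signIn(PDO $db, string $user, string $password): bool
{
    // Look the row up by username only: the stored hash is not known yet,
    // so it cannot be part of the WHERE clause.
    $stmt = $db->prepare('SELECT UserNameID, pass FROM UserName WHERE userName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password take the same failure path.
    if ($row === false || !password_verify($password, $row['pass'])) {
        return false;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since it was created.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE UserName SET pass = ? WHERE UserNameID = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['UserNameID']]);
    }
    return true;
}

// Constructed sample account and inputs.
register($db, 'alice', 'alice@example.test', 'correct horse battery staple');

var_dump(signIn($db, 'alice', 'correct horse battery staple')); // correct password
var_dump(signIn($db, 'alice', 'wrong password'));               // wrong password
var_dump(signIn($db, 'nobody', 'anything'));                    // unknown user
var_dump(signIn($db, "o'neil", 'anything'));                    // quote in input is bound as data
```

The password is passed to password_hash() and password_verify() unmodified; escaping it first, as the question's SignIn() does, changes the bytes being verified whenever the password contains a quote or backslash.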
