0

I am trying to use password hashing using PHP/MySQL. The issue is password_verify does not seem to work for me so far. Say, my password during registration is '123456789'. I stored it in the database using

    password_hash('123456789', PASSWORD_BCRYPT, array('cost' => 12));

And then when I enter '123456789' in the login field, it does nothing, fails.

Here is my code:

    <?php
            session_start();
            include('db.php');
    ?>

    <!DOCTYPE html>

    <head>

        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <meta name="viewport" content="width=device-width,initial-scale=1" />
        <link rel="stylesheet" type="text/css" href="style.css"/>

    </head>

    <body>

    <p/>

    <?php

        if(isset($_POST['login']) && $_POST['login'] == 'Login') {

            $loginEmail = $_POST['loginEmail'];
            $loginPassword = $_POST['loginPassword'];

            $sqlLogin = $db->prepare("SELECT * FROM registered_users WHERE email = ?");

            $sqlLogin->bind_param("s",$loginEmail);
            $sqlLogin->execute();
            $sqlLogin = $sqlLogin->get_result();
            $numrowsLogin = $sqlLogin->num_rows;

            if($numrowsLogin == 1) {
                $rowLogin = $sqlLogin->fetch_assoc();
                $stored_password = $rowLogin['password'];

            }
            if(password_verify($loginPassword, $stored_password)){


               header('Location: homepage.php');
            }else{
                echo 'invalid login';
            }

        }
    ?>


        <form action = "<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
            <table style="width:500px">
                <tr>
                    <td width="30%"><input style="width: 200px; height: 25px; border-radius: 5px;" type="text" name="loginEmail" placeholder = "Email" required/><br/></td>
                </tr>
                <tr>
                    <td width="30%"><input style="width: 200px; height: 25px; border-radius: 5px;" type="password"  name="loginPassword" placeholder = "Password" required/><br/></td>
                </tr>
            </table>

            <input style="font-weight: bold; width: 70px; height: 25px; border-radius: 5px;" type="submit" name="login" value="Login"/>
        </form>

    </body>

    </html>
17
  • done any basic debugging, like checking if your query succeeds and returns a stored hash? and note that you're vulnerable to XSS attacks by using $_SERVER['PHP_SELF'] in your form's action. Commented Jul 6, 2016 at 14:12
  • You need to add exit; after any header('location: ...');-call since we want to stop outputting stuff to the browser at this point. Commented Jul 6, 2016 at 14:14
  • yes, sorry for that, updated Commented Jul 6, 2016 at 14:17
  • 1
    example from php.net/manual/en/function.password-hash.php $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a is 60 chars. What's yours and the length of the password column? less than 60? if so, that's the problem. Too short and your code failed silently because of it and you need to start over with a new hash after altering the column's length. @BishwaroopChakraborty Commented Jul 6, 2016 at 14:28
  • 1
    Please read the comments in the answer by @fred. You will never again have this issue. Commented Jul 6, 2016 at 15:28

3 Answers

3

"@Fred Li: thanks, that worked for me. My password column length in the database was 50. Updated it and works now, thank you once again!! – Bishwaroop Chakraborty"

As discussed in comments:

Example from http://php.net/manual/en/function.password-hash.php

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a is 60 chars.

Your password column's length is less than 60 and that's the problem.

It's too short and your code failed silently because of it and you need to start over with a new hash after altering the column's length.

  • The manual says that 255 is a good bet.

Notes:

Pay attention to other comments left in regards to XSS injection.

Here are a few good articles:

and to add exit; after header. Otherwise, your code may want to continue to execute.


4 Comments

imo, just use a varchar field of 255. The cost is one byte extra and this fault would never have happened. imo, never use exact length character / varchar fields in a database.
@RyanVincent Exactly; I wrote a short note about the manual saying it's "a good bet" ;-) Thanks for your comment btw.
Sorry, @fred, I meant it for the OP ;-/ finger trouble
@RyanVincent No worries :-)
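
The failure diagnosed in the answer above, reproduced as an added example (not code from the original posts): a bcrypt hash cut to the 50-character column width the asker reported no longer verifies, and `password_get_info()` stops recognising it. `COLUMN_WIDTH` and `diagnoseStoredHash()` are hypothetical names introduced for this sketch.

```php
<?php
// Added example; COLUMN_WIDTH and diagnoseStoredHash() are hypothetical names.

const COLUMN_WIDTH = 50; // column length reported by the asker

/**
 * Explain why a stored value cannot work with password_verify().
 * Returns null when the value is a well-formed password_hash() result.
 */
function diagnoseStoredHash(string $stored): ?string
{
    // password_get_info() reports algoName "unknown" for anything that is
    // not a complete hash of a supported algorithm.
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return null;
    }
    // A bcrypt prefix with fewer than 60 characters points at truncation.
    if (preg_match('/^\$2[abxy]\$\d{2}\$/', $stored) && strlen($stored) < 60) {
        return sprintf('bcrypt hash truncated to %d of 60 characters', strlen($stored));
    }
    return 'value is not a password_hash() result';
}

$password = '123456789'; // sample password from the question
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// Simulate the storage step: a MySQL server without strict SQL mode cuts
// an over-long value down to the column width instead of rejecting it.
$truncated = substr($hash, 0, COLUMN_WIDTH);

foreach (['full hash' => $hash, 'truncated hash' => $truncated] as $label => $stored) {
    printf(
        "%s: length=%d verify=%s diagnosis=%s\n",
        $label,
        strlen($stored),
        var_export(password_verify($password, $stored), true),
        diagnoseStoredHash($stored) ?? 'ok'
    );
}
```

Running the same diagnosis on the value fetched in the login script, before calling `password_verify()`, separates a storage problem from a wrong password.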
0

In the event that newcomers are still getting errors with this after verifying sufficient data storage (for example: VARCHAR(255))

Be sure to use the unhashed string in the verify-password function.

    password_verify($unhashed_string, $hashed_string)

I lost a few hours sleep passing a hashed string into first parameter of the function.


0

I am using blowfish algorithm for hashing password. It has run successfully for me, so you can try this.

    <?php

    $pass = "test678";

    // password_hash() hashes the given password (bcrypt, with a random salt)
    $hash = password_hash($pass, PASSWORD_BCRYPT);

    $matchpass = "test678";

    // password_verify() returns true if the plain-text password matches the hash, false otherwise
    $match = password_verify($matchpass, $hash);

    if ($match == true) {
        echo "Password can match successfully......";
    } else {
        echo "Password cannot match please try again.";
    }

    ?>

OUTPUT:

Password can match successfully......
