0

I encrypt my password when sign up and I want to create login page which checks password. I hash password which is written by user in login page and check if it is equal with password in database?

But when I hash true password in login page, it is not equal with in database. SQL injection or other security problems are not important in this situation. I search too much but I cannot solve this problem. Can anyone help me please.

login.php

 <?php
  include_once "connection.php";
  if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked

      if($_POST['username'] && $_POST['password']) {
        $username  =  $_POST['username'];
        $pa = $_POST['password'];
        $password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)

        $pas = "SELECT pass FROM studenttable WHERE nickname='$username'";


         $result = mysqli_query($con, $pas) or die("Error: ".mysqli_error($con));  // assign the return value of mysqli_query to $res
           echo "mysqli_query successed <br>";
           if($result === FALSE) {
                die(mysql_error()); // TODO: better error handling
            }else{
                if(mysqli_num_rows($result) != 0){

                  while ($row = $result->fetch_assoc()) {
                      $pass = $row['pass'];
                      echo "pass is = $pass <br>";
                  }

                   echo "pass: $pass ----------------- password: $password <br>";
                   if(password_verify($pa , $pass)){
                     echo "login successfully";
                   echo "password: $pa ................. pass: $pass <br>";
                    }
                    else {
                      echo "pa: $pa ------------ pass: $pass<br>";
                      echo "wrong password";
                      //header('Location: logindif.html');
                    }
                }
          }
      }}
?>

Output:

mysqli_query successed pass is = $2y$10$PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc pass: $2y$10$PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc ----------------- password: $2y$10$kgx0EmAFSIOXGMyIsUgOZO8MyRoc4rLzo0PQXOe5lLeAxLO7e3FM. pa: 123456 ------------ pass: $2y$10$PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc wrong password

signup.php

<?php
if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked

    // Here the database is included. No need for mysqli_select_db
    $conn = new mysqli('localhost', 'root', '123456', 'inputdatabase');

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    session_start();
    $_SESSION['user'] = 'username';
    $username = $_POST['username'];
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)

    // Its always good to prepare your sql statements.
    $prep = $conn->prepare("INSERT INTO studenttable (nickname, pass) VALUES (?,?)");

    $stmt = $conn->prepare("SELECT nickname FROM studenttable WHERE nickname=?");
    $stmt->bind_param("s", $username);

     $sameuser= mysqli_real_escape_string($conn, $_POST['username']);
    if (!empty($username))  {
        $result=mysqli_query($con,$stmt);
        $mostrar = $result->num_rows;
         if($mostrar==0){

            $prep->bind_param("ss", $username, $password);

            $send = $prep->execute();

            if ($send === TRUE) {
                echo "New record created successfully";    //<-- You won't get to see this because of the next line.
                header('Location: index.php');
                exit();
            } else {
                echo "Error: " . $conn->error;
                header('Location: signupsqlerror.html');
                exit();
            }
         }else {
            header('Location: signupdif.html');
            exit();
        }
    }
   $prep->close();
    $conn->close();
}
?>
Improve this question
11
  • 3
    Do not hash the password on login.... use password_verify with the plaintext value entered on the form and the hashed value retrieved from the database Commented Nov 21, 2017 at 11:51
  • $password = password_hash($_POST['password'], PASSWORD_DEFAULT); whats the point of that line in login? Commented Nov 21, 2017 at 11:52
  • This code might be easier to follow if you didn't have variables called $pa, $pas, $pass, and $password. Commented Nov 21, 2017 at 11:53
  • because I spend a lot of effort $pa, $pas, $pass are there. Sorry for that. I delete $password_hash in login. But password_verify is still false. Should I use salt when I encrypt my password in signup? Commented Nov 21, 2017 at 11:58
  • 1
    I changed db pass varchar size with 60 and I saw login successfullypassword. THANK YOU SO MUCH. Commented Nov 21, 2017 at 12:12

1 Answer 1

Reset to default
1

Your database password column is not long enough, and it's truncating the values. From the manual:

Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

You need a column that's at least 60 characters long, and ideally 255 for future-proofing.

Unfotunately, inserting a 60 character string into a 45 character column won't raise any errors, it'll just chop off the last part of the hash.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.