Okay, so my code is a bit tricky. I'm using password_hash and it works fine on my Register.php page, but it fails to work when I try to implement it into my code, so here is fresh code if someone can try it or point me in the right direction on how this can be done. I should have done this while coding it, but I never did. Code below; I want to implement password_hash and password_verify.

```php
if (!($user->LoggedIn()))
{
    if (isset($_POST['logINBoss']))
    {
        $username = htmlspecialchars($_POST['username']);
        $password = htmlspecialchars($_POST['password']);
        $errors = array();
        if (!ctype_alnum($username) || strlen($username) < 3 || strlen($username) > 15)
        {
            //$errors[] = 'Username Must Be  Alphanumberic And 4-15 characters in length';
        }

        if (empty($username) || empty($password))
        {
            $errors[] = '<center><div class="sufee-alert alert with-close alert-danger alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>Fill in all fields.</div></center>';
        }

        // Ban check: status = 1 means the account is banned.
        $SQL = $odb->prepare("SELECT `status` FROM `users` WHERE `username` = :username");
        $SQL->execute(array(':username' => $username));
        $status = $SQL->fetchColumn(0);
        if ($status == 1)
        {
            $SQL = $odb->prepare("SELECT `reason` FROM `bans` WHERE `username` = :username");
            $SQL->execute(array(':username' => $username));
            $ban = $SQL->fetchColumn(0);
            header('location: banned.php');
            exit; // stop here, otherwise the login code below still runs after the redirect header
        }

        if (empty($errors))
        {
            // This is the part that does not work: password_hash() generates a new random salt
            // on every call, so the value bound here never matches the hash stored in the DB.
            $SQLCheckLogin = $odb->prepare("SELECT COUNT(*) FROM `users` WHERE `username` = :username AND `password` = :password");
            $SQLCheckLogin->execute(array(':username' => $username, ':password' => password_hash($password, PASSWORD_DEFAULT)));
            $countLogin = $SQLCheckLogin->fetchColumn(0);
            if ($countLogin == 1)
            {
                // Same problem again: a second password_hash() call produces yet another hash.
                $SQLGetInfo = $odb->prepare("SELECT `username`, `ID`, `status` FROM `users` WHERE `username` = :username AND `password` = :password");
                $SQLGetInfo->execute(array(':username' => $username, ':password' => password_hash($password, PASSWORD_DEFAULT)));
                $userInfo = $SQLGetInfo->fetch(PDO::FETCH_ASSOC);
                if ($countLogin == 1)
                {
                    $logAddr = $odb->prepare("INSERT INTO `login_history` (`username`,`ip`,`date`,`http_agent`) VALUES (:user, :ip, UNIX_TIMESTAMP(NOW()), :agent);");
                    $logAddr->execute(array(":user" => $username, ":ip" => $_SERVER['REMOTE_ADDR'], ":agent" => $_SERVER['HTTP_USER_AGENT']));
                    // The original wrapped these assignments in htmlspecialchars(), whose return value was discarded;
                    // the effect is a plain assignment.
                    $_SESSION['username'] = $userInfo['username'];
                    $_SESSION['ID'] = $userInfo['ID'];
                    echo '<center><div class="sufee-alert alert with-close alert-success alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>Login Successful!</div></center><meta http-equiv="refresh" content="1;url=index.php">';
                }
                else
                {
                    echo '<center><div class="sufee-alert alert with-close alert-danger alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>You are Banned!</div></center>';
                }
            }
            else
            {
                echo '<center><div class="sufee-alert alert with-close alert-warning alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>Login Failed!</div></center>';
            }
        }
        else
        {
            echo '<div class="alert alert-danger"><p><strong>ERROR:</strong><br />';
            foreach ($errors as $error)
            {
                echo '-' . htmlspecialchars_decode($error) . '<br />';
            }
            echo '</div>';
        }
    }
}
```

  • Please try to narrow down your code to a specific implementation issue. It doesn't make much sense to reexplain what's already discussed in previous questions. Commented Mar 7, 2019 at 1:02
  • I tried implementing this under the post variables near the top: $hashed_password = password_hash($_POST["password"],PASSWORD_DEFAULT); if(password_verify($_POST["password"],$hashed_password)) but it still won't work :/ Commented Mar 7, 2019 at 1:05
  • That doesn't convey very well if you understood the basic usage. (See linked questions again). Otherwise, show the last attempt, cut down the code (neither bans nor login_history are relevant), showcase input, database contents, and var_dump samples in between. Commented Mar 7, 2019 at 1:13
  • Remove all of these AND password = :password"; select the hashed password (from the DB, let's call it $row['password']) and compare it to the plain-text input password; password_verify does the encryption for you: password_verify ( $_POST['password'], $row['password'] ) Commented Mar 7, 2019 at 1:50

1 Answer

When you get your user from the database, get it by searching by username, not by username and password. Once you have the hash retrieved from the database, don't use password_hash because it will give you a different hash! Better use password_verify: http://php.net/manual/en/function.password-verify.php

This way you can verify passwords. That is the reason why password_verify exists: password_hash adds a salt to secure the passwords in a better way, and gives a different hash even for the same plaintext.

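The login flow the answer describes (look the user up by username only, then let password_verify compare the submitted plaintext against the stored hash), as an added stand-alone example; this is not the asker's code and not the answer author's. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with a `users` table shaped like the one in the question (`ID`, `username`, `password`, `status`); the `$odb` name and the sample accounts are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: in-memory SQLite stands in for the question's MySQL database.
$odb = new PDO('sqlite::memory:');
$odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$odb->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, status INTEGER)');

// Registration side: store the output of password_hash(), never the plaintext.
// Constructed sample accounts; status = 1 mirrors the question's "banned" flag.
$ins = $odb->prepare('INSERT INTO users (username, password, status) VALUES (:u, :p, :s)');
$ins->execute([':u' => 'alice',   ':p' => password_hash('correct horse', PASSWORD_DEFAULT), ':s' => 0]);
$ins->execute([':u' => 'mallory', ':p' => password_hash('hunter2', PASSWORD_DEFAULT),       ':s' => 1]);

/**
 * Returns the user row (without the hash) on success, or null on failure.
 * Unknown user and wrong password both yield null so the caller cannot
 * tell usernames apart from the result.
 */
function authenticate(PDO $odb, string $username, string $password): ?array
{
    // 1. Select by username ONLY. The stored hash carries its own salt, so a
    //    fresh password_hash() of the input would never equal it in a WHERE clause.
    $stmt = $odb->prepare('SELECT ID, username, password, status FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    // 2. For an unknown username, verify against a dummy hash anyway so the
    //    response time does not reveal whether the account exists.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);
    $storedHash = $row['password'] ?? $dummy;

    // 3. password_verify() reads the algorithm, cost and salt out of $storedHash,
    //    re-derives the hash from $password and compares in constant time.
    if (!password_verify($password, $storedHash) || $row === null) {
        return null;
    }

    // 4. Transparently upgrade old hashes when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $odb->prepare('UPDATE users SET password = :p WHERE ID = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['ID']]);
    }

    unset($row['password']); // keep the hash out of $_SESSION and templates
    return $row;
}

// Demonstration with constructed inputs (on a real page these come from $_POST).
$cases = [
    ['alice',   'correct horse'],  // valid credentials
    ['alice',   'wrong password'], // wrong password
    ['nobody',  'anything'],       // unknown user
    ['mallory', 'hunter2'],        // valid credentials, but status = 1 (banned)
];

foreach ($cases as [$u, $p]) {
    $user = authenticate($odb, $u, $p);
    if ($user === null) {
        echo "$u: login failed\n";
    } elseif ((int) $user['status'] === 1) {
        echo "$u: password correct but account is banned\n"; // where the question redirects to banned.php
    } else {
        echo "$u: login OK (ID {$user['ID']})\n";
        // At this point a real page would call session_regenerate_id(true)
        // and set $_SESSION['ID'] / $_SESSION['username'] from $user.
    }
}
```

Run it with `php login_example.php`; only `alice` with the right password logs in, while the wrong password, the unknown user and the banned account each fall through to a failure branch. Note that the plaintext goes into password_verify untouched: running htmlspecialchars() over the password first, as the question does, would silently change any password containing `&`, `<`, `>` or quotes and make a correct login fail.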

1 Comment

I'm confused. I'm completely new to this and I've done non-stop looking up but ain't getting far.
