TechQA.

PHP password_verify (BCRYPT) doesn't work, what am I doing wrong?

439 views Asked by At

I'm quite new to PHP password_hash & password_verify.

My password_hash works like a charm. I store the hash in the database 'password'-Field, after successful registration.

But the main-problem seems to be the password_verify.

My Register.php:

<?php
     require('db.php');
     // If form submitted, insert values into the database.
     if (isset($_REQUEST['username'])){
     $username = stripslashes($_REQUEST['username']); // removes backslashes
     $username = mysqli_real_escape_string($con,$username); //escapes special characters in a string
     $email = stripslashes($_REQUEST['email']);
     $email = mysqli_real_escape_string($con,$email);
     $password = stripslashes($_REQUEST['password']);
     $password = mysqli_real_escape_string($con,$password);
     $hashedpw = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
     $ipaddress = $_SERVER['REMOTE_ADDR'];

     $reg_date = date("Y-m-d H:i:s");
     $query = "INSERT into `user` (username, password, email, reg_date, ip) VALUES ('$username', '$hashedpw', '$email', '$reg_date', '$ipaddress')";
     $result = mysqli_query($con,$query);
     if($result){
     header("Location: regsuccess.php");
     }
     }else{
     ?>

My Login.php:

      <?php
     require('db.php');
     function redirect($DoDie = true) {
        header('Location: success.php');
        if ($DoDie)
        die();
     }
     session_start();
     if(isset($_SESSION['username'])) {
        redirect();
    }
        // If form submitted, insert values into the database.
        if (isset($_POST['username'])){
            $username = stripslashes($_REQUEST['username']); // removes backslashes
            $username = mysqli_real_escape_string($con,$username); //escapes special characters in a string
            $password = stripslashes($_REQUEST['password']);
            $password = mysqli_real_escape_string($con,$password);
            $hash_query = "SELECT password FROM `user` WHERE username='$username'";
            $hash_result = mysqli_query($con,$hash_query) or die(mysql_error());
            $ipaddress = $_SERVER['REMOTE_ADDR'];

            //Checking is user existing in the database or not
            $query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
            $result = mysqli_query($con,$query) or die(mysql_error());
            $rows = mysqli_num_rows($result);
            if($rows==1){
                if (password_verify($password, $hash_result)) {
                    $_SESSION['username'] = $username;
                    $trn_date = date("Y-m-d H:i:s");
                    $query = "UPDATE `user` SET `ip` = '$ipaddress', `last_login` = '$trn_date' WHERE `username` = '$username'";
                    $result = mysqli_query($con,$query) or die(mysql_error());
                    $rows = mysqli_num_rows($result);
                    header("Location: success.php"); // Redirect user to index.php
                }
                else {
                    header("Location: error.php");
                }
            }
            else {
                header("Location: error.php");
            }
        }
        else {

     ?>

So, the problem is that the password_verify doesn't really work here. I enter my password, and it redirects me to the error.php where it says that my username or password is incorrect.

What am I doing wrong? :/ Thanks in advice!

php hash passwords php-password-hash
Original Q&A
0

There are 0 answers

Related Questions in PHP

Related Questions in HASH

Related Questions in PASSWORDS

Related Questions in PHP-PASSWORD-HASH

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions