
When using password_verify, any password suffices, why?


I have read all the questions I could find related to this and still can't find a helpful answer (helpful to me, that is).

My problem is that I can log in with any password when using password_verify.

login_process.php

<?php
include_once("db.php");

if(!empty($_POST['login'])) { 
        // Escape variables
        $input_username = mysqli_real_escape_string($connectdb, $_POST['username']);
        $input_password = mysqli_real_escape_string($connectdb, $_POST['password']);

//Query to find username
            $query = "SELECT id, username, password, email FROM usersdt091g WHERE username = '$input_username'";
            $query2 = "SELECT password FROM usersdt091g WHERE username = '$input_username'";
            $res = mysqli_query($connectdb, $query2);
            $dbpass = mysqli_fetch_assoc($res);
            // mysqli_fetch_assoc() returns a single row as an associative array (null if no row matched)
            $hash = $dbpass['password'] ?? '';
            $result = mysqli_query($connectdb, $query);
            $row = mysqli_fetch_assoc($result);

        // Login ok = false, then render it true if conditions met
        $login_ok = false; 

        if(password_verify($input_password, $hash)) 
        { 
                // If they do, then we flip this to true 
                $login_ok = true; 
        } 

        // If login ok
        if($login_ok = true) 
        {
            // Session variables
            $_SESSION['user'] = $row;

            // Redirect user to secret page. 
            header('Location: blahalblal'); 
            exit; 
        } else {
            // Tell the user they failed
            $errors[] = "<p>Login Failed MISERABLY!</p>"; 
        }
    }
?>

Image of Database table

My registration process looks like this. signup.php

<?php 
   include_once("db.php"); 

    if(isset($_POST['signup']))
{
 $username = mysqli_real_escape_string($connectdb, $_POST['username']);
 $email = mysqli_real_escape_string($connectdb, $_POST['email']);
 $password = mysqli_real_escape_string($connectdb, $_POST['password']);
 $hash = password_hash($password, PASSWORD_DEFAULT);

 if(mysqli_query($connectdb, "INSERT INTO usersdt091g (username, email, password) VALUES ('$username','$email','$hash')"))
 { 
     $successs[] = "<p>Great Success, please login!</p>";
 }
}
?>

I could use all and any assistance,

Erik


Solution

  • This will always be true:

    if($login_ok = true)
    

    Because the result of assigning a boolean value is the boolean value itself. You probably meant to compare the value instead of assigning it:

    if($login_ok == true)
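
The bug and a fail-closed fix side by side, as an added example that is not part of the original question or answer. The in-memory `$users` array and the function names `login_buggy` and `login_fixed` are constructed stand-ins for the database lookup.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the usersdt091g table (not from the page).
$users = [
    'erik' => ['id' => 1, 'password' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// The pattern from the question: "=" assigns true, so the branch always runs.
function login_buggy(array $users, string $username, string $password): bool
{
    $hash = $users[$username]['password'] ?? '';
    $login_ok = false;
    if (password_verify($password, $hash)) {
        $login_ok = true;
    }
    if ($login_ok = true) {   // assignment, not comparison: evaluates to true
        return true;
    }
    return false;
}

// Fail-closed version: the result of password_verify() is the only thing
// that can grant access, and unknown users are rejected before it is called.
function login_fixed(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['password']) === true;
}

// Compare both functions on a correct and an incorrect password.
foreach (['correct horse', 'wrong guess'] as $attempt) {
    printf(
        "%-14s buggy=%s fixed=%s\n",
        $attempt,
        var_export(login_buggy($users, 'erik', $attempt), true),
        var_export(login_fixed($users, 'erik', $attempt), true)
    );
}
```

Returning the result of `password_verify()` directly removes the intermediate flag, so there is no second condition that a stray `=` can turn into an unconditional pass.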