Tags: php, sql, pdo, php-password-hash

password_verify function not working


Hey all, I'm having issues with the password_verify function. Register is working, but for some odd reason it just says incorrect when I'm trying to use it for login.

Here's my code (don't judge please, I'm still fairly new to everything).

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Look up the stored hash for this username
    $SQLSelect = $odb -> prepare("SELECT * FROM `users` WHERE `username` = :username");
    $SQLSelect -> execute(array(':username' => $_POST['username']));
    while ($show = $SQLSelect -> fetch(PDO::FETCH_ASSOC))
    {
        $passwordHash = $show['password'];
    }

    // Count failed attempts from this IP in the last hour
    // (note: $ip is interpolated straight into the SQL string here, not bound like the other queries)
    $date = strtotime('-1 hour', time());
    $attempts=$odb->query("SELECT COUNT(*) FROM `loginlogs` WHERE `ip` = '$ip' AND `username` LIKE '%failed' AND `date` BETWEEN '$date' AND UNIX_TIMESTAMP()")->fetchColumn(0);

    //Check fields
    if (empty($username) || empty($password) || !ctype_alnum($username) || strlen($username) < 4 || strlen($username) > 15)
    {
        die(error('Please fill in all fields.'));
    }

    //Check login details
    echo $passwordHash;
    // password_verify() returns a bool, so this binds true/false as the :password value
    // and compares it against the stored hash in SQL, which never matches
    $SQLCheckLogin = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `username` = :username AND `password` = :password");
    $SQLCheckLogin -> execute(array(':username' => $username, ':password' => password_verify($password, $passwordHash)));
    $countLogin = $SQLCheckLogin -> fetchColumn(0);
    if (!($countLogin == 1))
    {
        $SQL = $odb -> prepare("INSERT INTO `loginlogs` VALUES(:username, :ip, UNIX_TIMESTAMP(), 'XX')");
        $SQL -> execute(array(':username' => $username." - failed",':ip' => $ip));
        die(error('Username or password are invalid.'));
    } // closing brace missing from the post as pasted

Does anyone have a clue why this isn't working? I double checked everything and it should be fine. Also, the echo $passwordHash was just me checking if I was able to get the password, which worked fine. :/


Solution

  • password_verify($password, $passwordHash) returns a boolean value. What you should do is use it to verify that a password matches a hash. Remove all this:

    $SQLCheckLogin = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `username` = :username AND `password` = :password");
    $SQLCheckLogin -> execute(array(':username' => $username, ':password' => password_verify($password, $passwordHash)));
    $countLogin = $SQLCheckLogin -> fetchColumn(0);
    if (!($countLogin == 1))
    

    And simply do this:

    if (!password_verify($password, $passwordHash)) {
        // ...
        die(error('Username or password are invalid.'));
    }
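To show the answer's point in a complete, runnable form, here is an added example of a login check that does the comparison in PHP with password_verify() and never asks the database to match a password. This is not code from the question or the answer: it uses an in-memory SQLite database, a constructed users/loginlogs schema and a sample user so it runs stand-alone, and the function names checkLogin() and createDemoDb() are assumptions for illustration. It also goes a little beyond the answer by binding the IP as a parameter (the question's attempt counter interpolates $ip into the SQL string), by verifying against a dummy hash when the user does not exist so the response time does not reveal valid usernames, and by rehashing on login when the hashing defaults have changed.

```php
<?php
// Added example, not the question's or the answer's code. Assumes nothing about
// the asker's real schema; the tables, sample user and $odb below are constructed.
declare(strict_types=1);

function createDemoDb(): PDO
{
    $odb = new PDO('sqlite::memory:');
    $odb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $odb->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
    $odb->exec("CREATE TABLE loginlogs (username TEXT, ip TEXT, date INTEGER, note TEXT)");

    // Store only the hash. PASSWORD_DEFAULT is bcrypt today and may change in
    // later PHP versions; password_needs_rehash() below handles that upgrade.
    $ins = $odb->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $odb;
}

// True only when the username exists AND the password matches its stored hash.
// The comparison happens in PHP via password_verify(); the database never
// compares passwords because it only holds salted hashes.
function checkLogin(PDO $odb, string $username, string $password, string $ip): bool
{
    $stmt = $odb->prepare("SELECT password FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $storedHash = $stmt->fetchColumn(); // false when no such user

    // Unknown user: still run password_verify() against a dummy hash so the
    // response time is the same as for a known user (no username enumeration).
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $candidate = $storedHash !== false ? $storedHash : $dummyHash;

    $ok = password_verify($password, $candidate) && $storedHash !== false;

    if ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // Transparent upgrade if the algorithm or cost changed since registration.
        $up = $odb->prepare("UPDATE users SET password = :p WHERE username = :u");
        $up->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }

    if (!$ok) {
        // Same prepared-statement discipline for the log row: $ip is bound,
        // not interpolated into the SQL string.
        $log = $odb->prepare("INSERT INTO loginlogs (username, ip, date, note) VALUES (:u, :ip, :d, 'failed')");
        $log->execute([':u' => $username, ':ip' => $ip, ':d' => time()]);
    }
    return $ok;
}

$odb = createDemoDb();
var_dump(checkLogin($odb, 'alice', 'correct horse battery', '203.0.113.5'));
var_dump(checkLogin($odb, 'alice', 'wrong password', '203.0.113.5'));
var_dump(checkLogin($odb, 'nobody', 'anything', '203.0.113.5'));
```

The asker's original query tried to let SQL decide the match by binding the result of password_verify() as the :password value; since bcrypt output differs on every call, a hash can only ever be checked in code with password_verify(), which is exactly what checkLogin() does after fetching the row by username alone.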