Search code examples
phpformsmysqlisubmitpassword-hash

PHP login not working. Using password_verify and it seems to be causing some problems

I am not sure why it won't work.

Login.php

$email = $_POST['email];
$password = $_POST['password];

$validEmail = filter_var($email, FILTER_VALIDATE_EMAIL);

$getpassword = $connect->query("SELECT password FROM users WHERE email = '$validEmail'");
$row = $getpassword->fetch_assoc();

All of the above works fine. I get the password which the email is connected to, so that I can "verify" the password.

$passVarify = password_varify($password, $row['password']);

When I try to "echo" out or use "var_dump" / "print_r" on "$passVerify", it just shows the number "1"? After I have verified the password, I run another query, so that I can get the "userid" and "privileges". I needed to "unhash" or turn the password "normal" again, so that I could make the query below.

$result = $objConnection->query("SELECT userid, privileges FROM users WHERE email = '$validEmail' && password = '$passVarify'");

The code below doesn't seem to pick up the query? It just doesn't work for some reason.

if($result->num_rows > 0) {

    $row = $result->fetch_assoc();

    $userid = $_SESSION['userid'] = $row['userid'];
    $privileges = $_SESSION['privileges'] = $row['privileges'];

}

Any good ideas? Cause I've been scratching the back of my head trying to figure out why the first "query" works and the second doesn't?!

Solution

  • You are making life difficult for yourself.

    First the result of a password_verify() is TRUE or FALSE i.e. verified or not verified. It does not UNHASH the password. Nothing should be able to unhash a hash.

    Also you dont need to do 2 seperate calls to get data from your database.

    You also dont need to copy the email address from the POST array into a scalar variable.

    So this would be a simpler flow for your code

    Also you do not really need to filter your users entered password. If it is not right, the verify_password() will fail and that is all you need to know.

    $result = $connect->query("SELECT userid, privilages, password
                           FROM users 
                           WHERE email = '{$_POST['email']}'");

$user = $result->fetch_assoc();

if ( ! password_verify($_POST['password'], $user['password']) ) {
    // show the password error screen
    exit;
} else {
    // save all the SELECTED user info into a sub array of SESSION
    // to be used later
    $_SESSION['user'] = $user;
}

    You should really be using parameterised queries instead of injecting POST variables into a query.

    $stmt= $connect->query("SELECT userid, privilages, password
                           FROM users 
                           WHERE email = ?");

$stmt->bind_param("s", $_POST['email']);
$stmt->execute();

$result = $stmt->get_result();
$user = $result->fetch_array(MYSQLI_ASSOC);