Search code examples
phppassword-hash

Password_verify, PDO

I have a problem with hashing my password (b-crypt). I have accomplished succesfully this function on user registration : $hashed = password_hash($password, PASSWORD_DEFAULT);. But I don't know how to implement this line of code password_verify($password, $hashed_password) to my code.

This is a segment of a class User:

class User{
    private $db;
    public function __construct() {
        $this->db = new Database(); 
    }

public function getLoginUser($email, $password){
        $sql = "SELECT * FROM tbl_user WHERE email = :email AND password = :password LIMIT 1";
        $query = $this->db->pdo->prepare($sql);
        $query->bindValue(':email', $email);
        $query->bindValue(':password', $password);
        $query->execute();
        $result = $query->fetch(PDO::FETCH_OBJ);
        return $result;
    }

    public function userLogin($data){
        $email    = $data['email'];
        $password = $data['password'];
        $chk_email = $this->emailCheck($email);

        if ($email == "" OR $password == "") {
            $msg = "<div class='alert alert-danger'><strong>Error! </strong>Field must not be Empty!</div>";
            return $msg;
        }   

        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $msg = "<div class='alert alert-danger'><strong>Error! </strong>The E-mail address is not valid!</div>";
            return $msg;
        }

        if ($chk_email == false) {
            $msg = "<div class='alert alert-danger'><strong>Error! </strong>The E-mail address Not Exist!</div>";
            return $msg;
        }

        if (password_verify('password', $hashed)) {
            echo 'Password is valid!';
        } else {
            echo 'Invalid password.';
        }

        $result = $this->getLoginUser($email, $password);   

        if ($result) {
            Session::init();
            Session::set("login", true);
            Session::set("id", $result->id);
            Session::set("name", $result->name);
            Session::set("username", $result->username);
            Session::set("loginmsg", "<div class='alert alert-success'><strong>Success! </strong>You are Logged In!</div>");
            header("Location: index.php");
        } else {
            $msg = "<div class='alert alert-danger'><strong>Error! </strong>Data not found!</div>";
            return $msg;
        }
    }

And this is my login.php with the function userLogin($_POST); .

<?php
$user = new User();
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
    $usrLogin = $user->userLogin($_POST);
}

Can someone PLEASE HELP me with this problem? It will be helpfully if you can write that code (segment) for me.

Thank you and

Reegards!

Solution

  • You use password_hash to store the hashed password to database

    $hashed = password_hash($password, PASSWORD_DEFAULT);

    On your login page you need to retrieve the old hashed password from database based on the user's email and check it against the posted password like this

    $password = $_POST['password'];
if (password_verify($password, $hashed_password_from_database)) {
   // login
} else {
   // error login failed
}