I'm doing a tutorial about how to make a PHP MySQL login form. Now the tutorial is actually made too good and I would like to alter it a bit and change the login password to store cleartext instead of the hash. The hash line looks like this:
    $new_password = password_hash($upass, PASSWORD_DEFAULT);
I made:
    $new_password = $upass;
out of it, and it now saves the cleartext to the database, but the login doesn't work.
The login part looks like this and I don't see the part where I expect the hashed password to be converted and matched...
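    public function doLogin($uname,$upass)
    {
        try
        {
            // Prepared statement: the user name is bound, never concatenated into the SQL.
            $stmt = $this->conn->prepare("SELECT user_id, user_name, user_pass FROM users WHERE user_name=:uname");
            $stmt->execute(array(':uname'=>$uname));
            $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
            if($stmt->rowCount() == 1)
            {
                // password_verify() hashes $upass with the parameters embedded in the stored hash and compares the result.
                if(password_verify($upass, $userRow['user_pass']))
                {
                    $_SESSION['user_session'] = $userRow['user_id'];
                    return true;
                }
                else
                {
                    return false;
                }
            }
            // No single matching user.
            return false;
        }
        catch(PDOException $e)
        {
            // Log the database error instead of echoing it to the visitor.
            error_log($e->getMessage());
            return false;
        }
    }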
The line:
    if(password_verify($upass, $userRow['user_pass']))
checks the hash of the password against the given password. As you've removed the hashing function, it's comparing an un-hashed password against a clear text password.
Change it to:
    // === instead of ==: loose comparison treats numeric-looking strings such as "0e1" and "0e2" as equal
    if($upass === $userRow['user_pass'])
That should fix it.
Although you really should not be storing clear text passwords.
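
As an added example (not part of the question, the answer or the tutorial's code): one way to keep password_verify() working while cleaning up rows that were already saved as cleartext is to detect a non-hash value at login and replace it with a hash. The helper name verifyAndUpgrade() is hypothetical and the sample rows are constructed.

```php
<?php
// Added example, not the tutorial's code; verifyAndUpgrade() is a hypothetical helper.
// Returns [bool $ok, ?string $newHash]; a non-null $newHash should be written
// back to users.user_pass by the caller.
function verifyAndUpgrade(string $upass, string $stored): array
{
    // password_get_info() reports algoName "unknown" for any value that is
    // not password_hash() output, such as a cleartext password.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($upass, $stored)) {
            return [false, null];
        }
        // Rehash when PASSWORD_DEFAULT or its cost has changed since storage.
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($upass, PASSWORD_DEFAULT) : null;
        return [true, $new];
    }
    // Legacy cleartext row: constant-time compare, then replace with a hash.
    if (!hash_equals($stored, $upass)) {
        return [false, null];
    }
    return [true, password_hash($upass, PASSWORD_DEFAULT)];
}

// Constructed sample rows: one hashed, one stored as cleartext.
$rows = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
    'bob'   => 'hunter2',
];

// password_verify() rejects a cleartext stored value even when the password
// matches, which is the failure described in the question.
var_dump(password_verify('hunter2', $rows['bob']));

foreach ([['alice', 'correct horse'], ['bob', 'hunter2'], ['bob', 'wrong']] as [$u, $p]) {
    [$ok, $new] = verifyAndUpgrade($p, $rows[$u]);
    if ($new !== null) {
        $rows[$u] = $new; // in doLogin() this would be an UPDATE of users.user_pass
    }
    $hashed = password_get_info($rows[$u])['algoName'] !== 'unknown';
    printf("%s: %s, stored as hash: %s\n", $u, $ok ? 'ok' : 'denied', $hashed ? 'yes' : 'no');
}
```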