Tags: php, database, mysqli, password-encryption, php-password-hash

Where to place password_verify() in PHP when logging in, with registration.php in an external file


I am trying to create a login.php script which uses password_verify() encryption. None of the topics were clear, and the problem is that in every example it looks like this:

    $password = '123';
    $hashed = '$2y$10$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK';

    if (password_verify($password, $hashed)) { /* ... */ }

Now for me the thing is that I am trying to retrieve the hashed password from a database and not from an internal hardcoded string. My sample code:

login.php

    $password = mysqli_real_escape_string($database, $password);
    //Check username and password from database
    $query =
    "SELECT id FROM `register`
               WHERE `username` = '$username'
               AND `hashed_p` = '$password'";

    $result = mysqli_query($database, $query);
    $row    = mysqli_fetch_array($result, MYSQLI_ASSOC);
    //If username and password exist in our database then create a session.

    // $hashed_password is never assigned anywhere in this file
    $verified_password = password_verify($password, $hashed_password);

    if (mysqli_num_rows($result) && $verified_password) {
        echo 'start session successfully';
    } else {
        echo 'error';
    }

register.php

    // escaping before hashing changes the value that gets hashed
    $password = mysqli_real_escape_string($database, $password);
    $hashed_password = password_hash($password, PASSWORD_DEFAULT);

    $query  = "SELECT email FROM register WHERE email='$email'";
    $result = mysqli_query($database, $query);
    $row    = mysqli_fetch_array($result, MYSQLI_ASSOC);

    $query = mysqli_query($database,
        "INSERT INTO `register` (`hashed_p`) VALUES ('" . $hashed_password . "')");
    if ($query) { /* ... */ }

By the way, the registration process is successful and password_hash() works fine in the register.php file. But in the login.php file I don't know how to retrieve the hashed password from the database and use it to verify it.


Solution

  • You need to select id and password without checking the password. Then you check whether the hash from the DB ($row['hashed_p']) matches the password the user gave, via password_verify():

    $password = $_POST['password']; // the password in its raw form, exactly as the user typed it
    //Check username (without password) from database
    $query =
    "SELECT id, hashed_p FROM `register`
                        WHERE `username` = '$username'";

    $result = mysqli_query($database, $query);
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // guard against $row being null when no such user exists
    $verified_password = $row && password_verify($password, $row['hashed_p']);

    if (mysqli_num_rows($result) && $verified_password) {
        echo 'start session successfully';
    } else {
        echo 'error';
    }
    

    BUT please change to prepared statements (because your version is very insecure and could easily be hacked; just search for 'Bobby Tables'):

    $query = "SELECT id, hashed_p FROM `register` WHERE `username` = ?";
    $stmt = mysqli_prepare($database, $query);
    mysqli_stmt_bind_param($stmt, 's', $username);
    $success = mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
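The two halves of the answer (look the user up by username only and verify in PHP; use prepared statements) combined into one working registration and login flow. This is an added example, not code from the original question or answer. It assumes an open mysqli connection in `$database` using the mysqlnd driver (which `mysqli_stmt_get_result()` requires) and a `register` table with columns `id` (INT AUTO_INCREMENT), `username` (VARCHAR) and `hashed_p` (VARCHAR(255)); `DUMMY_HASH` reuses the bcrypt string from the question. It goes beyond the answer in three places: the password is never escaped before hashing, an unknown username still costs one bcrypt verification so the response time does not reveal which accounts exist, and a stored hash is transparently rehashed when `PASSWORD_DEFAULT` has moved on.

```php
<?php
declare(strict_types=1);

// Added example; assumes $database is an open mysqli connection and the
// `register` table described in the lead-in.
// A syntactically valid bcrypt hash (the one from the question), used only
// so the "unknown user" path performs the same amount of work as a real verify.
const DUMMY_HASH = '$2y$10$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK';

function register_user(mysqli $db, string $username, string $password): int
{
    // Hash the raw password. Do NOT mysqli_real_escape_string() it first:
    // that would change the value being hashed, and the prepared statement
    // below makes escaping unnecessary anyway.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = mysqli_prepare($db, 'INSERT INTO `register` (`username`, `hashed_p`) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    mysqli_stmt_execute($stmt);
    return (int) mysqli_insert_id($db);
}

// Returns the user id on success, null on failure (unknown user or wrong password).
function login_user(mysqli $db, string $username, string $password): ?int
{
    // 1. Select by username ONLY. The hash is never part of the WHERE clause,
    //    and the username is bound, not interpolated, so no SQL injection.
    $stmt = mysqli_prepare($db, 'SELECT `id`, `hashed_p` FROM `register` WHERE `username` = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

    // 2. This is where password_verify() belongs: in PHP, after the fetch.
    //    If no row came back, verify against a dummy hash anyway so that
    //    "no such user" and "wrong password" take about the same time.
    if ($row === null) {
        password_verify($password, DUMMY_HASH);
        return null;
    }
    if (!password_verify($password, $row['hashed_p'])) {
        return null;
    }

    // 3. The plaintext is available right now, so upgrade the stored hash if
    //    the default algorithm or cost has changed since it was created.
    if (password_needs_rehash($row['hashed_p'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $id = (int) $row['id'];
        $update = mysqli_prepare($db, 'UPDATE `register` SET `hashed_p` = ? WHERE `id` = ?');
        mysqli_stmt_bind_param($update, 'si', $newHash, $id);
        mysqli_stmt_execute($update);
    }

    return (int) $row['id'];
}

// Usage in login.php
session_start();
$userId = login_user($database, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    echo 'Invalid username or password'; // one message for both failure modes
} else {
    session_regenerate_id(true);        // new session id on login, against fixation
    $_SESSION['user_id'] = $userId;
    echo 'Logged in';
}
```

Note that `hashed_p` should be at least VARCHAR(255): bcrypt output is 60 characters today, but `PASSWORD_DEFAULT` is allowed to change to a longer format in a future PHP release, which is also why the rehash step exists.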