function sanitizeMySQL($conn, $var)
{
$var = $conn->real_escape_string($var);
$var = sanitizeString($var);return $var;
}
function sanitizeString($var)
{
$var = (null !== (get_magic_quotes_gpc()))?stripslashes($var):null;
$var = strip_tags($var);
$var = htmlentities($var);
return $var;
}
This is the code used.
<?php
$email = trim($_POST['login_email']);
$pwd= trim($_POST['login_pwd']);
//sanitize datas
$email = sanitizeMySQL($conn, $email);
$pwd = sanitizeMySQL($conn, $pwd);
$sql1 = mysqli_query($conn, "SELECT * FROM login_tbl WHERE email = '$email' limit 1");
$row1 = mysqli_fetch_array($sql1);
$dbpwd = $row1['password'];
if(crypt($pwd,$dbpwd) == $dbpwd){
//ok
$msg = "Welcome Customer";
}else{
//error
$msg = "Invalid Email / Password.";
}
echo $msg."<br>".$pwd."<br>".crypt($pwd,$dbpwd)."<br>".$dbpwd;
And the result i got was
Invalid Email / Password. $2y$10$C9X8hwHa4uhI5tm9r72tIuqZSButX6C3/zlR8oJs3tW.SQscROvuO $2y$10$C9X8hwHa4uhI5tm9r72tIufRykhvdmSXR/.4CpDg/.7UpJi3ITu6e
The sanitizeMySQL() function calls a function in the function page
this worked finally
<?php
require_once("functions.php");
require_once ("db_connection.php");
$var = "@Me12345";
sanitizeMySQL($conn, $var);
$options = [
'cost' => 10,
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
$hash = password_hash($var, PASSWORD_BCRYPT, $options);
echo $var ." ". $hash;
var_dump(password_verify($var, $hash));
?>