MySqli Login System - Having Troubles With Verifying Hashed Password

Question

I have been trying to figure out this problem for days now. For some reason, whenever I try to use this, The password goes thru as wrong. Im thinking that this might be a database issue, but I have displayed the hash password from the database. I hope I can resolve this.(I know I can simplify some of this, but I like to have everything laid out so I can visualize it.)

login.php

    session_start();

    $output = NULL;

    function sanitize($conn, $val){
        $val = stripslashes($val);
        $val = mysqli_real_escape_string($conn, $val);
    }

    //Checks if user is already logged in
    if(!isset($_SESSION['loggedin'])){

    ?>

        <form method="POST">

            Email: <input type=TEXT name="email"><br>

            Password: <input type=PASSWORD name="password"><br>

            <input type="SUBMIT" name="submit" value="Log In"><br>

        </form>

    <?php

    }else{

    echo "You are already loged in!";

    }

    //Check Form
    if(isset($_POST['submit'])){

        //Connect to DB
        include "core/database/dbConnect.php";

        //Takes information out of feilds
        $email = $_POST['email'];
        $password = $_POST['password'];

        //sanitize input
        sanitize($conn, $email);
        sanitize($conn, $password);

        //Check if form is filled out
        if(empty($email) || empty($password)){
            $output = "Please enter all fields!";

        }else{

            $query = "SELECT * FROM users WHERE email ='$email'";
            $result = mysqli_query($conn, $query);
            $count = mysqli_num_rows($result);


            $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
            $hash = $row['password'];

            $passwordsMatch = password_verify($password, $hash);

            if($count == 0 or $passwordsMatch == false){
                $output = "Invalid email/password";

            }else{

                //User logged in sucessfully, inserting session data
                $_SESSION['loggedin'] = TRUE;
                $_SESSION['email'] = $email;
                $_SESSION['id'] = $row['id'];
                $_SESSION['username'] = $row['username'];

                header('Location: index.php');
                exit();
            }
        }
    }


    echo $output;

    ?>

register.php

        <div class="pageContent">

    <form method="POST">

    Username:
    <input type="TEXT" name="username"><br>

    Password:
    <input type="PASSWORD" name="password"><br>

    Repeat Password:
    <input type="PASSWORD" name="rpassword"><br>

    Email Address:
    <input type="TEXT" name="email"><br>

    <input type="SUBMIT" name="submit" value="Register"><br>

    </form>

    <?php

    session_start();

    //Takes information out of feilds
    $username = $_POST['username'];
    $password = $_POST['password'];
    $rpassword = $_POST['rpassword'];
    $email = $_POST['email'];

    $output = NULL;

    function sanitize($conn, $val){
        $val = stripslashes($val);
        $val = mysqli_real_escape_string($conn, $val);
    }

    //Runs all code if Register is clicked
    if(isset($_POST['submit'])){

        //Connect to DB
        include "core/database/dbConnect.php";

        //Sanitizes input
        sanitize($conn, $username);
        sanitize($conn, $password);
        sanitize($conn, $rpassword);
        sanitize($conn, $email);

        //Query's the username for duplicates
        $usernameQuery = $conn->query("SELECT * FROM users WHERE username = '$username'");

        //Query's the email for duplicates
        $emailQuery = $conn->query("SELECT * FROM users WHERE email = '$email'");

        //Checks if all feilds are filled
        if(empty($username) OR empty($password) OR empty($rpassword) OR empty($email)){
            $output = "Please fill in all fields!";

        //Checks if username is already taken
        }elseif($usernameQuery->num_rows != 0){
            $output = "That username is already taken!";

        //Checks if password and rpassword matches
        }elseif($rpassword != $password){
            $output = "Your passwords don't match!";

        //Checks if username has more than 5 characters
        }elseif(strlen($username) < 4){
            $output = "Your username must be at least 4 characters!";

        //Checks if password has more than 5 characters
        }elseif(strlen($password) < 7){
            $output = "Your password must be at least 7 characters!";

        //Checks if email is already in use
        }elseif($emailQuery->num_rows != 0){
            $output = "The email is already in use! Do you already have an account?";

        //Checks if email is a valid email
        }elseif(filter_var($email, FILTER_VALIDATE_EMAIL) == FALSE){
            $output = "The email you have entered is not valid!";
        }else{

            //Hashing password
            $password = password_hash('$password', PASSWORD_BCRYPT, array(
                'cost' => 10
            ));

            //Insert data in DB users
            $insert = $conn->query("INSERT INTO users(username,password,email) VALUES('$username','$password','$email')");

            if($insert == TRUE){
                $output = "You account was created! Please login!";
            }else{
                $output = $error;
            }
        }
    }

    echo $output;
    ?>

dbConnect.php

    <?php

$error = "Sorry, Somthing went wrong!";

$conn = NEW MySQLi('localhost', 'root', '', 'phplogin') or die($error);
?>

DB Setup enter image description here

your code works fine on my end. maybe you just type a wrong password? try remove the hash function and see can login or not — j.Doe, Jul 13 '16 at 00:27
@j.Doe If i remove the hash function and override $passwordsMatch = true, I login with all the correct session data. Thank you for responding! — Hercules_88, Jul 13 '16 at 00:31
try hardcode your password instead of `$password` in `password_verify()` — j.Doe, Jul 13 '16 at 00:38
then maybe you just hashed a wrong password. try creating a new account with new password and try login again — j.Doe, Jul 13 '16 at 00:48
@j.Doe I have tried that many times now, could it be how it is stored in the database? — Hercules_88, Jul 13 '16 at 01:45
@j.Doe I changed the way the hash is stored to a char instead of varchar, It hasn't changed anything. — Hercules_88, Jul 13 '16 at 01:50
i tested your code and its working fine with my database so maybe it really is your database. Can't say anything because i don't have access to your database. — j.Doe, Jul 13 '16 at 02:25
@j.Doe I have a pic of the db users table at the end of my post. Do you have it setup differently? — Hercules_88, Jul 13 '16 at 02:39
did u fix it? after seeing your database, i think you should change your `password` column from `varchar(60) to varchar(255). your hashed password will be really long and its also possible that your error is because of this. after your password is hashed it will be stored in password column and if the hashed password is over 60 char(usually hashed password will be longer if its a long password) only 60 char will be stored. the rest of the hashed char will be lost and cause password_verify unable to verify it. — j.Doe, Jul 13 '16 at 06:16
@j.Doe I have changed the password to VarChar(255) and it hasn't changed anything. Using PASSWORD_BCRYPT makes the hashed password 60 characters long every time, so I have my password stored as char(60) — Hercules_88, Jul 13 '16 at 14:36
im not sure about your problem but you should use PASSWORD_DEFAULT if your going to use your system for longer time instead of PASSWORD_BCRYPT. you can read more on it here. [password_default vs password_bcrypt](http://stackoverflow.com/questions/22393143/password-default-vs-password-bcrypt) — j.Doe, Jul 15 '16 at 23:26

score 0 · Answer 1 · answered Jul 13 '16 at 01:29

0

you don't need to escape or sanitize your password because it's not going to get used in the sql query and it may spoil the password

answered Jul 13 '16 at 01:29

Ahmad ghoneim

844
7
13

score 0 · Answer 2 · answered Jul 13 '16 at 03:28

0

I can't see where you're actually hashing the password, in the login, have you checked to make sure you're not checking a clear text password to one that's hashed?

answered Jul 13 '16 at 03:28

Jimmy

3
4

I don't believe I need to hash the login password.http://php.net/manual/en/function.password-verify.php – Hercules_88 Jul 13 '16 at 14:40
If it is hashed in the database then you will need to hash the password, a good quote I go by is "When in doubt, echo EVERYTHING" So before you check if the passwords match, echo the password that the user sent in the login AND the password in the database to see if they actually do match. – Jimmy Jul 13 '16 at 18:39
When I hash the password a new salt is generated every time, so the passwords will never be the same. Im using password_verify() php.net/manual/en/function.password-verify.php – Hercules_88 Jul 13 '16 at 19:06
@Hercules_88 On your register why don't you just create your own hash method using `$password = md5(SHA1("a87asd98gasd".$password."ASd0asdbasd"))` then in your login to `if(md5(SHA1("a87asd98gasd".$password."ASd0asdbasd")) === $row["password"])`? That way would work and be easier, but as previously said by j.Doe it works on his end, so unless we can tamper with it on your end, it would make it difficult to fix since it works for us. – Jimmy Jul 13 '16 at 20:25

MySqli Login System - Having Troubles With Verifying Hashed Password

2 Answers2