
I'm trying to make a register/login system. The hashed passwords are saved into the database successfully, but when I try to log in it says "Invalid login", which means it doesn't verify the password. Help me with this, it's my first time using password hash and verify.

Signup.php

```php
<?php
include('AdminPanel/connect.php');

$name     = $_POST['txt_name'];
$email    = $_POST['txt_email'];
$password = password_hash($_POST['txt_pass'], PASSWORD_DEFAULT);
$radioVal = $_POST['Gender'];

if ($radioVal == "Male") {
    $radioVal = "Male";
} else if ($radioVal == "Female") {
    $radioVal = "Female";
}

$queryget = mysqli_query($con, "SELECT Email FROM signup WHERE Email='$email'") or die("Query didnt work");
$row = mysqli_fetch_array($queryget);

$emaildb = $row['Email'];
if ($emaildb != $email) {
    echo "success";
    $insert = mysqli_query($con, "insert into signup (Name,Email,Password,Gender) values ('$name','$email','$password','$radioVal')");
} else {
    echo "Email already exists";
}
?>
```

Login.php

```php
<?php
include('AdminPanel/connect.php');

session_start();

$email    = $_POST['txt_email'];
$password = $_POST['txt_pass'];
$info = mysqli_query($con, "select count(*) from signup where Email = '$email' and Password = '$password'");

$row = mysqli_fetch_array($info);
if (($row[0] > 0) && password_verify($password, $row['Password'])) {
    $_SESSION['txt_email'] = $email;
    echo "success";
} else {
    echo "Invalid login<br>Please re-enter your credentials";
}
?>
```
Funk Forty Niner
Sam Jaffry
  • `select count(*)` won't select the password. Also good that you're hashing, but you need to parameterize those queries. – user3783243 Jul 26 '18 at 16:18
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jul 26 '18 at 16:18

1 Answer

You're selecting count(*):

```php
$info = mysqli_query(
    $con, "select count(*) from signup where Email = '$email' and Password = '$password'"
);
```

But then referencing a field:

`$row['Password']`

You need to select (at least) the field, but leave out the condition on password because the password you get won't match what's in the database:

```php
$info = mysqli_query(
    $con, "select * from signup where Email = '$email'"
);
```

Also, don't do that, because SQL injection.

Alex Howansky