-
Why password_verify Function Not Passing the Verification in PHP Application?
over 7 years ago
-
about 7 years ago
Hi,
It seems the issue was the "passwords" column size was too small (50 chars). Switching it to 255 should have made a difference but it did not in my test last night due to me not repopulating the column. Others in another forum suggested I repopulate and I read their suggestion just now and it is working after I repopulated it. Just sharing this knowledge on all forums I opened threads on this issue so it benefits other newbies too. I know this is nothing "learnable" for pros.
http://www.webdeveloper.com/forum/showthread.php?366069-Why-password_verify-Not-Passing-The-Verification&p=1516863#post1516863
And so, this code is no longer getting the password_verify to false when I type the correct password.
Code:
[code]
<?php
/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'config.php';
// check if user is already logged in
if (is_logged() === true)
{
//Redirect user to homepage page after 5 seconds.
header("refresh:2;url=home.php");
exit; //
}
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
{
$username_or_email = trim($_POST["login_username_or_email"]); //
$password = $_POST["login_password"];
//Select Username or Email to check against Mysql DB if they are already registered or not.
$stmt = mysqli_stmt_init($conn);
if(strpos("$username_or_email", "@") === true)
{
$email = $username_or_email;
$username = "";
$query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?";
// i = integer; s = string; d = double; b = blob.
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
//$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
//Note from line below that the variables "$db_username", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, usernames, accounts_activations_statuses From users .. WHERE).
$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.
}
else
{
$username = $username_or_email;
$email = "";
$query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
// i = integer; s = string; d = double; b = blob.
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
//$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
//Note from line below that the variables "$db_email", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, emails, accounts_activations_statuses From users .. WHERE).
$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.#
}
//$rownums = mysqli_num_rows($result); // To get number of row matches
//echo "$rownums";
//Which of the following to do and why that one over others ?
$row = mysqli_stmt_fetch($stmt);
//$row = mysqli_fetch_array($query, MYSQLI_ASSOC);
//$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
mysqli_stmt_close($stmt);
printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
if ($result == false)
{
echo "'$result == false' on line 73! IF got triggered on line 73! !<br>";
exit();
}
elseif ($row['accounts_activations_statuses'] == '0')
{
{
echo "You have not activated your account yet! Check your email for instructions on how to activate it.
Check your spam folder if you don't find an email from us.";
exit();
}
}
else
{
echo "'$result == true' on line 73! Else got triggered on line 86! <br>";//This ELSE is getting triggered on the test. That means $result = TRUE;
}
if (password_verify($password, $db_password))
{
echo "IF triggered for password_verify! password_verify ok";
//If 'Remember Me' check box is checked then set the cookie.
//if(!empty($_POST["login_remember"])) // Either use this line ....
if (isset($_POST['login_remember']) && $_post['login_remember'] == "on") // ...or this line. But not both!
{
setcookie("login_username", $username, time()+ (10*365*24*60*60));
}
else
{
//If Cookie is available then use it to auto log user into his/her account!
if (isset($_COOKIE['login_username']))
{
setcookie("login_username","","");
}
}
$_SESSION["user"] = $username;
header("location:home.php?user=$username");
}
else
{
echo "Else got triggered on line 111: Incorrect User Credentials ! 'password_verify = FALSE';<br>";
exit();
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title><?php $site_name?> Member Login Page</title>
<meta charset="utf-8">
</head>
<body>
<div class = "container">
<form method="post" action="">
<center><h3><?php $site_name ?> Member Login Form</h3></center>
<div class="text-danger">
<div class="form-group">
<center><label>Username/Email:</label>
<input type="text" placeholder="Enter Username" name="login_username_or_email" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo $_COOKIE["login_username_or_email"]; ?>"</center>
</div>
<div class="form-group">
<center><label>Password:</label>
<input type="password" placeholder="Enter password" name="login_password" value="<?php if(isset($_COOKIE["login_password"])) echo $_COOKIE["login_password"]; ?>"></center>
</div>
<div class="form-group">
<center><label>Remember Login Details:</label>
<input type="checkbox" name="login_remember" /></center>
</div>
<div class="form-group">
<center><input type="submit" name="login_submit" value="Login" class="button button-success" /></center>
</div>
<div class="form-group">
<center><font color="red" size="3"><b>Forgot your password ?</b><br><a href="login_password_reset.php">Reset it here!</a></font></center>
<center><font color="red" size="3"><b>Not registered ?</b><br><a href="register.php">Register here!</a></font></center>
</form>
</div>
</body>
</html>
[/code]
I am making a few changes on the above post's mentioned code because I was told in that forum (which I mentioned in my previous post):
1. Checking if $result is true/false is meaningless, as it will always be true if my code is bug-free, and likely always false if not.
2. Similarly, mysqli_stmt_fetch() will return true if it found a result row, otherwise false.
I, instead need to check the value bound to $db_password to see if it's correct. So it might be something like:
[code]
if($row && password_verify($password, $db_password)) {
// good to go...
}
[/code]
I have been advised 6 nights ago there on that forum to trim down my code to this:
[code]
if ($_SERVER['REQUEST_METHOD'] == "POST") // not really needed since you're checking $_POST
{
if (isset($_POST["login_username"]) && isset($_POST["login_password"])) {
$username = trim($_POST["login_username"]); //
$password = trim($_POST["login_password"]); //
$hashed_password = password_hash($_POST["login_password"], PASSWORD_DEFAULT);
$sql = "
SELECT
ids,
usernames,
passwords,
emails,
accounts_activations_statuses
FROM users
WHERE usernames = ?
AND passwords = ?
";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, 'ss', $username, $hashed_password);
mysqli_stmt_execute($stmt);
if (mysqli_stmt_num_rows($stmt)) {
// found a match, we're good to go...
} else {
// whatever you do when user/password not found...
}
}
}
[/code]
This forum Mod also managed to figure it that I got the column size wrong:
https://www.webmastersun.com/threads/18216-why-password_verify-function-not-logging-me-in -
1 Answer(s)