0

Good afternoon! I am working on a security project on my own. I am having problems with my login-checking code in PHP. I do not know why, but when I try to log in with a user that I have created (the password in the database is in plain text), it says that the password is incorrect.

THE IDEA IS NOT TO convert the password into a hash. I know that this is a big security risk, but obviously I WILL NOT use it professionally. My purpose is to do security tests.

check.php:

    <?php
    include 'conn.php';

    $conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
    // Check connection
    if (!$conn) {
        die("Connection failed: " . mysqli_connect_error());
    }

    $name = $_POST['name'];
    $password = $_POST['password'];

    $result = mysqli_query($conn, "SELECT Name, Password FROM users WHERE Name = '$name'");

    $row = mysqli_fetch_assoc($result);

    if (password_verify($_POST['password'], $row['Password'])) {

        $_SESSION['loggedin'] = true;
        $_SESSION['name'] = $row['Name'];
        $_SESSION['start'] = time();
        $_SESSION['expire'] = $_SESSION['start'] + (1 * 60);

        echo "<div class='alert alert-success' role='alert'><strong>Welcome!</strong> $row[Name]
        <p><a href='edit-profile.php'>Edit Profile</a></p>
        <p><a href='logout.php'>Logout</a></p></div>";

    } else {
        echo "<div class='alert alert-danger' role='alert'>Name or Password are incorrects!
        <p><a href='login.html'><strong>Please try again!</strong></a></p></div>";
    }
    ?>

EDIT: I have corrected the mistakes but I am still having problems logging in; a message appears: "Name or Password are incorrects!". In my database I have 4 columns, without having hashed the information: ID, Name, Email, Password.

  • 2
    `password_verify()` cannot handle plain text password storage. It's designed for the exact opposite task. – Álvaro González Jan 01 '19 at 19:42
  • 1
    If you want to compare plain strings use `===` or `strcmp`, not `pw_verify`. The rationale for doing this is entirely bogus, btw. As is the lack of parameter binding. – mario Jan 01 '19 at 19:43
  • I remember closing an exact same question earlier and you did *not* follow the steps in all the duplicates "to the letter". – Funk Forty Niner Jan 01 '19 at 21:13
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. – tadman Jan 01 '19 at 22:40
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Jan 01 '19 at 22:41
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Jan 01 '19 at 22:41
  • Before checking for your if condition, debug your result returned from your database and compare if this were the values set in your POST. – Joshua Jan 01 '19 at 23:51

3 Answers

4

If the password in the database is stored in plain text, then the problem is that `password_verify()` - as explained in the manual - expects the second argument to it to be (and I quote):

> A hash created by `password_hash()`.

The function will try to hash the `$_POST` variable in the same way as it assumes the `$row` variable is hashed, and then compares the hashed `$_POST` variable to the `$row` variable. Clearly this will never cause a valid match, because the `$row` variable is not a valid hash.

This function is not making a simple direct comparison of the given strings. If you want to do that, just write `if ($_POST['password'] === $row['Password'])` instead, no need for an extra function!

ADyson
  • Hi @ADyson, thanks for the help, but the code is still not working: a message appears saying "Name or Password are incorrects!". Perhaps I have to change something else... If you would be so kind, can you check whether everything in the code is okay? I have uploaded the code here: http://sandbox.onlinephpfunctions.com/code/9f39cf26878f3774f8cac0724f2a1057d26a0355 . –  Jan 01 '19 at 20:36
  • @DaZ The code looks like it ought to work. It could be as simple as not using correct data values, or not sending the data via POST. I don't know what data you're submitting or what is in your database. What debugging have you done? Use some [var_dump()](http://php.net/manual/en/function.var-dump.php) statements to output the values of your variables onto the screen so you can check they contain what you're expecting. – ADyson Jan 01 '19 at 21:08
  • @DaZ Also please don't change the question with half-fixed code - now the answers here don't make so much sense. Put the question back the way it was, or at least include the original code as well as your edited version. Thanks. – ADyson Jan 01 '19 at 21:09
  • OK, give me a moment to change the question –  Jan 01 '19 at 21:10
1

You've shown us the code which reads the password (or fails to). But you've not shown us the code which populates the password, nor advised if you checked the data was what you expected.

While I understand that you don't want to go down the password hashing route yet, you really should learn a little about web application security. You will be able to login by supplying the username as

    any' OR '1'='1

Have a google for SQL injection.

There is no error checking/handling in your code. Each call to MySQLi should have an error handler associated with it.

You might start to solve your problem by writing the generated SQL back to the browser and running it via the mysql command line client or PHPMyAdmin to check that it is returning any data. You should also check in your code that zero or one record is returned by the query (and handle each case accordingly).

If you're not learning to debug, you're not learning to program.

    $_SESSION['loggedin'] = true;
    $_SESSION['name'] = $row['Name'];
    $_SESSION['start'] = time();
    $_SESSION['expire'] = $_SESSION['start'] + (1 * 60) ;

Only the "name" variable should be set as a session variable.

symcbean
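A hardened version of the question's check.php, added here as an example and not code from the question or from any answer: it keeps the plain-text comparison the answers describe and adds the parameter binding, error handling and zero-or-one-row check asked for in the answer above. It assumes conn.php defines the four connection variables and that `get_result()` is available (mysqlnd driver); `check_login()` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumes conn.php defines $dbhost, $dbuser,
// $dbpass and $dbname, and that users.Password holds plain text (the lab setup).
include 'conn.php';

// Make every mysqli call throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// check_login() is a hypothetical helper: returns the stored Name on success, else null.
function check_login(mysqli $db, string $name, string $password): ?string
{
    // The name is sent as bound data, so input such as  any' OR '1'='1  is
    // compared literally with the Name column instead of changing the query.
    $stmt = $db->prepare('SELECT Name, Password FROM users WHERE Name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();

    // Zero rows: unknown user. More than one row: ambiguous data, so refuse.
    if (count($rows) !== 1 || !is_string($rows[0]['Password'])) {
        return null;
    }
    // Plain-text comparison. password_verify() would always fail here because
    // the stored value is not a password_hash() result. hash_equals() is a
    // strict, timing-safe string comparison.
    return hash_equals($rows[0]['Password'], $password) ? $rows[0]['Name'] : null;
}

session_start();
$name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

try {
    $db = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
    $user = check_login($db, $name, $password);
} catch (mysqli_sql_exception $e) {
    error_log('login check failed: ' . $e->getMessage()); // details stay in the server log
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}

if ($user !== null) {
    session_regenerate_id(true); // fresh session id after a successful login
    $_SESSION['name'] = $user;   // only the name is kept in the session
    echo 'Welcome! ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Name or password is incorrect.';
}
```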
0

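In your case you can't use `password_verify()` because it's only used for hashed passwords (created by `password_hash()`).

You must check the password like this:

    // Strict comparison; the key matches the `Password` column selected in the question's query
    if ($password === $row['Password'])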
balzacLeGeek
  • Hi @balzacLeGeek, thanks for the help, but the code is still not working: a message appears saying "Name or Password are incorrects!". Perhaps I have to change something else... If you would be so kind, can you check whether everything in the code is okay? I have uploaded the code here: http://sandbox.onlinephpfunctions.com/code/9f39cf26878f3774f8cac0724f2a1057d26a0355 –  Jan 01 '19 at 20:51