I'm making a simple login system using a hashed password and a session. The hashed password is being set in another page. How can I make the code recognize the hash which is set in another page?

<?php
    session_start();
    $servername = "localhost";
    $dbusername = "root";
    $dbpassword = "";
    $dbname = "usersystem";

    $conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);

    $Username = $_POST["Username"];
    $Password = $_POST["Password"];

    $_SESSION['user'] = "";
    $hash = password_hash($Password, PASSWORD_BCRYPT);

    $sql = "SELECT * FROM users WHERE Username = '$Username'";
    $result = $conn->query($sql);

        if ($result->num_rows > 0) {
            if (password_verify($Password, $hash)) {
                $_SESSION['user'] = $_POST["Username"];
                echo($_SESSION['user']);
            }
            else {
                echo("Incorrect Password");
            }
        }
        else {
            echo("Incorrect Username");
        }
    $conn->close();
?>

The register page where the data is inserted into the database:

<?php
    $servername = "localhost";
    $dbusername = "root";
    $dbpassword = "";
    $dbname = "usersystem";

    $conn = new mysqli($servername, $dbusername, $dbpassword, $dbname); 

    $Username = $_POST["usrnm"];
    $Password = $_POST["psw"];

    $hash = password_hash($Password, PASSWORD_BCRYPT);

    $sql = "INSERT INTO users (Username, Password) VALUES ('$Username', '$hash')";

    if ($conn->query($sql) === TRUE) {
        echo "New record created successfully";
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
    }



    $conn->close();
?>
Suraj Rao

1 Answer


Consider what you're doing here:

password_verify($Password, $hash)

Where do your $Password and $hash values come from?

$Password = $_POST["Password"];
$hash = password_hash($Password, PASSWORD_BCRYPT);

They both come from the user input. So nowhere are you checking if the entered password matches what's in the database. You're checking if the entered password matches itself. This will always be true.

When checking an entered password, you don't need to hash it. You need to use password_verify to compare it to the stored hash. Something like this:

$row = $result->fetch_assoc();
if (password_verify($Password, $row["Password"])) {

Side note: Be aware that your code is wide open to SQL injection. This is not only a glaring security problem but also a very common source of bugs. There are some great explanations and examples here to help you correct this.

David
  • Yes, I am aware of the threat of SQL injection, but I wanted to teach myself the basics of hashing and sessions first; now I will read about how to protect yourself against such an attack. Quick question though: do the placement and usage of the **$_SESSION** make sense? Since I'm kinda new to this stuff I'm not really sure how to use it. But thanks for the answer btw. –  Mar 01 '19 at 16:30
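
The answer's two points combined (verify against the stored hash, and stop building SQL from user input), as an added example that is not code from the question or the answer. It reuses the page's connection settings, `users` table and `Username`/`Password` columns; the single generic error message, the dummy-hash comparison, `session_regenerate_id` and the rehash step are additions assumed here.

```php
<?php
// Added example, not the original poster's code. Table `users` and columns
// `Username` / `Password` come from the page; everything else is an assumption.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$conn = new mysqli("localhost", "root", "", "usersystem");

$username = $_POST["Username"] ?? "";
$password = $_POST["Password"] ?? "";

// Prepared statement: the username is bound as data, never spliced into SQL.
$stmt = $conn->prepare("SELECT Password FROM users WHERE Username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();   // true if a row was fetched, null if there is none
$stmt->close();

// Compare the submitted password with the hash stored at registration.
// When no row exists, verify against a throwaway hash so both paths do
// similar work, and answer with one generic message either way.
$dummyHash = password_hash("placeholder", PASSWORD_BCRYPT); // constructed value
$ok = password_verify($password, $found ? $storedHash : $dummyHash) && $found;

if ($ok) {
    session_regenerate_id(true);     // fresh session ID after login (anti-fixation)
    $_SESSION["user"] = $username;   // set only after verification succeeds

    // Upgrade the stored hash if the algorithm or cost settings have changed.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT);
        $upd = $conn->prepare("UPDATE users SET Password = ? WHERE Username = ?");
        $upd->bind_param("ss", $newHash, $username);
        $upd->execute();
        $upd->close();
    }
    echo "Logged in as " . htmlspecialchars($username, ENT_QUOTES, "UTF-8");
} else {
    unset($_SESSION["user"]);
    echo "Incorrect username or password";
}
$conn->close();
```

A bcrypt hash from `password_hash` is 60 characters long, so if the `Password` column is narrower the stored value is truncated and `password_verify` fails for every login.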