
I have a web app that's built with Laravel. I'm working on another site, but not with Laravel. I need to authenticate users on this new site using the users table in the Laravel site's database. The passwords are hashed with bcrypt.

I tried to verify the passwords before the users can log in, but I seem to be missing something. Could anyone please assist?

<?php 

if (isset($_POST['login'])) {
    $user  = mysqli_real_escape_string($_POST['email']);
    $pass  = mysqli_real_escape_string($_POST['password']); //input entered
    $dpass = password_hash('$pass', PASSWORD_DEFAULT)."\n";
    echo $dpass;
    
    $query   = mysqli_query($conn, "SELECT * FROM users WHERE `email` = '$user' AND `password` ='$pass'");
    $numrows = mysqli_num_rows($query);

    if ($numrows != 0) {
        while ($row = mysqli_fetch_assoc($query)) {
            $dbemail    = $row['email'];
            $dbpassword = $row['password'];
        }
        if ($user === $dbemail && password_verify($pass, $dbpassword)) {
            session_start();
            $_SESSION['email'] = $username;
            // Redirect Browser
            header("Location:mentor.php");
        }
    } else {
        echo "<div class='alert alert-danger alert-dismissible'>
            <a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>
            <strong>Warning!</strong> Invalid credentials.
        </div>";
    }
}

?>
IGP
Chima
`$user === $dbemail` is useless (you're already checking this condition in your query) + `password ='$pass'` is also useless in the query, **you should remove this condition from the query**. You need to find the row based on the email field **alone** and then check if the hashed password in the DB row matches the password entered by the user – Alon Eitan Sep 05 '20 at 14:27

**Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 05 '20 at 17:08

@AlonEitan I noticed each time I submit the same passcode, the hash is different. As a result, it doesn't match what's already stored in the db. Something is wrong somewhere but I can't figure it out yet. – Chima Sep 06 '20 at 00:21

@Jahswey Don't worry about that. It's supposed to be different each time, and the fact that it changes each time makes it impossible to reverse it to the actual password :) But as long as you compare the hash against the password itself, each of the created hashes will match – Alon Eitan Sep 06 '20 at 04:36
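The behaviour discussed in the comments above, as an added example that is not code from the question or from any of the answers. The script shows why re-hashing the submitted password and comparing the two strings (what the question's code does) can never succeed with bcrypt, why `password_verify()` does succeed, and why the submitted password must reach `password_verify()` unescaped. The "stored" hash is generated locally as a stand-in for a value copied from the Laravel site's `users.password` column; the assumption is that the Laravel side used its default bcrypt driver, which produces the same `$2y$` format that `password_hash()` with `PASSWORD_BCRYPT` produces, so nothing Laravel-specific is needed to verify it. The cost of 10 is also an assumption (it is configurable in Laravel); `password_verify()` reads the real cost out of the hash prefix, so the value here does not affect correctness.

```php
<?php
// Added example; not the question's or the answers' code.
declare(strict_types=1);

// Stand-in for a hash copied from the Laravel users table (assumption:
// default bcrypt driver, cost 10). Real values look like "$2y$10$<53 chars>".
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$submitted  = 'correct horse battery staple';

// 1. What the question's code did: hash the input again and compare strings.
//    bcrypt draws a fresh random salt on every call, so the new hash never
//    equals the stored one even though the password is correct.
$rehashed = password_hash($submitted, PASSWORD_BCRYPT, ['cost' => 10]);
printf("stored:       %s\n", $storedHash);
printf("rehashed:     %s\n", $rehashed);
printf("string-equal: %s\n", var_export($rehashed === $storedHash, true)); // false

// 2. The correct check: password_verify() parses the salt and cost out of the
//    stored hash, re-derives the hash from the submitted password with that
//    same salt, and compares the result in constant time.
printf("password_verify (right): %s\n", var_export(password_verify($submitted, $storedHash), true)); // true
printf("password_verify (wrong): %s\n", var_export(password_verify('wrong', $storedHash), true));    // false

// 3. The hash is self-describing: algorithm and cost travel in the prefix,
//    so the non-Laravel site needs nothing but PHP's password_* functions.
$info = password_get_info($storedHash);
printf("algorithm: %s, cost: %d\n", $info['algoName'], $info['options']['cost']); // bcrypt, 10

// 4. Pitfall from the question's code: the password must be handed to
//    password_verify() exactly as typed. Passing it through an SQL escaping
//    function first (addslashes() stands in for mysqli_real_escape_string(),
//    which needs a live connection) changes any password containing a quote
//    or backslash, so a correct password is rejected.
$quotedHash = password_hash("O'Brien#2020", PASSWORD_BCRYPT, ['cost' => 10]);
printf("raw input verifies:     %s\n", var_export(password_verify("O'Brien#2020", $quotedHash), true));             // true
printf("escaped input verifies: %s\n", var_export(password_verify(addslashes("O'Brien#2020"), $quotedHash), true)); // false
```

Escaping belongs to the SQL query, not to the credential; with a prepared statement even the email needs no escaping, and the password never touches SQL at all.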

2 Answers

After the advice from the comments above, I arrived at this, which worked.

<?php
if (isset($_POST['login'])) {
    $user = mysqli_real_escape_string($conn, $_POST['email']);
    $pass = $_POST['password']; // input entered; not escaped, it only goes to password_verify(), never into SQL

    // Look the row up by email alone; the password is checked in PHP, not in SQL
    $query    = mysqli_query($conn, "SELECT * FROM users WHERE `email` = '$user'");
    $loggedIn = false;

    while ($row = mysqli_fetch_assoc($query)) {
        $dbemail    = $row['email'];
        $dbpassword = $row['password'];
        // Compare the plain-text input with the stored bcrypt hash
        if (password_verify($pass, $dbpassword)) {
            session_start();
            $_SESSION['email'] = $dbemail; // was $username, which is never defined
            // Redirect Browser
            $loggedIn = true;
        }
    }

    if (!$loggedIn) {
        // Same message for an unknown email and a wrong password
        echo "<div class='alert alert-danger alert-dismissible'>
            <a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>
            <strong>Warning!</strong> Invalid credentials.
        </div>";
    }
}
?>
Chima

Not sure, but have you tried

password_verify($_POST['password'], $dbpassword) // the submitted password as typed, not the hash and not an SQL-escaped copy

I mean, compare the non-bcrypted password with the hash. In Laravel,

Hash::check()

also expects the non-hashed password as its parameter.

Flo Espen