
Does anybody know why it doesn't recognize my password from the database? It connects all right and also recognizes my email, but when I try to compare passwords it returns 0. Anybody know why? When I tried to run the SQL to return me anything it was also 0 results. I don't know if I am doing something wrong?

<?php
    
    require_once "config.php";
    require_once "session.php";
    
    
    $error = '';
    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['submit'])) {
    
        $email = trim($_POST['email']);
        $password = trim($_POST['password']);
    
        // validate if email is empty
        if (empty($email)) {
            $error .= '<p class="error">Please enter email.</p>';
        }
    
        // validate if password is empty
        if (empty($password)) {
            $error .= '<p class="error">Please enter your password.</p>';
        }
    
        if (empty($error)) {
            if($query = $db->prepare("SELECT * FROM users WHERE email = ?")) {
                $query->bind_param('s', $email);
                $query->execute();
                $row = $query->fetch();
                
                if ($row) {
                    if (password_verify($password, $row["password"])) {
                        $_SESSION["userid"] = $row['id'];
                        $_SESSION["user"] = $row;
    
                        // Redirect the user to welcome page
                        header("location: welcome.php");
                        exit;
                    } else {
                        $error .= '<p class="error">The password is not valid.</p>';
                    }
                } else {
                    $error .= '<p class="error">No User exist with that email address.</p>';
                }
            }
            $query->close();
        }
        // Close connection
        mysqli_close($db);
    }
    ?>
  • 5
    +2 for using prepared statements and password_verify! The question remains: how big is the size of the password column, and how do you hash the password? – Qirel Apr 13 '21 at 12:17
  • 1
    Also, are you trimming passwords before you upload them as well? Probably easier to just not trim them at all. This probably isn't causing your issue though. – GrumpyCrouton Apr 13 '21 at 12:18
  • 2
    There doesn't look to be anything wrong with your code here. Can you post your account creation code as the issue may be there? – Styphon Apr 13 '21 at 12:22
  • 1
    What does return zero? – Dharman Apr 13 '21 at 12:22
  • 3
    Kind of what @GrumpyCrouton is saying but if you are using `password_verify` do not touch the password itself. Meaning don't use `trim`, `htmlspecialchars`, `mysqli_*` ... basically don't touch it. Passwords should use [password_hash](https://www.php.net/manual/en/function.password-hash.php) to go in and `password_verify` to verify. That's it – hppycoder Apr 13 '21 at 12:26
  • @Qirel It is for a school project. I am fairly new to PHP so I'm not hashing my passwords, except if somehow phpMyAdmin does it by itself, but I'm sure it doesn't. My password column is varchar(50) – Zan Hrastnik Apr 13 '21 at 15:05
  • @Styphon I write the users manually in the database since I do not need to do a registration form. – Zan Hrastnik Apr 13 '21 at 15:07
  • 1
    @ZanHrastnik But you use `password_verify()`, so you must use `password_hash()` when inserting it. See https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords -- you're doing well so far with prepared statement and using `password_verify()`, but that only works with `password_hash()` – Qirel Apr 13 '21 at 15:11
  • @Qirel Thanks for explaining. It didn't say in some manual I found online that this function needs a hashed password. Thank you – Zan Hrastnik Apr 13 '21 at 15:25
  • @Qirel Now I understand, but still the $row["password"] returns nothing back. Shouldn't it return the thing in column password in the row that the email is in? – Zan Hrastnik Apr 13 '21 at 15:58
  • @Dharman $row["password"] returns as nothing – Zan Hrastnik Apr 13 '21 at 17:32
  • But $row is not an array. I think you mixed up PDO and MySQLi – Dharman Apr 13 '21 at 17:35
  • Was just about to say - if you're using MySQLi, you need `bind_result()`. https://www.php.net/manual/en/mysqli-stmt.bind-result.php – Qirel Apr 13 '21 at 17:36
  • You should be getting an error though. Access to index offset on non-array – Dharman Apr 13 '21 at 17:37
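
Added example, not part of the question or of any comment above: it collects the two points raised in the comments, reading the row with MySQLi's `get_result()` instead of treating the boolean from `fetch()` as an array, and showing what `password_verify()` returns for a full hash, a hash cut to the question's varchar(50), and a plain-text value. The helper names `find_user_by_email` and `check_stored_values` and the sample password are constructed for illustration; the code assumes the mysqlnd driver and MySQLi's exception error mode (the default since PHP 8.1).

```php
<?php
// Added example, not the asker's code. Table and column names follow the
// question; function names are hypothetical.

// Fetch one user row as an associative array with MySQLi.
// mysqli_stmt::fetch() only returns true/false/null and fills variables
// registered with bind_result(); it never returns the row itself.
// get_result() (mysqlnd) returns a mysqli_result that has fetch_assoc().
function find_user_by_email(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare("SELECT id, email, password FROM users WHERE email = ?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // array, or null when no match
    $stmt->close();
    return $row ?: null;
}

// What password_verify() returns for each way the password column could
// have been filled.
function check_stored_values(string $password): array
{
    // PASSWORD_DEFAULT is currently bcrypt, which produces 60 characters.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return [
        'hash_length'    => strlen($hash),
        'full_hash'      => password_verify($password, $hash),
        // A varchar(50) column cannot hold the whole hash.
        'truncated_hash' => password_verify($password, substr($hash, 0, 50)),
        // A plain-text value typed into phpMyAdmin is not a hash at all.
        'plain_text'     => password_verify($password, $password),
    ];
}

// Constructed sample password, for demonstration only; needs no database.
print_r(check_stored_values('correct horse battery staple'));

// Login check once the column holds output of password_hash()
// (the PHP manual suggests a 255-character column):
//   $row = find_user_by_email($db, $email);
//   if ($row !== null && password_verify($password, $row['password'])) { ... }
```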

0 Answers