I'm in the process of implementing password_verify as part of a login page.
I've started with plaintext to test everything works, which it did, and then have gone through to hash passwords on registration page with password_hash and then add password_verify on the login page.
Passwords are being successfully hashed, which I've checked through PHPMyAdmin, but I can't get my code to work on the registration page to check them.
Below is the code on the login page relating to pulling the row and testing it:
if (empty($error))//if the array is empty , it means no error found
{
$query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if(!$result_check_credentials){//If the QUery Failed
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull
{ // A match was made.
$row = mysqli_fetch_row($query_check_credentials);
$password = $row[3];
$verify = password_verify($_POST['Password', $password]);
if ($verify) {
$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
header("Location: page.php");
}
}else
{
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
Column number 4 is the password in the DB and so in the array, password should be value 3 in the array.
I've spent time looking at examples of it being used but having no luck, any help appreciated!
Full PHP code
<?php
include ('database_connection.php');
if (isset($_POST['formsubmitted'])) {
// Initialize a session:
session_start();
$error = array();//this aaray will store all error messages
if (empty($_POST['e-mail'])) {//if the email supplied is empty
$error[] = 'You forgot to enter your Email ';
} else {
if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
$Email = $_POST['e-mail'];
} else {
$error[] = 'Your EMail Address is invalid ';
}
}
if (empty($_POST['Password'])) {
$error[] = 'Please Enter Your Password ';
} else {
$Password = $_POST['Password'];
}
if (empty($error))//if the array is empty , it means no error found
{
$query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if(!$result_check_credentials){//If the QUery Failed
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull
{ // A match was made.
$row = mysqli_fetch_row($query_check_credentials);
$password = $row[3];
$verify = password_verify($_POST['Password', $password]);
if ($verify) {
$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
header("Location: page.php");
}
}else
{
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
} else {
echo '<div class="errormsgbox"> <ol>';
foreach ($error as $key => $values) {
echo ' <li>'.$values.'</li>';
}
echo '</ol></div>';
}
if(isset($msg_error)){
echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);
} // End of the main Submit conditional.
?>
I assume when you say "Row number 4 is the password in the DB" you are in fact referring to a column rather than a row? Why also can you not refer to the actual fieldname in the results rather than a column index? That said, my guess is that the POSTed data has been urlencoded and possibly contains spurious blank spaces so I suggest trimming and url decoding POSTed data prior to the verification test. Try echoing the values to see what data you are actually getting.
<?php
include ('database_connection.php');
if (isset($_POST['formsubmitted'])) {
session_start();
$error = array();
if (empty($_POST['e-mail'])) {
$error[] = 'You forgot to enter your Email ';
} else {
if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
$Email = $_POST['e-mail'];
} else {
$error[] = 'Your EMail Address is invalid ';
}
}
if (empty($_POST['Password'])) {
$error[] = 'Please Enter Your Password ';
} else {
$Password = $_POST['Password'];
}
if ( empty( $error ) ){
$query_check_credentials = "SELECT * FROM `members` WHERE `Email`='$Email' AND `Activation` IS NULL";
$result_check_credentials = mysqli_query( $dbc, $query_check_credentials );
if( !$result_check_credentials ){
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1){
$row = mysqli_fetch_row( $query_check_credentials );
/* is $row[3] definitely fetching the correct value from the db? */
$password = trim( $row[3] );
/* What does password_verify actually do? I guess it's a simple test using === ? */
$verify = password_verify( trim( urldecode( $_POST['Password'] ) ), $password );
/*
$verify = trim( urldecode( $_POST['Password'] ) ) === $password ? true : false;
*/
echo 'Do they match?<br />' . trim( urldecode( $_POST['Password'] ) ) . '<br />' . $password;
if ( $verify ) {
/* ? perhaps a session variable name here ? $_SESSION['dbresults'] */
$_SESSION = mysqli_fetch_array( $result_check_credentials, MYSQLI_ASSOC );
header("Location: page.php");
}
}else {
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
} else {
echo '<div class="errormsgbox"> <ol>';
foreach ($error as $key => $values) {
echo '<li>'.$values.'</li>';
}
echo '</ol></div>';
}
if(isset($msg_error)){
echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);
} // End of the main Submit conditional.
?>
I don't use mySQLi so not sure of the little tips and tricks but the following might be of use. Obviously this does not include all of your original code but you should see some records returned if you create a page with this and run it...
$link = mysqli_connect("localhost", "username", "password", "database");
if ( mysqli_connect_errno() ) {
printf("Connect failed: %s
", mysqli_connect_error());
exit();
}
$query = "SELECT * FROM `members` WHERE `Email`='$Email' AND `Activation` IS NULL";
if ($result = mysqli_query($link, $query)) {
while ($row = $result->fetch_assoc()) {
echo $row['password'].' '.trim( urldecode( $_POST['password'] ) ).'<br />';
if( $row['password']===trim( urldecode( $_POST['password'] ) ) ){
echo "--Match!--";
}
}
}
mysqli_close( $link );