How to encrypt a password in MySQL using md5 [duplicate]

public function login($email, $password){
    $stmt = $this->pdo->prepare("SELECT 'user_id' FROM 'users' WHERE 'email'=:email AND 'password' = :password");
    $stmt->bindParam(":email", $email, PDO::PARAM_STR);
    $stmt->bindParam(":password", md5($password), PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_OBJ);
    $count = $stmt->rowCount();

    if($count >0){
        $_SESSION['user_id'] = $user->user_id;
        header('Location: home.php');
    }else{
        return false;
    }
}

By using md5 in password I am getting an error: Only variables should be passed by reference in D:\xammp\htdocs\twitter\core\classes\user.php on line 18

And on removing md5, I am getting an error for invalid password though I am entering the correct password as in the database.

As mentioned in the comment from @Philipp, md5 is not encryption and not for use with passwords - but to do what you are trying you need to set the return of md5 as a variable instead.

So change

$stmt->bindParam(":password", md5($password), PDO::PARAM_STR);

To

$md5hash=md5($password);
$stmt->bindParam(":password", $md5hash, PDO::PARAM_STR);

Use the PHP built-in password_hash() function to encrypt your passwords.

password_hash():

creates a new password hash using a strong one-way hashing algorithm.

use it like this:

$passHash = password_hash("myPassword", PASSWORD_BCRYPT);

Note:

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

reference http://php.net/password-hash.

then change this line:

$stmt->bindParam(":password", md5($password), PDO::PARAM_STR);

to this:

$stmt->bindValue(":password", $passHash, PDO::PARAM_STR);

To verify a password you would use password_verify().

password_verify():

Verifies that the given hash matches the given password.

reference http://php.net/password-verify.

Use password_verify() like this:

if(password_verify('myPassword', $passHash))
{
    // the password is correct
}
else
{
    // incorrect password
}
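The complete register-and-login flow with password_hash() and password_verify(), as an added example that is not part of the question or either answer. Because password_hash() generates a new salt on every call, the stored hash cannot be matched in the WHERE clause; the row is selected by email and the hash is checked in PHP. Assumptions: the question's `users` table with `user_id`, `email` and `password` columns, the `password` column holding password_hash() output, hypothetical `register()` and rewritten `login()` functions, and an in-memory SQLite database (pdo_sqlite) standing in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example. register() and this login() are hypothetical helpers;
// table and column names come from the question.

function register(PDO $pdo, string $email, string $password): void
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm; a random salt is embedded in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
    $stmt->execute([':email' => $email, ':password' => $hash]);
}

function login(PDO $pdo, string $email, string $password): ?int
{
    // Select by email only: a freshly computed hash never equals the stored one.
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_OBJ);

    // password_verify() reads algorithm, cost and salt from the stored hash.
    if ($user === false || !password_verify($password, $user->password)) {
        return null;
    }

    // Upgrade the stored hash transparently if the default algorithm or cost has changed.
    if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :password WHERE user_id = :id');
        $upd->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':id'       => $user->user_id,
        ]);
    }
    return (int) $user->user_id;
}

// Constructed demo data; SQLite in memory is an assumption made for a self-contained run.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT UNIQUE, password VARCHAR(255))');

register($pdo, 'alice@example.com', 'correct horse');
var_dump(login($pdo, 'alice@example.com', 'correct horse')); // matching password
var_dump(login($pdo, 'alice@example.com', 'wrong'));         // wrong password
var_dump(login($pdo, 'nobody@example.com', 'correct horse')); // unknown email
```

The `password` column is declared as VARCHAR(255) so that hashes longer than bcrypt's 60 characters still fit if PASSWORD_DEFAULT changes. With ERRMODE_EXCEPTION set, a malformed query raises an exception instead of silently returning no rows.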