So I have a database where the id, username and password are stored. The password is stored using PHP's password_hash() function. That part works fine, and it is successfully stored in the database with a hash. Now I want to use the password_verify() function. I can't seem to properly get the string value out of the database to use it with that function.
The database ($db) is properly set up due to the fact that I have already stored something in there. Columns in the database are just id, username and password. $username and $password are what the user has filled in when logging in.
<?php
if (count($errors) == 0) { // Everything correct, so verify pw
    $sql = $db->query("SELECT password FROM users WHERE username='$username'");
    if ($sql->num_rows > 0) {
        // Row found: compare the submitted password with the stored hash
        $hashedpass = $sql->fetch_array();
        if (password_verify($password, $hashedpass['password'])) {
            $msg = "Username and password are correct";
        } else {
            $msg = "Incorrect";
        }
    } else {
        // No such username
        $msg = "Incorrect";
    }
}
?>
Having fetched the data here, making $hashedpass an array:
$hashedpass = $sql->fetch_array();
Then you would compare against $hashedpass['password'] using the column name from the table:
password_verify($password, $hashedpass['password'])
Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe!
$hashedpass = $sql->fetch_array(); gives you an associative array with the column names you select.
You should get the values by selecting the correct element - $hashedpass['password']
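Following up on the SQL injection remark above, here is the same login check with a bound parameter instead of string interpolation (an added example, not code from the original post or its answers). It assumes PDO with an in-memory SQLite database in place of the question's mysqli $db so it runs without a server; check_login() and the sample account are constructed for illustration.

```php
<?php
// Constructed setup: in-memory SQLite via PDO stands in for the question's
// mysqli $db; the users table has the same id/username/password columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed account

// check_login() is a hypothetical helper name, not from the original post.
function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps $username out of the SQL text, so a quote in it is just data.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one verify so both failure paths do similar work.
        static $dummy = null;
        $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT's algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed inputs: valid login, wrong password, and a username containing a
// quote, which would break the interpolated query in the question.
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ["o'brien", 'anything']] as [$u, $p]) {
    $msg = check_login($db, $u, $p) ? "Username and password are correct" : "Incorrect";
    echo $u, ': ', $msg, "\n";
}
```

With mysqli, the equivalent calls are prepare(), bind_param() and execute() on the statement, with the same password_verify() comparison on the fetched row.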