I'm trying to check the password and username of someone before they log in to my website. The passwords are all stored in password_hash($password1, PASSWORD_BCRYPT);
This problem should be solved differently. Only make a single query and get the password-hash by the given username. Then the check should be done in your code, not inside a second query:
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
This function will return true or false, depending on whether the password matched the stored password-hash. You cannot compare the password-hashes directly in the SQL query, because of the random salt added to each password.
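An added example, not part of the original answers, showing why the SQL comparison never matches and how the single-query check behaves for a correct password, a wrong password and an unknown username. It assumes an in-memory SQLite database via PDO as a stand-in for the MySQL `accounts` table; `checkLogin()` and the sample user are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the page's `accounts` table (in-memory SQLite, not MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO accounts (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT)]);

// Hashing the same password again produces a different string (new random salt),
// so an equality test against the stored column finds no row.
$rehash = password_hash('correct horse', PASSWORD_BCRYPT);
$find = $pdo->prepare('SELECT COUNT(*) FROM accounts WHERE username = ? AND password = ?');
$find->execute(['alice', $rehash]);
$sqlCompareMatches = (int) $find->fetchColumn();

// Hypothetical helper: one query by username, verification done in PHP.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Dummy hash so an unknown username still costs one bcrypt verification.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_BCRYPT);

    $stmt = $pdo->prepare('SELECT password FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no row matches

    $hash = is_string($stored) ? $stored : $dummyHash;
    // password_verify reads the salt and cost from $hash; the dummy never grants access.
    $ok = password_verify($password, $hash) && is_string($stored);

    // Re-hash on successful login if the algorithm or cost settings have changed.
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $update = $pdo->prepare('UPDATE accounts SET password = ? WHERE username = ?');
        $update->execute([password_hash($password, PASSWORD_BCRYPT), $username]);
    }
    return $ok;
}

var_dump($sqlCompareMatches);                              // rows matched by the SQL comparison
var_dump(checkLogin($pdo, 'alice', 'correct horse'));      // correct password
var_dump(checkLogin($pdo, 'alice', 'wrong'));              // wrong password
var_dump(checkLogin($pdo, 'mallory', 'dummy-password'));   // unknown username
```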
I fixed the issue. I was using password_verify incorrectly.
<?php
require 'privstuff/dbinfo.php';
$username = $_POST["username"];
$password1 = $_POST["password1"];
$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);
// Check connection
if (mysqli_connect_errno()) {
    echo "Connection Failed: " . mysqli_connect_errno();
    exit();
}
// Stays null if the statement cannot be prepared or no row matches the username
$result = null;
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT `password` FROM `accounts` WHERE username = ?")) {
    /* Bind parameters: s - string, b - blob, i - int, etc */
    $stmt->bind_param("s", $username);
    /* Execute it */
    $stmt->execute();
    /* Bind results */
    $stmt->bind_result($result);
    /* Fetch the value */
    $stmt->fetch();
    /* Close statement */
    $stmt->close();
}
// Only verify when a hash was actually fetched; password_verify expects a string
if (is_string($result) && password_verify($password1, $result))
{
    session_start();
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
    echo '<script type="text/javascript"> window.open("textbomber.php","_self");</script>';
} else {
    echo '<script type="text/javascript"> alert("Incorrect Username/Password"); window.open("login.html","_self");</script>';
}
$mysqli->close();
?>