0

Password verify always returns false. I've seen every answer here, but none of it helped. Password field is varchar(255). When I var_dump password from a database, it shows string(60) and the password is correct but the function still returns false. Here is the code that stores in the database:

if(empty($_POST['pass'])) {
    $passErr = "Password required!";
    $errors[] = "Pass error";
} else {
    $pass = test_input($_POST["pass"]);

    if(!preg_match("/^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/", $pass)) {
        $passErr = "Password not well formed";
        $errors[] = "Pass error";
    } else {
        $pass_hashed = password_hash($pass, PASSWORD_DEFAULT);

    }
}
$hash_ver = md5(rand(0, 1000));
$status = "";
$stm = $conn->prepare("INSERT INTO user VALUES(?, ?, ?, ?, ?, ?, ?, ?)");

$stm->bind_param("sssssssi", $id, $pass_hashed, $email, $fName, $lName, $hash_ver, $status, $id_role);

$stm->execute();
echo strlen($pass_hashed);

And this is part of the login script

if(count($array) != 0) {
    echo "<script>alert('Ima gresaka')</script>";
} else {

    include('connectionFile/connection.php');


    $stmt = $conn->prepare("SELECT `name`,`last_name`,`status_verif`,`email`,`password` FROM user WHERE `email`=?");
    $stmt->bind_param("s", $email);
    $stmt->execute();

    if($res = $stmt->get_result()) {
        $count = $res->num_rows;

        if($count == 1) {

            $row = $res->fetch_assoc();
            $passwordb = $row['password'];

            //echo "<p>".$passwordb."</p>";

            $verify = password_verify($pass, $passwordb);

            if($verify) {
                echo "<script>alert('Password match')</script>";
            } else {
                var_dump($verify);
                var_dump($passwordb);
                echo "<script>alert('Password doesnt match')</script>";
            }

        } else {
            echo "<script>alert('0 rows')</script>";
        }

    } else {
        echo "<script>alert('No rows at all')</script>";
    }

}
GrumpyCrouton
  • 7,816
  • 5
  • 27
  • 61
Andrija Pavlovic
  • 87
  • 8
  • Have you tried echo your `$pass`? Does it get print as you expect? – Sarvap Praharanayuthan Jul 25 '17 at 19:01
  • 1
    what does this method do `test_input()`? Maybe it's adding/embedding something that you don't know about. – Funk Forty Niner Jul 25 '17 at 19:02
  • you also shouldn't be manipulating passwords in any way and may be the cause of all this. – Funk Forty Niner Jul 25 '17 at 19:02
  • Please comment your code, Andrija, it will make your code far easier for you and others to understand. – Martin Jul 25 '17 at 19:03
  • I take it you're not present in your question. Well, I will leave you with this. Something is manipulating your input and you need to find out why that is. You can always edit your post for future users, good luck. – Funk Forty Niner Jul 25 '17 at 19:10
  • Please note that you are inserting although errors array is not empty. – steven Jul 25 '17 at 19:12
  • Thanks for you answers. I found the mistake. But I must ask @Fred-ii- . This is the function test_input(). function test_input($data) { $data = trim($data); $data = stripcslashes($data); $data = htmlspecialchars($data); return $data; } Is it ok to manipulate passwords this way? – Andrija Pavlovic Jul 26 '17 at 08:11

3 Answers3

0

There are Two possible reasons. :

  • 1) $pass = test_input($_POST["pass"]);

    The function test_input() does something to the $_POST['pass'] string, unknown to the user. Also, the value of $pass is not declared in the second code block.

  • 2) 

           $stm = $conn->prepare("INSERT INTO user VALUES(?, ?, ?, ?, ?,
                            ?, ?, ?)");
       $stm->bind_param("sssssssi", $id,$pass_hashed, 
       $email,$fName,$lName, $hash_ver,$status, $id_role);

    The value you are inserting is not inserted into the correct SQL column or the value you are extracting from the SQL is not the correct column, maybe you're extracting and comparing the md5 hash you inserted?

It would be helpful if you can show an example output, such as what you'revar_dump values state.

It would also be very helpful to show how $pass is set in the second code block as well as what test_input actually does in the first code block.

Various parts of your code could do with improvement.

Additionally, think carefully about your logic structure -- what if $pass doesn't fit your preg_match? It will still be inserted into your database. You need to properly catch these sorts of flow issues.

Read about how to display PHP error logs, or better yet, dump them to a file to read in your IDE.

Martin
  • 19,815
  • 6
  • 53
  • 104
  • *"maybe you're extracting and comparing the md5 hash you inserted?"* - That isn't what's being inserted. I thought so to at first, but they're inserting the right variable alright. That MD5 thing looks to be for something else. – Funk Forty Niner Jul 25 '17 at 19:25
  • @Fred-ii- OP is inserting both values, but as we have no idea what columns are being inserted into and we have been given no DB schematics, I think this is an option, although admittedly, unlikely. – Martin Jul 25 '17 at 19:26
  • Exactly; completely unknown and all the more reasons why I didn't post an answer for this potential rabbit hole. Wishing you well with this, let me know if you need a good flashlight ;-) Edit: I gotta run. – Funk Forty Niner Jul 25 '17 at 19:27
  • @Fred-ii- As the great pirate Blackbeard stated: *"When you eliminate the impossible, then whatever is left, no matter how improbable, must be the reason my `password_hash` doesn't work"* – Martin Jul 25 '17 at 19:28
  • @Fred-ii- I do it just for pity points! haha..... have a good one, sir! – Martin Jul 25 '17 at 19:29
0

I think the problem lies after your variable $row. it does not recognize $passwordb = $row['password'] in your login script. Try somerhing like this:

// $rows = $res->fetch_assoc();

while( ($row = $res->fetch_assoc()) !== FALSE ) {
    $rows[] = $row;
}

function returnArray( $rows, $string )
{
    foreach( $rows as $row )
    {
    return $row[ $string ];
    }
}

$passwordb = returnArray( $rows, 'password');

//etc.........
Michael GEDION
  • 759
  • 6
  • 15
0

Thank you for taking time to solve my problem, I managed to find the mistake. The problem was with the $pass variable. After including the connection file, $pass variable didn't return what I was expecting since there was another $pass variable in the connection file. Thank you once again, and sorry, I'm still learning how to properly use StackOverflow.

Andrija Pavlovic
  • 87
  • 8