Title. It passes the username check, I tested. I've used some trimming/stripping tags as part of avoiding SQL injections. But for now, the only part of interest is the password_hash and password_verify failing the check every time.
Database password field is BLOB but I tried VARCHAR 255 and CHAR 255 too.
Relevant login verification:
if(isset($_POST["login"])){
$username = trim($_POST['username']);
$username = strip_tags($username);
$username = htmlspecialchars($username);
$loginpassword = trim($_POST['password']);
$loginpassword = strip_tags($loginpassword);
$loginpassword = htmlspecialchars($loginpassword);
$loginQuery= "SELECT * FROM members where username='$username'";
$result = mysqli_query($conn, $loginQuery);
$row = mysqli_fetch_assoc($result);
$hash = $row['password'];
if(password_verify($loginpassword, $hash)){
$_SESSION['username'] = $username;
header("Location: index.php");
}
else{
$loginErrorExists= TRUE;
}
}
Relevant registration code:
if(isset($_POST["register"])){
$username = trim($_POST['username']);
$username = strip_tags($username);
$username = htmlspecialchars($username);
$password = trim($_POST['password']);
$password = strip_tags($username);
$password = htmlspecialchars($username);
$email = trim($_POST['email']);
$email = strip_tags($email);
$email = htmlspecialchars($email);
$conflictUserQuery = "SELECT username FROM members WHERE username='$username'";
$conflictUserResult = mysqli_query($conn, $conflictUserQuery);
$conflictUserRow = mysqli_fetch_array($conflictUserResult, MYSQLI_ASSOC);
$conflictMailQuery = "SELECT email FROM members WHERE email='$email'";
$conflictMailResult = mysqli_query($conn, $conflictMailQuery);
$conflictMailRow = mysqli_fetch_array($conflictMailResult, MYSQLI_ASSOC);
if(mysqli_num_rows($conflictUserResult) ==1){
$userConflictExists = TRUE;
}
elseif(mysqli_num_rows($conflictMailResult) ==1){
$mailConflictExists = TRUE;
}
else{
$hash = password_hash($password, PASSWORD_DEFAULT);
$registerQuery = mysqli_query($conn, "INSERT INTO members (username, password, email) VALUES ('$username', '$hash', '$email')");
if($registerQuery){
$_SESSION['username']= $username;
header("Location: index.php");
}
}
}