password_verify returns false every time

Question

Title. It passes the username check, I tested. I've used some trimming/stripping tags as part of avoiding SQL injections. But for now, the only part of interest is the password_hash and password_verify failing the check every time.

Database password field is BLOB but I tried VARCHAR 255 and CHAR 255 too.

Relevant login verification:

if(isset($_POST["login"])){
$username = trim($_POST['username']);
$username = strip_tags($username);
$username = htmlspecialchars($username);

$loginpassword = trim($_POST['password']);
$loginpassword = strip_tags($loginpassword);
$loginpassword = htmlspecialchars($loginpassword);


$loginQuery= "SELECT * FROM members where username='$username'";
$result = mysqli_query($conn, $loginQuery);
$row = mysqli_fetch_assoc($result);
$hash = $row['password'];
if(password_verify($loginpassword, $hash)){
    $_SESSION['username'] = $username;
    header("Location: index.php");
}
else{
    $loginErrorExists= TRUE;
}
}

Relevant registration code:

if(isset($_POST["register"])){
$username = trim($_POST['username']);
$username = strip_tags($username);
$username = htmlspecialchars($username);

$password = trim($_POST['password']);
$password = strip_tags($username);
$password = htmlspecialchars($username);

$email = trim($_POST['email']);
$email = strip_tags($email);
$email = htmlspecialchars($email);

$conflictUserQuery = "SELECT username FROM members WHERE username='$username'";
$conflictUserResult = mysqli_query($conn, $conflictUserQuery);
$conflictUserRow = mysqli_fetch_array($conflictUserResult, MYSQLI_ASSOC);
$conflictMailQuery = "SELECT email FROM members WHERE email='$email'";
$conflictMailResult = mysqli_query($conn, $conflictMailQuery);
$conflictMailRow = mysqli_fetch_array($conflictMailResult, MYSQLI_ASSOC);
if(mysqli_num_rows($conflictUserResult) ==1){
    $userConflictExists = TRUE;
}
elseif(mysqli_num_rows($conflictMailResult) ==1){
    $mailConflictExists = TRUE;
}

else{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $registerQuery = mysqli_query($conn, "INSERT INTO members (username, password, email) VALUES ('$username', '$hash', '$email')");
    if($registerQuery){
        $_SESSION['username']= $username;
        header("Location: index.php");
    }
}
}

Trimming and stripping tags won't protect you against sql injection. You should user prepared and parameterized queries. Mysqli supports it.. — JimL, Dec 25 '17 at 20:19
Trimming/stripping is hardly sufficient to avoid SQL injections. Not that it's relevant to your password_hash misuse. Some database excerpts/input/output samples would be useful instead. — mario, Dec 25 '17 at 20:19
You may want to use an authentication library, the way you are coding is not secure, check this out: https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication — Spoody, Dec 25 '17 at 20:22
Do you mean you want to see the hash I store in my db? Password is "password" and the encrypted string is this `$2y$10$HM0E9vz.tqu7G2sC/7ahOuHYRjiFRhlROlIBWB7pk.XA6Tq8qgjBy` — mechanicarts, Dec 25 '17 at 20:23
*"Database password field is BLOB but I tried VARCHAR 255 and CHAR 255 too."* - change it back to varchar 255, empty out your hashes and create a new one and try again. However, don't use any of those methods you think will prevent against an injection. They're most likely working against you. Use a prepared statement instead. — Funk Forty Niner, Dec 25 '17 at 20:26
Can not see the error. TRy to echo something here: if(password_verify($loginpassword, $hash)){ echo 'OK' ... — halojoy, Dec 25 '17 at 20:29
I tried to echo a TRUE. But since it doesn't fulfill the condition, it never prints it. — mechanicarts, Dec 25 '17 at 20:30
Here is your error: $password = strip_tags($username); $password = htmlspecialchars($username); — halojoy, Dec 25 '17 at 20:36
Made it work by removing all of those commands. I just hash and verify the raw user input. I'll revisit to make a prepared statement before delivery. — mechanicarts, Dec 25 '17 at 20:42

score 2 · Answer 1 · answered Dec 25 '17 at 20:45

2

$password = htmlspecialchars($username);
Yes, you had the $username as password!

answered Dec 25 '17 at 20:45

halojoy

253
2
7

score 1 · Answer 2 · answered Dec 25 '17 at 20:43

1

I solved it by completely removing the trim(), strip_tags() and htmlspecialchars() as per Funk Forty Niner's suggestion.

answered Dec 25 '17 at 20:43

mechanicarts

163
1
15

password_verify returns false every time

2 Answers2