
I wrote this statement for the log-in system and it is not working. The fetch functions work properly, because if I try to echo out the $hash it looks fine, but if I try this verify statement it always returns false even if the inputs are the same as in the database. The database looks fine; it has varchar(255). Here's my code:

<?php

if(isset($_POST['submit'])){
    include 'database.php';
    $uid = mysqli_real_escape_string($conn,$_POST['uid']);
    $pass = mysqli_real_escape_string($conn,$_POST['pass']);

    $query = "SELECT * FROM user WHERE username ='$uid'";
    $tbl = mysqli_query($conn, $query);
    if (mysqli_num_rows($tbl)>0){

        $row = mysqli_fetch_array($tbl, MYSQLI_ASSOC);
        $hash = $row['password'];
        if (password_verify($pass, $hash)){
            echo "success";
        } else {
            echo "log in error";
        }
    }
}

Edit:

I removed the mysqli_real_escape_string but it still returns false. Here's the new code. I am selecting all from the database to also verify the username, so if either the username or the password in the inputs is inside the database, the user will be redirected to the wrong-password page.

<?php

if(isset($_POST['submit'])){
    include 'database.php';
    $uid = $_POST['uid'];
    $pass = $_POST['pass'];

    $query = "SELECT * FROM user WHERE username ='$uid'";
    $tbl = mysqli_query($conn, $query);
    if (mysqli_num_rows($tbl)>0){

        $row = mysqli_fetch_array($tbl, MYSQLI_ASSOC);
        $hash = $row['password'];
        if (password_verify($pass, $hash)){
            echo "success";
        }
        else {
            echo "log in error";
        }

    }
}

I have a sign-up page, and this is where I hash the password and then store it inside the database. Here's my code:

    // table name must not be in single quotes: 'user' would be a string literal, not an identifier
    $sql = "SELECT * FROM user WHERE username ='$uid'";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result);
}
if ($resultCheck > 0) {
    header("Location:.../user.add.php?the inputs are already taken");
    exit();
}
else {
    $hashedpass = password_hash($pwd, PASSWORD_DEFAULT);
    //insert the new user to the user database
    $sql = "INSERT INTO user (userID, username, password)
    VALUES (NULL, '$uid', '$hashedpass');";
    $result = mysqli_query($conn, $sql);
    header("Location:../user.add.php?success sir");
    exit();
}
dread
    Start by stopping running `mysqli_real_escape_string` on the password. That can change the value, which would change the resulting hash. Might be worth showing where you generate the hash in the first place too. – Jonnix Jan 29 '19 at 12:01
  • 1
    _Small Point_ If you only want one column from a select then `SELECT password...` and not `SELECT *` – RiggsFolly Jan 29 '19 at 12:05
  • 1
    Good job using `password_verify()`, by the way. – O. Jones Jan 29 '19 at 12:07
  • Any alternative way to avoid SQL injection? I'm new in PHP and it seems I don't know what and when to use such kinds of functions in my code; I always rely on the source code I get from the internet. Thank you for the answers btw – dread Jan 29 '19 at 12:29

1 Answer


You're potentially modifying the password before comparing it:

$pass = mysqli_real_escape_string($conn,$_POST['pass']);

In some cases this won't make a difference, but in some it will.

if I try to echo out the $hash, it looks fine

It may intuitively look fine to a human as output on a web page, but does that mean the two values are binary equivalent? Not always, and the result of the code seems to indicate exactly that.

Since you're not using this value in a SQL query, you don't need to escape it:

$pass = $_POST['pass'];

Side note: You shouldn't rely on escaping input to use in a SQL query anyway. Instead, don't use user-modifiable values as code in your query in the first place. Use query parameters instead. A commonly linked Stack Overflow question has some great examples and explanations to get you started. In the long run your code will be more secure, more stable, and easier to debug and maintain.

David
  • Ya, but the problem is I'm still learning those things in PHP and I mostly rely on source code from the internet. Any advice when it comes to SQL queries? – dread Jan 29 '19 at 12:36
  • @dread: The unfortunate reality is that *a lot* of code on the internet is garbage. This is especially true of PHP really, but no language is any exception to this. As for advice about avoiding SQL injection, this answer and other comments on the question above contain very useful links. – David Jan 29 '19 at 12:39
  • Ya, I agree. I've already changed the code based on the answers; the changes are stated above, but I still keep on getting false. – dread Jan 29 '19 at 13:02
  • @dread: Is it possible your data has a duplicate username and you're not looking at the right value? Or maybe the stored hash was created in a different way? Or itself was modified before it was hashed? `password_verify` does exactly what it does, if it doesn't match then it doesn't match. – David Jan 29 '19 at 13:09
  • Sir, what do you mean by "the stored hash was created in a different way" or "modified before it was hashed"? – dread Jan 29 '19 at 13:12
  • @dread: Well, how was the hash in the database originally created? One of the issues in your code above was that you were potentially modifying the input value before hashing it to compare with the stored hash. What if that stored hash was also modified in some way when it was originally stored? Go back to that code and check. If the stored hash is effectively unusable then your next step is to re-create it. – David Jan 29 '19 at 13:16
  • I created a sign-up page for the system; it is where the password is hashed and then stored inside the database. The code is stated above. I really don't know if the stored hash is effectively unusable. – dread Jan 29 '19 at 13:33
  • I got it: the hash statement hashes a different variable from the sign-up page, so basically it doesn't match the inputs in the log-in page. Thank you sir @david – dread Jan 29 '19 at 14:53
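The following is an added example, not code from the question or the answer above. It shows the two points the thread arrives at: register and log in against the page's `user` table with prepared statements so nothing is escaped by hand, hashing and verifying the same form variable, and a small self-contained check of why escaping the password before `password_verify()` fails. It assumes `$conn` is the mysqli connection from the page's `database.php`, that `userID` is auto-increment, and uses `addslashes()` as a stand-in for `mysqli_real_escape_string()` (which needs a live connection) because both add the same backslash before quote characters.

```php
<?php
// Added example (not the asker's code). Assumes $conn is the mysqli connection
// created by the page's database.php and that user.userID is AUTO_INCREMENT.

function register_user(mysqli $conn, string $uid, string $pwd): bool
{
    // Hash the SAME variable the form supplied. The asker's real bug was hashing
    // a different variable on the sign-up page than the one verified at log-in.
    $hash = password_hash($pwd, PASSWORD_DEFAULT);

    // Bound parameters: the username and hash are data, never part of the SQL text,
    // so no mysqli_real_escape_string() is needed anywhere.
    $stmt = $conn->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $uid, $hash);
    return $stmt->execute();
}

function login_user(mysqli $conn, string $uid, string $pass): bool
{
    // Only the username reaches SQL, and only as a bound parameter.
    // Select just the column that is needed rather than SELECT *.
    $stmt = $conn->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->bind_param('s', $uid);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    if (!$stmt->fetch()) {
        return false; // unknown username
    }
    // The raw password is handed to password_verify() unchanged.
    return password_verify($pass, $storedHash);
}

// Why escaping the password breaks verification: escaping inserts a backslash before
// quote characters, so the escaped copy is a different string from the one hashed.
// addslashes() stands in for mysqli_real_escape_string() (constructed, offline check).
function escaping_breaks_verify(string $pass): array
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    return [
        'raw_input'     => password_verify($pass, $hash),
        'escaped_input' => password_verify(addslashes($pass), $hash),
    ];
}

// Constructed sample password containing an apostrophe, the case where escaping
// changes the value; with no quote or backslash in the password both checks agree.
var_dump(escaping_breaks_verify("O'Brien#2019"));
```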