Quote:
$sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";
Problem 1:
Your code is vulnerable to SQL Injection.
NEVER use string concatenation/interpolation to build a SQL query.
ALWAYS use a parameterized query.
PHP: SQL Injection - Manual
Problem 2:
Your query only returns records where the password stored in the database matches the plain-text password entered by the user. That suggests you are storing the passwords in plain-text, which is extremely bad.
Quote:
$row['password'] === password_verify($password, $hash_password)
Problem 3:
You appear to be generating a hash of the password which the user has just entered, and then verifying that the password they just entered matches that hash. Essentially, you are testing that the password they just entered is the same as the password they just entered - a meaningless comparison.
Problem 4:
As pointed out in the comments, password_verify returns a bool. So unless the password is literally "true", that test can never pass.
You need to completely re-think your approach:
- When the user signs up, or resets their password, use password_hash to generate a salted hash of the plain-text password. Store that hash in the database, never the plain-text password.
- When the user logs in, select the record by username alone. Then pass the plaintext password they entered and the stored password hash from the database record to the password_verify method to ensure they match.
- And for the love of Codd, use parameterized queries!
PHP: password_hash
PHP: password_verify
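The three steps above put together as an added example; this is not code from the question or the answer. It uses PDO against an in-memory SQLite database so it runs stand-alone, and the table name, column names (vendor_email, password_hash) and sample credentials are assumptions made for the example. The e-mail is used as the "username" the answer refers to.

```php
<?php
declare(strict_types=1);

// Schema and sample data are assumptions for this example; any PDO driver works the same way.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE vendors (
        id            INTEGER PRIMARY KEY,
        vendor_email  TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )'
);

// Sign-up (or password reset): hash the plaintext with password_hash() and store only the hash.
function registerVendor(PDO $pdo, string $email, string $plainPassword): void
{
    // PASSWORD_DEFAULT selects a salted, deliberately slow hash; the salt is embedded in the result,
    // so nothing else has to be stored alongside it.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);

    // Parameterized INSERT: $email and $hash travel separately from the SQL text, so neither
    // can alter the statement no matter what characters they contain.
    $stmt = $pdo->prepare('INSERT INTO vendors (vendor_email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Log-in: select the row by e-mail alone, then let password_verify() compare the plaintext
// the user typed against the stored hash. The password never appears in the query.
function authenticateVendor(PDO $pdo, string $email, string $plainPassword): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verified against when the e-mail is unknown, so a miss takes about as long as a wrong
        // password and response time does not reveal which e-mails exist.
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM vendors WHERE vendor_email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plainPassword, $dummyHash);
        return false;
    }

    if (!password_verify($plainPassword, $row['password_hash'])) {
        return false;
    }

    // Transparent upgrade: if the stored hash was made with weaker settings than the current
    // default, re-hash while we still have the plaintext in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE vendors SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($plainPassword, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Constructed sample account.
registerVendor($pdo, 'alice@example.com', 'correct horse battery staple');

var_dump(authenticateVendor($pdo, 'alice@example.com', 'correct horse battery staple')); // right password
var_dump(authenticateVendor($pdo, 'alice@example.com', 'wrong password'));               // wrong password
// With a bound parameter the classic payload is just an e-mail address that matches no row.
var_dump(authenticateVendor($pdo, "alice@example.com' OR '1'='1", 'anything'));
```

Note that the stored column is named password_hash rather than password, which makes it obvious at a glance that the plaintext is never written to the database, and that only the e-mail is ever used in a WHERE clause.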