Click here to Skip to main content
15,881,882 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I have the user password hashed in the database. I want to verify the password the user entered to what is stored in the database using password_verify method. However, when I entered the correct password, my coding keep printing "failed". Lastly, I don't know why my code is not also fetching data from the database.

What I have tried:

PHP
<pre>
<?php
require_once 'includes/connection.php';
require_once 'includes/filter.php';
require_once 'includes/header.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  $email;
  $password;

  if (empty($_POST['email']) || empty($_POST['password'])) {
    echo "<span>All fileds are required</span>";
  } 
  else {
    $email = $_POST['email'];
    $password = $_POST['password'];
    $query = "SELECT * FROM register_user WHERE email = :email AND user_password = :user_password";
    $statement = $pdo->prepare($query);
    $statement->bindParam(':email', $filterEmail, PDO::PARAM_STR);
    $statement->bindParam(':user_password', $filterPassword, PDO::PARAM_STR);
    $statement->execute();
    $row = $statement->fetch(PDO:: FETCH_ASSOC);

    if(password_verify($password, $row['email'] ?? 'default')) {
       echo "Success";
     } 
     else {
       echo 'failed';
     }
    
   }
}
?>
Posted
Updated 5-Jan-23 22:57pm
v5
Comments
Member 15627495 6-Jan-23 1:45am    
user 'var_dump($var)' and 'print_r($var)' to display the values of your vars along your login code.
It looks like $filteremail and $filterpassword are equals to different value aside the firsts values.
Richard MacCutchan 6-Jan-23 3:56am    
You are binding parameters that are not defined anywhere: $filterEmail and $filterPassword.

1 solution

Quote:
PHP
$query = "SELECT * FROM register_user WHERE email = :email AND user_password = :user_password";
Your query will return only return the record if the user has entered the salted hash of their password in the "password" field.

Quote:
PHP
if(password_verify($password, $row['email'] ?? 'default')) {
The password_verify method[^] will only succeed if the user has entered the salted hash of the salted hash of their password as their email address when registering.

Therefore, your code will never allow you to log in.

You need to select the user from the database based purely on their email address. You need to verify that the query succeeds and returns a row. And you need to pass the hashed password from the database to the password_verify method, not the email address.

And as pointed out in the comments, you need to use the variables you have already defined for the query parameters.
PHP
<?php
require_once 'includes/connection.php';
require_once 'includes/filter.php';
require_once 'includes/header.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  if (empty($_POST['email']) || empty($_POST['password'])) {
    echo "<span>All fileds are required</span>";
  } 
  else {
    $email = $_POST['email'];
    $password = $_POST['password'];
    
    $query = "SELECT * FROM register_user WHERE email = :email";
    $statement = $pdo->prepare($query);
    $statement->bindParam(':email', $email, PDO::PARAM_STR);
    if ($statement->execute() && $row = $statement->fetch(PDO:: FETCH_ASSOC) && password_verify($password, $row['user_password'])) {
       echo "Success";
    } 
    else {
       echo 'failed';
    }
  }
}
?>
 
Share this answer
 
v2
Comments
Member 14028652 6-Jan-23 17:00pm    
Thank you everyone.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900