Quote:
$query = "SELECT * FROM register_user WHERE email = :email AND user_password = :user_password";
Your query will only return the record if the user has entered the salted hash of their password in the "password" field.
Quote:
if(password_verify($password, $row['email'] ?? 'default')) {
The password_verify method will only succeed if the user has entered the salted hash of the salted hash of their password as their email address when registering.
Therefore, your code will never allow you to log in.
You need to select the user from the database based purely on their email address. You need to verify that the query succeeds and returns a row. And you need to pass the hashed password from the database to the password_verify method, not the email address.
And as pointed out in the comments, you need to use the variables you have already defined for the query parameters.
<?php
require_once 'includes/connection.php'; // provides $pdo
require_once 'includes/filter.php';
require_once 'includes/header.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (empty($_POST['email']) || empty($_POST['password'])) {
        echo "<span>All fields are required</span>";
    }
    else {
        $email = $_POST['email'];
        $password = $_POST['password'];

        // Look the user up by email only; the password never goes into the query.
        $query = "SELECT * FROM register_user WHERE email = :email";
        $statement = $pdo->prepare($query);
        $statement->bindParam(':email', $email, PDO::PARAM_STR);

        // The assignment must be parenthesised: && binds tighter than =, so without
        // the parentheses $row would be assigned the boolean result of
        // fetch() && password_verify(...), and $row['user_password'] would be
        // read before $row exists. fetch() returns false when no row matched.
        if ($statement->execute()
            && ($row = $statement->fetch(PDO::FETCH_ASSOC))
            && password_verify($password, $row['user_password'])) {
            echo "Success";
        }
        else {
            echo 'failed';
        }
    }
}
?>
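The same flow end to end, as an added example that is not part of the answer above: it registers a user with password_hash(), logs in by selecting on email only and verifying the stored hash, and shows why verifying against the email column (as in the question) can never succeed. It assumes an in-memory SQLite database with a register_user(email, user_password) table standing in for the question's MySQL table; the function names register_user() and login() and the dummy-hash step (so that a missing account and a wrong password take about the same time) are this example's own additions, not the answer's.

```php
<?php
// Added example, not the answer's code. Assumption: SQLite in memory with the
// same column names as the question, so it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE register_user (email TEXT PRIMARY KEY, user_password TEXT NOT NULL)');

// Hypothetical helper: store only the salted hash; password_hash() chooses the salt and cost.
function register_user(PDO $pdo, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO register_user (email, user_password) VALUES (:email, :user_password)'
    );
    $stmt->execute([':email' => $email, ':user_password' => $hash]);
}

// Hypothetical helper: select by email only, then verify the submitted password
// against the stored hash. $dummyHash is verified when no account matches, so the
// response time does not reveal whether the email exists.
function login(PDO $pdo, string $email, string $password, string $dummyHash): bool
{
    $stmt = $pdo->prepare('SELECT user_password FROM register_user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? $row['user_password'] : $dummyHash;
    $ok = password_verify($password, $hash);

    return $row !== false && $ok;
}

// Hash of an unguessable random value, computed once at startup.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

register_user($pdo, 'alice@example.com', 'correct horse battery staple');

var_dump(login($pdo, 'alice@example.com', 'correct horse battery staple'));
var_dump(login($pdo, 'alice@example.com', 'wrong password'));
var_dump(login($pdo, 'nobody@example.com', 'correct horse battery staple'));

// What the question's code did: pass the email column to password_verify().
// An email address is not a valid password hash, so this is always false.
$stmt = $pdo->prepare('SELECT * FROM register_user WHERE email = :email');
$stmt->execute([':email' => 'alice@example.com']);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump(password_verify('correct horse battery staple', $row['email']));
```

Run it with `php login_example.php` (any filename). Only the first login() call succeeds: the second fails on the wrong password, the third because no row matches, and the final password_verify() fails because an email address is not a hash. Note that bindParam() is not needed when the values are passed as an array to execute(); both bind the parameter and keep the user input out of the SQL text.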