password_verify() always return false
up vote
1
down vote
favorite
I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!
. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/
<?php
session_start();
include '.includesfunctionsdb.php';
?>
<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));
$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);
if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
//header("Location: ./index.php");
?>
and my registration page is as follows
<?php
//This Page is for registration of users
?>
<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';
?>
<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');
//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);
//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found
//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found
//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";
?>
php mysql login
|
show 16 more comments
up vote
1
down vote
favorite
I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!
. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/
<?php
session_start();
include '.includesfunctionsdb.php';
?>
<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));
$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);
if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
//header("Location: ./index.php");
?>
and my registration page is as follows
<?php
//This Page is for registration of users
?>
<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';
?>
<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');
//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);
//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found
//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found
//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";
?>
php mysql login
4
sighstrtolower(mysqli_real_escape_string($db, $_POST['password']));
is a bad start. Please show your password_hash code too where you store it in the DB.
– Jon Stirling
Nov 16 '16 at 16:44
1
Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49
1
MySQL is (typically) case-insensitive, so yourstrtolower
calls are unnecessary. Additionally, if my password werePassWord
but I could log in withPaSsWoRd
, you would be getting a very serious talking-to.
– Niet the Dark Absol
Nov 16 '16 at 16:50
1
password_verify
returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case,password_verify
seems to be returning true, so the password was correct.
– Jon Stirling
Nov 16 '16 at 16:54
1
Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57
|
show 16 more comments
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!
. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/
<?php
session_start();
include '.includesfunctionsdb.php';
?>
<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));
$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);
if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
//header("Location: ./index.php");
?>
and my registration page is as follows
<?php
//This Page is for registration of users
?>
<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';
?>
<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');
//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);
//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found
//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found
//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";
?>
php mysql login
I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!
. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/
<?php
session_start();
include '.includesfunctionsdb.php';
?>
<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));
$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);
if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
//header("Location: ./index.php");
?>
and my registration page is as follows
<?php
//This Page is for registration of users
?>
<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';
?>
<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');
//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);
//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found
//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found
//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";
?>
php mysql login
php mysql login
edited Nov 16 '16 at 16:47
chris85
22.2k72342
22.2k72342
asked Nov 16 '16 at 16:44
Rishad
179110
179110
4
sighstrtolower(mysqli_real_escape_string($db, $_POST['password']));
is a bad start. Please show your password_hash code too where you store it in the DB.
– Jon Stirling
Nov 16 '16 at 16:44
1
Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49
1
MySQL is (typically) case-insensitive, so yourstrtolower
calls are unnecessary. Additionally, if my password werePassWord
but I could log in withPaSsWoRd
, you would be getting a very serious talking-to.
– Niet the Dark Absol
Nov 16 '16 at 16:50
1
password_verify
returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case,password_verify
seems to be returning true, so the password was correct.
– Jon Stirling
Nov 16 '16 at 16:54
1
Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57
|
show 16 more comments
4
sighstrtolower(mysqli_real_escape_string($db, $_POST['password']));
is a bad start. Please show your password_hash code too where you store it in the DB.
– Jon Stirling
Nov 16 '16 at 16:44
1
Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49
1
MySQL is (typically) case-insensitive, so yourstrtolower
calls are unnecessary. Additionally, if my password werePassWord
but I could log in withPaSsWoRd
, you would be getting a very serious talking-to.
– Niet the Dark Absol
Nov 16 '16 at 16:50
1
password_verify
returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case,password_verify
seems to be returning true, so the password was correct.
– Jon Stirling
Nov 16 '16 at 16:54
1
Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57
4
4
sigh
strtolower(mysqli_real_escape_string($db, $_POST['password']));
is a bad start. Please show your password_hash code too where you store it in the DB.– Jon Stirling
Nov 16 '16 at 16:44
sigh
strtolower(mysqli_real_escape_string($db, $_POST['password']));
is a bad start. Please show your password_hash code too where you store it in the DB.– Jon Stirling
Nov 16 '16 at 16:44
1
1
Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49
Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49
1
1
MySQL is (typically) case-insensitive, so your
strtolower
calls are unnecessary. Additionally, if my password were PassWord
but I could log in with PaSsWoRd
, you would be getting a very serious talking-to.– Niet the Dark Absol
Nov 16 '16 at 16:50
MySQL is (typically) case-insensitive, so your
strtolower
calls are unnecessary. Additionally, if my password were PassWord
but I could log in with PaSsWoRd
, you would be getting a very serious talking-to.– Niet the Dark Absol
Nov 16 '16 at 16:50
1
1
password_verify
returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify
seems to be returning true, so the password was correct.– Jon Stirling
Nov 16 '16 at 16:54
password_verify
returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify
seems to be returning true, so the password was correct.– Jon Stirling
Nov 16 '16 at 16:54
1
1
Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57
Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57
|
show 16 more comments
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f40637613%2fpassword-verify-always-return-false%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses
add a comment |
up vote
0
down vote
accepted
The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses
The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses
edited Nov 12 at 5:25
answered Nov 11 at 23:09
Rishad
179110
179110
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f40637613%2fpassword-verify-always-return-false%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
sigh
strtolower(mysqli_real_escape_string($db, $_POST['password']));
is a bad start. Please show your password_hash code too where you store it in the DB.– Jon Stirling
Nov 16 '16 at 16:44
1
Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49
1
MySQL is (typically) case-insensitive, so your
strtolower
calls are unnecessary. Additionally, if my password werePassWord
but I could log in withPaSsWoRd
, you would be getting a very serious talking-to.– Niet the Dark Absol
Nov 16 '16 at 16:50
1
password_verify
returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case,password_verify
seems to be returning true, so the password was correct.– Jon Stirling
Nov 16 '16 at 16:54
1
Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57