password_verify() always return false









up vote
1
down vote

favorite












I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/



<?php
session_start();
include '.includesfunctionsdb.php';
?>

<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));

$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);

if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];

//header("Location: ./index.php");

?>


and my registration page is as follows



<?php
//This Page is for registration of users
?>

<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';

?>

<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');

//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);

//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found

//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found

//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";




?>









share|improve this question



















  • 4




    sigh strtolower(mysqli_real_escape_string($db, $_POST['password'])); is a bad start. Please show your password_hash code too where you store it in the DB.
    – Jon Stirling
    Nov 16 '16 at 16:44







  • 1




    Why do you need the second query? You already know the hash came from the record you are querying..
    – chris85
    Nov 16 '16 at 16:49






  • 1




    MySQL is (typically) case-insensitive, so your strtolower calls are unnecessary. Additionally, if my password were PassWord but I could log in with PaSsWoRd, you would be getting a very serious talking-to.
    – Niet the Dark Absol
    Nov 16 '16 at 16:50






  • 1




    password_verify returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify seems to be returning true, so the password was correct.
    – Jon Stirling
    Nov 16 '16 at 16:54







  • 1




    Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
    – gradosevic
    Nov 16 '16 at 16:57














up vote
1
down vote

favorite












I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/



<?php
session_start();
include '.includesfunctionsdb.php';
?>

<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));

$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);

if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];

//header("Location: ./index.php");

?>


and my registration page is as follows



<?php
//This Page is for registration of users
?>

<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';

?>

<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');

//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);

//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found

//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found

//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";




?>









share|improve this question



















  • 4




    sigh strtolower(mysqli_real_escape_string($db, $_POST['password'])); is a bad start. Please show your password_hash code too where you store it in the DB.
    – Jon Stirling
    Nov 16 '16 at 16:44







  • 1




    Why do you need the second query? You already know the hash came from the record you are querying..
    – chris85
    Nov 16 '16 at 16:49






  • 1




    MySQL is (typically) case-insensitive, so your strtolower calls are unnecessary. Additionally, if my password were PassWord but I could log in with PaSsWoRd, you would be getting a very serious talking-to.
    – Niet the Dark Absol
    Nov 16 '16 at 16:50






  • 1




    password_verify returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify seems to be returning true, so the password was correct.
    – Jon Stirling
    Nov 16 '16 at 16:54







  • 1




    Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
    – gradosevic
    Nov 16 '16 at 16:57












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/



<?php
session_start();
include '.includesfunctionsdb.php';
?>

<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));

$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);

if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];

//header("Location: ./index.php");

?>


and my registration page is as follows



<?php
//This Page is for registration of users
?>

<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';

?>

<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');

//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);

//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found

//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found

//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";




?>









share|improve this question















I am a newbie and I was trying to create a login system using PHP and Mysql. After finishing registration form and adding few users, I was trying to create a login form. but it always returns false saying my your Your username or password is incorrect!. Below is my code. It will be great if someone could help me. Advance sorry if my doubt is tooo basic :/



<?php
session_start();
include '.includesfunctionsdb.php';
?>

<?php
$username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
$password = strtolower(mysqli_real_escape_string($db, $_POST['password']));

$sql = "SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($db, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['password'];
echo $hash_pwd;
echo $password;
$hash = password_verify($password, $hash_pwd);

if ($hash ==0)
header("Location: ./index.php?error=check");
exit();
else
$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 0)
echo "Your username or password is incorrect!";
else
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];

//header("Location: ./index.php");

?>


and my registration page is as follows



<?php
//This Page is for registration of users
?>

<?php
// this php tag is for all includes
include '.includesfunctionsdb.php';

?>

<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"]))
$username = $_POST['username'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$date = date('Y-m-d H:i:s');

//Encrypting and Securing recieved data
$username = strtolower(mysqli_real_escape_string($db, $username));
$firstname = strtolower(mysqli_real_escape_string($db, $firstname));
$lastname = strtolower(mysqli_real_escape_string($db, $lastname));
$email = strtolower(mysqli_real_escape_string($db, $email));
$password = strtolower(mysqli_real_escape_string($db, $password));
$encryptedpassword = password_hash($password, PASSWORD_DEFAULT);

//To check duplication of email ids
$sql = "SELECT email FROM users WHERE email='$email'";
$result = mysqli_query($db, $sql);
$row = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found

//To check duplication of usernames
$sql2 = "SELECT username FROM users WHERE username='$username'";
$result2 = mysqli_query($db, $sql2);
$row2 = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found

//conditions to check what all duplicates are found
if($row > 0 && $row2 >0)
echo "Sorry...This email id and username is already taken!!!";
elseif ($row > 0 )
echo "Sorry...This email id is already taken!";
elseif ($row2 > 0)
echo "Sorry...This Username is already taken!";
else
$query = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
if($query)
echo "Thank You! you are now registered.";




?>






php mysql login






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 16 '16 at 16:47









chris85

22.2k72342




22.2k72342










asked Nov 16 '16 at 16:44









Rishad

179110




179110







  • 4




    sigh strtolower(mysqli_real_escape_string($db, $_POST['password'])); is a bad start. Please show your password_hash code too where you store it in the DB.
    – Jon Stirling
    Nov 16 '16 at 16:44







  • 1




    Why do you need the second query? You already know the hash came from the record you are querying..
    – chris85
    Nov 16 '16 at 16:49






  • 1




    MySQL is (typically) case-insensitive, so your strtolower calls are unnecessary. Additionally, if my password were PassWord but I could log in with PaSsWoRd, you would be getting a very serious talking-to.
    – Niet the Dark Absol
    Nov 16 '16 at 16:50






  • 1




    password_verify returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify seems to be returning true, so the password was correct.
    – Jon Stirling
    Nov 16 '16 at 16:54







  • 1




    Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
    – gradosevic
    Nov 16 '16 at 16:57












  • 4




    sigh strtolower(mysqli_real_escape_string($db, $_POST['password'])); is a bad start. Please show your password_hash code too where you store it in the DB.
    – Jon Stirling
    Nov 16 '16 at 16:44







  • 1




    Why do you need the second query? You already know the hash came from the record you are querying..
    – chris85
    Nov 16 '16 at 16:49






  • 1




    MySQL is (typically) case-insensitive, so your strtolower calls are unnecessary. Additionally, if my password were PassWord but I could log in with PaSsWoRd, you would be getting a very serious talking-to.
    – Niet the Dark Absol
    Nov 16 '16 at 16:50






  • 1




    password_verify returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify seems to be returning true, so the password was correct.
    – Jon Stirling
    Nov 16 '16 at 16:54







  • 1




    Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
    – gradosevic
    Nov 16 '16 at 16:57







4




4




sigh strtolower(mysqli_real_escape_string($db, $_POST['password'])); is a bad start. Please show your password_hash code too where you store it in the DB.
– Jon Stirling
Nov 16 '16 at 16:44





sigh strtolower(mysqli_real_escape_string($db, $_POST['password'])); is a bad start. Please show your password_hash code too where you store it in the DB.
– Jon Stirling
Nov 16 '16 at 16:44





1




1




Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49




Why do you need the second query? You already know the hash came from the record you are querying..
– chris85
Nov 16 '16 at 16:49




1




1




MySQL is (typically) case-insensitive, so your strtolower calls are unnecessary. Additionally, if my password were PassWord but I could log in with PaSsWoRd, you would be getting a very serious talking-to.
– Niet the Dark Absol
Nov 16 '16 at 16:50




MySQL is (typically) case-insensitive, so your strtolower calls are unnecessary. Additionally, if my password were PassWord but I could log in with PaSsWoRd, you would be getting a very serious talking-to.
– Niet the Dark Absol
Nov 16 '16 at 16:50




1




1




password_verify returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify seems to be returning true, so the password was correct.
– Jon Stirling
Nov 16 '16 at 16:54





password_verify returns true is the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, password_verify seems to be returning true, so the password was correct.
– Jon Stirling
Nov 16 '16 at 16:54





1




1




Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57




Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries.
– gradosevic
Nov 16 '16 at 16:57












1 Answer
1






active

oldest

votes

















up vote
0
down vote



accepted










The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses






share|improve this answer






















    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f40637613%2fpassword-verify-always-return-false%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote



    accepted










    The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses






    share|improve this answer


























      up vote
      0
      down vote



      accepted










      The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses






      share|improve this answer
























        up vote
        0
        down vote



        accepted







        up vote
        0
        down vote



        accepted






        The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses






        share|improve this answer














        The error in my code is because of password = '$hash_pwd' condition in my where clause. When i retried row with given username and later verified password using php, it works as intended. I guess password hashed in php using password_hash() cannot be retrived and verified like encryption. Anyway thanks for all of yours responses







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 12 at 5:25

























        answered Nov 11 at 23:09









        Rishad

        179110




        179110



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f40637613%2fpassword-verify-always-return-false%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            這個網誌中的熱門文章

            How to read a connectionString WITH PROVIDER in .NET Core?

            Node.js Script on GitHub Pages or Amazon S3

            Museum of Modern and Contemporary Art of Trento and Rovereto