
For some reason when I use mysqli prepared statements to select values from a database, they don't seem to work. The attached code is supposed to scan a database for a username and a password, and in case they match, display a message.

I've tried many solutions from Stack Overflow, but none seem to work for me. For some reason the $hash in the if (password_verify($password, $hash)) doesn't receive the value it should from the database.

Here is the code:

```php
if (isset($_POST['submit'])) {
    $dbc = mysqli_connect('localhost', 'root', '', 'users') or die('Error connecting to MySQL server.' . mysqli_connect_error());

    if ($dbc) {
        if (isset($_POST["submit"])) {

            $user = $_POST["usern"];
            $password = $_POST["pass"];
            $query = "SELECT username, password FROM user_db WHERE username = ? AND password = ?";
            $stmt = mysqli_stmt_init($dbc);

            if (mysqli_stmt_prepare($stmt, $query)) {
                // $hash has no value yet at this point; it is only assigned by bind_result/fetch below
                mysqli_stmt_bind_param($stmt, 'ss', $user, $hash);
                mysqli_stmt_execute($stmt);
                mysqli_stmt_store_result($stmt);
                mysqli_stmt_bind_result($stmt, $username, $hash);
                mysqli_stmt_fetch($stmt);

                if (password_verify($password, $hash)) {
                    echo "Login successful";
                } else {
                    echo "Wrong username or password";
                }

                mysqli_stmt_close($stmt);
            }
        }
    }
    mysqli_close($dbc);
}
```

Edit: The issue was solved by removing AND password = ? from the statement and the $hash from the mysqli_stmt_bind_param() function. The answers from @aynber and @Dharman helped a lot, along with this answer

Bruno
    Your statement is executing, just not finding any results. The stored password should be hashed, which means that it won't match whatever you're passing in. Query only the username, and the password_verify will take care of the rest. Make sure you actually have a result before you attempt to verify it. – aynber Jun 16 '22 at 18:52
  • The code you need is just a [few lines](https://phpdelusions.net/mysqli/password_hash) – Your Common Sense Jun 16 '22 at 19:32
  • Thank you so much @aynber if I query just for a username, it gives me its value, but how do I check if the password matches the entered one if I don't query for it? – Bruno Jun 16 '22 at 19:33
  • what about password_verify function? Why did you write it here? – Your Common Sense Jun 16 '22 at 19:35
  • @Dharman they are stored using the password_hash(), but I don't know how to get the hashed password out of the database because the query doesn't get the hashed password into the `$hash` variable – Bruno Jun 16 '22 at 19:45
  • @YourCommonSense The password_verify is here because the password has been encrypted so I thought using it would be necessary – Bruno Jun 16 '22 at 19:57
  • Yes it would. But why are you asking "how do I check if the password matches?" if you yourself wrote the function that **does exactly that**. I don't understand your question. – Your Common Sense Jun 16 '22 at 20:00
  • Ok, I didn't notice `password_verify()`. One thing to make it straight. `password_hash` doesn't encrypt passwords. It creates a secure hash of the password which you then store in the database instead of the actual password. When the user logs in you fetch the hash associated with the account and using `password_verify` you verify that it matches the entered password. Just remove `AND password = ?` and your code should work – Dharman Jun 16 '22 at 20:12
  • @Dharman Okay your explanation clears up a lot of things for me. Thank you so much. I have done it and it's solved the issue – Bruno Jun 16 '22 at 20:20
  • @YourCommonSense I didn't understand why the variable wasn't getting the value of the hash from the database and since I am new to PHP I didn't know which questions to ask right away. I've removed the `AND password = ?` and the $password parameter in the `mysqli_stmt_bind_param()` function and it solved the issue. I apologise for the misunderstanding and thanks for your answer – Bruno Jun 16 '22 at 20:25
  • Read this for clearer understanding: https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords – ADyson Jun 16 '22 at 22:13
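The fix the comments converge on, written out as an added example (not the asker's code or the linked answers): look the row up by username only, let `password_verify()` compare the submitted password with the stored hash, and treat "no row" as a failed login rather than passing an empty `$hash` to the verifier. It assumes the same `user_db(username, password)` table, with the `password` column holding `password_hash()` output.

```php
<?php
// Added example. Assumes table user_db(username, password) where `password`
// stores the output of password_hash(), as described in the comments above.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently

function verify_login(mysqli $dbc, string $user, string $password): bool
{
    // Only the username goes into the WHERE clause: the database cannot match
    // a plaintext password against a bcrypt/argon hash, so don't ask it to.
    $stmt = mysqli_prepare($dbc, 'SELECT password FROM user_db WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $user);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt); // true when a row was fetched, null when none exists
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        // Unknown user: still run one hash verification (against a throwaway hash computed
        // once) so the response time does not reveal which usernames exist.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Registration side, for completeness: store the hash, never the password itself.
function create_user(mysqli $dbc, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($dbc, 'INSERT INTO user_db (username, password) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $user, $hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Form handling mirroring the asker's field names.
if (isset($_POST['submit'])) {
    $dbc = mysqli_connect('localhost', 'root', '', 'users');
    echo verify_login($dbc, $_POST['usern'], $_POST['pass'])
        ? 'Login successful'
        : 'Wrong username or password';
    mysqli_close($dbc);
}
```

Checking `mysqli_stmt_fetch()`'s return value is what the original code was missing: with no matching row, `$hash` stays empty and `password_verify()` silently returns false, which looks like "the bind is not working".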

0 Answers