php - Trouble matching login password with stored hashed password in database -


i new php , mysql , working on registration/login form project build knowledge bit stuck, hope can help.

i have database on phpmyadmin , registration form searches see if email address exists if not insert information database. works fine. have login form searched email address , password see if matched in database, if log in. worked fine.

my issue came when started learn password salts/hashing. can still register okay when try login details in database doesn't seem match passwords allow me log in.

register.php

 <?php error_reporting(e_all); require 'db_connect.php';  // stores information submitted form via $_post variable  // if request method in form post execute following code (read                 submitted information - send email  , redirect header location // if not post skip code block , show blank contact form if ($_server["request_method"] == "post") {      $fname = trim($_post["fname"]);     $lname = trim($_post["lname"]);     $cname = trim($_post["cname"]);     $email = trim($_post["email"]);     $pass1 = trim($_post["pass1"]);     $pass2 = trim($_post["pass2"]);  // validations   // required fields must entered if ($fname == "" or $lname == "" or $email == "" or $pass1 == "" or $pass2 == "") {     $error_message = "you must fill in required fields.";  }  // password must contain 6 characters min if (strlen($pass1) < 6) {        $error_message = "password must @ least 6 characters long";  } //passwords must match each other if ($pass1 != $pass2) {    $error_message = "passwords not match"; }   // hash , salt password - password_default uses php default hashing algorithm -  // cost expense used generate hash (higher number more secure slower page load)  $password_save = password_hash($pass1 . salt , password_default, array('cost' => 10 ));  // if there's not previous error message run database query if email address entered matches in database. if (!isset ($error_message)){   $query = "select * registration_tbl email = '".$email."'";   $query_run = mysqli_query($dbc, $query);    // if query locates more 0 (i.e 1+) records matching email addresses echo out error   // else insert new form data in database , echo success message         if (mysqli_num_rows($query_run)>0) {        $error_message = "email address ".$email." registered";   } else {     $sql = "insert registration_tbl (first_name,last_name,company_name,email,password,reg_datetime) values ('".$fname."','".$lname."','".$cname."','".$email."','".$password_save."', now())";     $query_run = mysqli_query($dbc, $sql);         echo "registration successful";     } }

login.php

<?php error_reporting(e_all); require 'db_connect.php';  if ($_server["request_method"] == "post") { $email = trim($_post["email"]); $pass = trim($_post["pass"]);      // validations  // both fields must entered log in         if($email == "" or $pass == "") {     $error_message = "both fields must completed "; }  $hashandsalt = password_hash($pass . salt, password_default, array('cost' => 10 ));  // if no error message set - send query database records in registration_tbl email matches 1 in database // if query returns less 1 record (i.e no matches in database) show error message // else if found in database save login details session variables , // redirect logged-in.php page    if (!isset ($error_message)) {     $query = "select * registration_tbl email ='".$email."'";     $query_run = mysqli_query($dbc, $query);     if (mysqli_num_rows($query_run)<1 ){         $error_message = "your login details not match, please double check , try again1";     } else {         while($row = mysqli_fetch_array($query_run)) {         echo ($row['password']) ."<br>";         echo $pass ."<br>";         echo $hashandsalt;              if (password_verify($pass, $hashandsalt)){                 $_session['firstname'] = $row['first_name'];                 $_session['lastname'] = $row['last_name'];                 $_session['email'] = $row['email'];                 $_session['password'] = $row['password'];                 $_session['id'] = $row['id'];                 header("location: logged-in.php");             } else {                 $error_message = "your login details not match, please double check , try again";             }         }     } } } ?>  <div class="wrapper">  <?php  if(!isset ($error_message)) {     echo '<p>please complete log in details </p>';     } else {     echo $error_message;  } ?> <form method="post" action="login.php">     <table>         <tr>             <th>                 <label for="email"> email address </label>             </th>             <td>                 <input type="email" name="email" id="email" value="<?php if(isset($email)) { echo htmlspecialchars($email); } ?>">             </td>         </tr>         <tr>             <th>                 <label for="pass"> password </label>             </th>             <td>                 <input type="password" name="pass" id="pass">             </td>         </tr>      </table>     <input type="submit" value="log in"> </form>

the results of 3 echos have in login.php

echo ($row['password']) ."<br>";

this 1 show hashed password database

        echo $pass ."<br>";

this 1 show whatever password entered 

        echo $hashandsalt;

this 1 shows new hashed password differs each time page refreshed

this query missing not allowing password entered match stored hashed password.

i have scoured internet including number of stack overflow posts can't quite seem figure out have done wrong. first post hope posting enough information you.

any ideas guys?

p.s know need add mysqli_real_escape_string - next job after figuring 1 out :ve

to verify password need check stored password-hash database. there no need call password_hash() in login.php.

login.php

if (password_verify($pass, $row['password']))

also there no need add salt before hashing, function password_hash() add automatically.

register.php

$password_save = password_hash($pass1, password_default, array('cost' => 10 ));

Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more