-1

Greetings, I have a basic register/login form and just used password_hash to store hashes in the db. I'm having an issue with checking the password on login.

Tried not to overcook my brain :)

<?php
    session_start();

    require_once 'conn.php';

    if(ISSET($_POST['login'])){
        // Both fields must be filled in before querying
        if($_POST['user_name'] != "" && $_POST['password'] != ""){
            $username = $_POST['user_name'];
            $password = $_POST['password'];
            $sql = "SELECT * FROM `users` WHERE `user_name`=? AND `password`=? ";
            $query = $conn->prepare($sql);
            $query->execute(array($username,$password));
            $row = $query->rowCount();
            $fetch = $query->fetch();
            if($row > 0) {
                $_SESSION['user'] = $fetch['user_id'];
                header("location: home.php");
            } else{
                echo "<script>alert('Detalii Incorecte'); window.location='login.php'</script>";
            }
        }else{
             echo "<script>alert('Completeaza tot!'); window.location='login.php'</script>";
        }
    }
?>

OK, what am I missing here? This works perfectly when I store plaintext... when I apply password_hash, I have difficulty "rewriting" my code to match the hashed password from the column.

B4ub4u
  • 1
    A 500 error is a generic error message and covers pretty much every single thing that can go wrong with a script. Check your server error logs to find out the exact error message. – aynber Jun 26 '19 at 15:04
  • 1
    The obvious error I see here is that `$hashed` is not created before you try to use it. – aynber Jun 26 '19 at 15:04
  • 1
    Also `$row` is a number, and email should be quoted in a query. – u_mulder Jun 26 '19 at 15:07
  • 1
    Why are you preparing the statement without binding the email? – CD001 Jun 26 '19 at 15:28
  • Wow.. thanks for the replies.. but too many gaps for me to answer everyone :D. Anyway, $hashed is supposed to be in the register file, right? There I hashed the password. About $row, I thought it would check whatever value it contains. Any explanation is welcome. I consulted https://www.php.net/manual/en/function.password-verify.php but, honestly, I don't get it.... yet. Thank you – B4ub4u Jun 26 '19 at 15:43
  • This code has so many issues I don't know where to start. Enable PHP error reporting and try to fix the obvious ones yourself first. – Dharman Jun 26 '19 at 15:45
  • OK @Dharman, you seem to be the critic here, and I like it. I don't need someone to write it for me, just give the proper explanation so I can learn. Thanks – B4ub4u Jun 26 '19 at 15:50
  • OK... one error left.. undefined variable hashed... how should I call it? I don't get it... call from where? I used it in register.. pfffff – B4ub4u Jun 26 '19 at 15:57

1 Answer

-1
<?php

session_start();
require 'conn.php';

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

if($_SERVER["REQUEST_METHOD"] == "POST"){
    $maile = $_POST["maile"];
    $password = $_POST["password"];

    $con = mysqli_connect('localhost','u3970232106_donat','jesu');

    $query = "SELECT * FROM `users` WHERE `maile` = '$maile'";
    $result = mysqli_query($con, $query);
    $hashed = password_hash($password, PASSWORD_DEFAULT);

    if(password_verify($_POST["password"],$hashed)) {
        header("location: home.php");
    }else{
        echo 'wrong';
    }
}
?>

Fixed!!! But anyway, most of the posts here say "NOT REQUIRED TO PUT password_hash IN LOGIN.PHP"... That was all the time ...

B4ub4u
  • fo off.... how is that possible... it was working perfectly... and now no more.. and no error.. it just redirects me to login... and there wtf – B4ub4u Jun 26 '19 at 16:12
  • You have a SQL injection in this code. Variables `$maile` and `$password` are passed directly to a database. – Michas Jun 26 '19 at 16:22
  • Thanks for the warning. The project will stay offline until I do it properly. Unfortunately I started with old examples, but before PDO or MYSQLI I get dirty with the beginning... and finally, hope to understand better "how it works" – B4ub4u Jun 26 '19 at 20:40
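
An added example, not part of the original question or answer: the login check with the row looked up by user name through a prepared statement and the submitted password compared with password_verify() against the hash stored at registration, instead of matching the password in the WHERE clause or hashing it again at login. The in-memory SQLite database (needs pdo_sqlite), the check_login() helper and the sample account are assumptions so the snippet runs on its own; table and column names follow the question.

```php
<?php
// Added example. Assumptions: in-memory SQLite through PDO, a constructed
// sample account, and a hypothetical helper named check_login().
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, password TEXT)');

// Registration side: password_hash() is called once here and only the hash is stored.
$insert = $conn->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns the user_id on success, null on failure.
function check_login(PDO $conn, string $username, string $password): ?int
{
    // Select by user name only. Each hash carries its own random salt, so
    // a "AND password = ?" comparison in SQL can never match.
    $query = $conn->prepare('SELECT user_id, password FROM users WHERE user_name = ?');
    $query->execute([$username]);
    $row = $query->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a throwaway hash so both paths do similar work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $stored = $row ? $row['password'] : $dummy;

    // password_verify() reads algorithm, cost and salt from the stored hash.
    if (!password_verify($password, $stored) || !$row) {
        return null;
    }

    // Re-hash transparently if the default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $update = $conn->prepare('UPDATE users SET password = ? WHERE user_id = ?');
        $update->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return (int) $row['user_id'];
}

// Constructed checks: correct password, wrong password, unknown user.
var_dump(check_login($conn, 'alice', 'correct horse'));
var_dump(check_login($conn, 'alice', 'wrong'));
var_dump(check_login($conn, 'nobody', 'correct horse'));
```

In a login page, a non-null result is the point to call session_regenerate_id(true), set $_SESSION['user'], send the Location header and exit.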