
I made a simple register-login service with PHP and MySQL, but when I try to log in, it fails even though I entered the correct ID and password.

I'm not sure, but I think password_verify() is the trouble.

The structure of my database is here:

idx, int(10), AUTO_INCREMENT
id, varchar(255)
password, varchar(255)
email, varchar(255)

The signup process is here:

<?php

    header('Content-Type: text/html; charset=utf-8');

    $conn = mysqli_connect("localhost", "luminous", "***password***", "luminous");
    
    $id = $_POST['id'];
    $hashedPassword = password_hash($_POST['password'], PASSWORD_DEFAULT);
    $email = $_POST['email'];

    $query = "INSERT INTO member (id, password, email) VALUES('$id', '$hashedPassword', '$email')";
    
    $result = mysqli_query($conn, $query);

    if ($result === false)
    {
        echo "Failed to store.";
        echo mysqli_error($conn);
    }
    else
    {
?>
        <script>
            alert("Welcome, you've joined my service.");
            // location.href = "../index.php";
        </script>

<?php

    }

?>

The login process is here:

<?php

    header('Content-Type: text/html; charset=utf-8');

    $conn = mysqli_connect("localhost", "luminous", "***password***", "luminous");

    $id = $_POST['id'];
    $password = $_POST['password'];

    $query = "SELECT * FROM member WHERE id ='$id'";
    $result = mysqli_query($conn, $query);

    $row = mysqli_fetch_array($result);
    $hashedPassword = isset($row['password']) ? $row['password'] : false;

    $passwordResult = password_verify($password, $hashedPassword);
    print_r($passwordResult);
    // if ($passwordResult === true)
    if($passwordResult === true)
    {

        session_start();
        $_SESSION['id'] = $row['id'];

    ?>

<script>
    alert("Login successful.")
    location.href = "../index.php";
</script>

<?php

    } else {
    echo "wrong!!!";
?>

<script>
    alert("Login failed.");
    location.href = "../index.php";
</script>

<?php
    }
?>

P.S. I registered a test account for examination (ID: lumes, password: lumes, email: lumes@lumes.kr), and I checked whether my database returns the right information, but it seems there's no problem with the database because it returned the exact information.

0 : 9
idx : 9
1 : lumes
id : lumes
2 : $2y$10$LSjBJGmNMlyY12RU4NTnked3i26i5o7MIWnJ8slu0Y4FWH84vb6o.
password : $2y$10$LSjBJGmNMlyY12RU4NTnked3i26i5o7MIWnJ8slu0Y4FWH84vb6o.
3 : lumes@lumes.kr
email : lumes@lumes.kr

What can I do to fix this problem? I need some help.

Thank you.

(I ask for your understanding even though I am not good at asking questions...!)

Garam Lee
  • What message do you get? You have `alert("Failed to login.")` even when it logs in OK. – Nigel Ren Jan 31 '22 at 06:43
  • Ah, sorry, I wrote my code `successful` to `fail`. Edited my question. But I don't think that's the cause of my problem that I can't log in unconditionally. – Garam Lee Jan 31 '22 at 10:54
  • You are not using a prepared statement. You are passing `$hashedPassword` directly into a double quoted sql string. This will potentially mutate the string. Please practice more modern, secure, and stable querying techniques. – mickmackusa Jan 31 '22 at 11:00
  • Did you see anything in your error logs complaining of undefined variable `$LSjBJGmNMlyY12RU4NTnked3i26i5o7MIWnJ8slu0Y4FWH84vb6o`? – mickmackusa Jan 31 '22 at 11:03
  • I tried to find out why it didn't work for 10 hours and finally solved it myself. It was a typo in another HTML file, so `$_POST['password']` got a null value and maybe it denied the login procedure... But still, I'm not sure how PHP sends the right hash value even though I sent NULL... Anyway, be careful of any typing mistake, it's so horrible... – Garam Lee Jan 31 '22 at 11:20

1 Answer

This may help you: "php password_verify not working with database"

Check whether the hash is getting stored in the database properly or not. Dump the hash you are getting from the database and the hashed password and check whether they are the same or not.

  • When a pre-existing page resolves a question, please flag to close as a duplicate (if you can), but do not answer duplicates because this makes it harder for human & non-human content curators to do routine housekeeping. – mickmackusa Jan 31 '22 at 11:05
  • Thank you for answering my question. The hash wasn't getting in my database properly because I kept sending the `NULL` value from my typing mistake. Even though the link you attached was not the same as my problem exactly, it reminded me to check whether the value goes too accurately. Thank you and have a nice day. – Garam Lee Jan 31 '22 at 11:23
  • @GaramLee Glad to know you got your solution. – Shalini Singh Feb 01 '22 at 05:35
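
One way to write the signup and login steps so that a missing form field and string-built SQL both fail safely, as an added example that is not the poster's code. It uses PDO prepared statements with an in-memory SQLite database standing in for the MySQL `member` table (an assumption), and `field()`, `register()` and `login()` are hypothetical helper names.

```php
<?php
declare(strict_types=1);
// Assumption: in-memory SQLite via PDO stands in for the page's MySQL `member` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (idx INTEGER PRIMARY KEY AUTOINCREMENT,
           id VARCHAR(255) UNIQUE, password VARCHAR(255), email VARCHAR(255))');

// Return the field only if it was submitted as a non-empty string. A typo in the
// form's name="..." attribute leaves the key unset, so it is caught here.
function field(array $post, string $name): ?string
{
    $v = $post[$name] ?? null;
    return (is_string($v) && $v !== '') ? $v : null;
}

function register(PDO $db, array $post): bool
{
    [$id, $pw, $email] = [field($post, 'id'), field($post, 'password'), field($post, 'email')];
    if ($id === null || $pw === null || $email === null) {
        return false;   // refuse to hash and store a missing password
    }
    // Placeholders keep user input out of the SQL text.
    $stmt = $db->prepare('INSERT INTO member (id, password, email) VALUES (?, ?, ?)');
    return $stmt->execute([$id, password_hash($pw, PASSWORD_DEFAULT), $email]);
}

function login(PDO $db, array $post): bool
{
    [$id, $pw] = [field($post, 'id'), field($post, 'password')];
    if ($id === null || $pw === null) {
        return false;   // missing field: fail before querying
    }
    $stmt = $db->prepare('SELECT password FROM member WHERE id = ?');
    $stmt->execute([$id]);
    $hash = $stmt->fetchColumn();   // false when the id does not exist
    return is_string($hash) && password_verify($pw, $hash);
}

// Constructed sample requests standing in for $_POST.
$good = ['id' => 'lumes', 'password' => 'lumes', 'email' => 'lumes@lumes.kr'];
$typo = ['id' => 'lumes', 'pasword' => 'lumes'];   // misspelled field name

var_dump(register($db, $good), login($db, $good), login($db, $typo));
// A hash of the empty string is well-formed but does not verify the real password.
var_dump(password_verify('lumes', password_hash('', PASSWORD_DEFAULT)));
```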