
I've created a simple registration and login page. The problem occurs when I encrypt the password to store in the DB: I can't log in with the same details I registered with. I've tried to store the password without encrypting it and it works just fine.

signin-engine.php

<?php
// Same connection include as register-engine.php; $conn comes from here
include 'conn/conn.php';

if(isset($_POST['login'])){
    $username = $_REQUEST["username"];
    $pass = $_REQUEST["pass"];

    //$encrypted = password_hash($pass , PASSWORD_BCRYPT);

    // Looks up the row by comparing the submitted password directly with the stored column
    $query = "SELECT * FROM account_detail
    WHERE username = '$username'
    AND password = '$pass'";

    $result = mysqli_query($conn, $query);

    if(mysqli_num_rows($result)>0){
        header('location:status.php');
    } else {
        ?>
        <script>
            alert('Your account has not been registered. Please register an account first.');
            location='register.html';
        </script>
        <?php
    }
}

register-engine.php

<?php
include 'conn/conn.php';

if(isset($_POST['register'])){
    $username = $_REQUEST['username'];
    $pass = $_REQUEST['pass'];

    //$encrypted = password_hash($pass , PASSWORD_BCRYPT);

    // Stores the submitted password as-is in the password column
    $sql = "INSERT INTO account_detail
    (`username`, `password`)
    VALUES ('$username', '$pass')";

    if($conn->query($sql) === TRUE) {
        ?>
        <script>
            alert('Your registration have been accepted');
            location = 'index.html';
        </script>
        <?php
    } else {
        echo "Error: " . $sql . "<br>" . $conn->error;
    }
} else {
    ?>
    <script>
        alert('Password didnt match, please try again');
        location = 'register.html';
    </script>
    <?php
}
$conn -> close();
?>
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 21 '22 at 13:02
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 21 '22 at 13:02
  • Never encrypt passwords! Store only securely generated hash of the password. – Dharman May 21 '22 at 13:02
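The fix the comments point at, as an added example that is not part of the question or the comments: hash at registration, then at login fetch the stored hash by username alone and let `password_verify()` do the comparison, using mysqli prepared statements throughout. It assumes the question's `$conn` from `conn/conn.php` and its `account_detail` table; the hash check at the bottom runs with no database at all.

```php
<?php
// Added example, not the asker's code. Assumes $conn (mysqli) from the
// question's conn/conn.php and the account_detail(username, password) table.

// Registration: store only the bcrypt hash, never the password itself.
// password_hash() salts each call, so the same password gives a new string
// every time; that is intended, and it is why a SQL equality test can't work.
function register_user(mysqli $conn, string $username, string $pass): bool {
    $hash = password_hash($pass, PASSWORD_BCRYPT);
    $stmt = $conn->prepare(
        "INSERT INTO account_detail (`username`, `password`) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);   // bound, not interpolated
    return $stmt->execute();
}

// Login: select by username only, then compare with password_verify().
// The original login fails after hashing because it compares the stored
// hash against the raw (or freshly re-hashed) password inside WHERE.
function login_user(mysqli $conn, string $username, string $pass): bool {
    $stmt = $conn->prepare(
        "SELECT `password` FROM account_detail WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs mysqlnd
    // Unknown user and wrong password both return false: one generic failure.
    return $row !== null && password_verify($pass, $row['password']);
}

// Hashing behaviour on its own (no database needed):
$h1 = password_hash("hunter2", PASSWORD_BCRYPT);   // "hunter2" is a constructed sample
$h2 = password_hash("hunter2", PASSWORD_BCRYPT);
var_dump($h1 === $h2);                      // bool(false): different salts
var_dump(password_verify("hunter2", $h1));  // bool(true)
var_dump(password_verify("hunter2", $h2));  // bool(true)
var_dump(password_verify("hunter3", $h1));  // bool(false)
```

The login page's redirect logic can call `login_user($conn, $_POST['username'], $_POST['pass'])` in place of the `mysqli_num_rows()` test.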
