I have a question, after using this stack post to solve a password_verify issue: How to use password_verify function in PHP
Say I have this login form:
<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'GET') { ?>
<form id="signin_frm" name="signinFrm" action="<?php echo htmlentities($_SERVER['SCRIPT_NAME']) ?>" method="post">
<label class="label-first" for="email">Email</label>
<input id="email" type="email" name="login_email" placeholder="Someone@example.com" required>
<label for="pswd">Password</label>
<input id="pswd" type="password" name="login_password" placeholder="Password" required>
<fieldset>
<input class="btn" type="submit" value="Sign-Up">
</fieldset>
</form>
<?php } else {
$email = $_POST['login_email'];
$password = $_POST['login_password'];
$find_pswd = "SELECT password FROM UserLogin WHERE email = '$email';";
$query = mysqli_query($link, $find_pswd);
while ($row = mysqli_fetch_array($query)) {
$user_pass = $row['password'];
$verify_pass = password_verify($password, $user_pass);
}
if ($verify_pass === false) {
echo "Invalid Password";
}
mysqli_free_result($query);
}
?>
If, through the MySQL query, I am already retrieving a singular value from the table, why is it necessary to use the while loop in order for password verification to work (password_verify() returning true)? Is there not a simpler way of doing this?
Prior to implementing the while loop, I had this:
<?php } else {
$email = $_POST['login_email'];
$password = $_POST['login_password'];
$find_pswd = "SELECT password FROM UserLogin WHERE email = '$email';";
$query = mysqli_query($link, $find_pswd);
$pswd_fetch = mysqli_fetch_array($query);
if (password_verify($password, $pswd_fetch) === false) {
echo "Invalid Password";
}
mysqli_free_result($query);
}
?>
Thank you! Aside from this question, feel free to provide any other suggestions for improving this code. I am looking to keep the login fairly simple, as I am only providing the user a means to edit information that is not highly sensitive.
NOTE: The password in the database is hashed (BCrypt). Thanks to those who mentioned hashing!
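The following is an added example, not the asker's code, illustrating the loop-free lookup the question asks about. The reason the second version above fails is that mysqli_fetch_array() returns the whole row as an array (or null when no row matched), while password_verify() expects the hash string from the password column. One fetch is enough; the loop only happened to pull the string out via $row['password']. The example assumes the same $link connection and UserLogin table (columns email and password, bcrypt hash) as the question; the function names fetch_password_hash and check_login are my own, and the demonstration data at the bottom is constructed in-line with password_hash() so it runs without a database.

```php
<?php
declare(strict_types=1);

// Look up the stored hash for exactly one email address.
// Returns the hash string, or null when the address is unknown.
// A prepared statement keeps the submitted email out of the SQL text,
// unlike the string interpolation in the question.
function fetch_password_hash(mysqli $link, string $email): ?string
{
    $stmt = $link->prepare('SELECT password FROM UserLogin WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // array|null, never a bare string
    $stmt->close();
    return $row['password'] ?? null;           // pull the column out of the row
}

// The verification step needs only the hash string and the submitted password.
function check_login(?string $stored_hash, string $password): bool
{
    if ($stored_hash === null) {
        // Unknown email: still run one bcrypt comparison against a constructed
        // dummy hash so an unknown address is not noticeably faster to reject
        // than a wrong password for a known address.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('constructed-dummy-password', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $stored_hash);
}

// Demonstration with constructed data (no database needed): the hash is made
// here with password_hash(), exactly as the stored bcrypt value would be.
$stored = password_hash('correct horse', PASSWORD_BCRYPT);
var_dump(check_login($stored, 'correct horse'));
var_dump(check_login($stored, 'wrong password'));
var_dump(check_login(null, 'anything'));

// Wiring into the form handler from the question (assumes $link is a live mysqli connection):
// $hash = fetch_password_hash($link, $_POST['login_email']);
// if (!check_login($hash, $_POST['login_password'])) {
//     echo "Invalid Password";
// }
```

Two things worth keeping from this shape: the query is parameterised, so the email can no longer alter the SQL, and the missing-user case is handled explicitly instead of leaving $verify_pass undefined when the loop body never runs.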