I'm in the process of implementing password_verify as part of a login page.
I've started with plaintext to test everything works, which it did, and then have gone through to hash passwords on registration page with password_hash and then add password_verify on the login page.
Passwords are being successfully hashed, which I've checked through PHPMyAdmin, but I can't get my code to work on the registration page to check them.
Below is the code on the login page relating to pulling the row and testing it:
if (empty($error))//if the array is empty , it means no error found
{
$query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if(!$result_check_credentials){//If the QUery Failed
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull
{ // A match was made.
$row = mysqli_fetch_row($query_check_credentials);
$password = $row[3];
$verify = password_verify($_POST['Password', $password]);
if ($verify) {
$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
header("Location: page.php");
}
}else
{
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
Column number 4 is the password in the DB and so in the array, password should be value 3 in the array.
I've spent time looking at examples of it being used but having no luck, any help appreciated!
Full PHP code
<?php
include ('database_connection.php');
if (isset($_POST['formsubmitted'])) {
// Initialize a session:
session_start();
$error = array();//this aaray will store all error messages
if (empty($_POST['e-mail'])) {//if the email supplied is empty
$error[] = 'You forgot to enter your Email ';
} else {
if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
$Email = $_POST['e-mail'];
} else {
$error[] = 'Your EMail Address is invalid ';
}
}
if (empty($_POST['Password'])) {
$error[] = 'Please Enter Your Password ';
} else {
$Password = $_POST['Password'];
}
if (empty($error))//if the array is empty , it means no error found
{
$query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if(!$result_check_credentials){//If the QUery Failed
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull
{ // A match was made.
$row = mysqli_fetch_row($query_check_credentials);
$password = $row[3];
$verify = password_verify($_POST['Password', $password]);
if ($verify) {
$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
header("Location: page.php");
}
}else
{
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
} else {
echo '<div class="errormsgbox"> <ol>';
foreach ($error as $key => $values) {
echo ' <li>'.$values.'</li>';
}
echo '</ol></div>';
}
if(isset($msg_error)){
echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);
} // End of the main Submit conditional.
?>