This question already has an answer here:
I am having some problems with verifying password when users are logging in to my application - this is a work in progress and I am fully aware that the security isn't complete and is open to attack but it isn't published I am testing at the moment.
I have hashed the password using: password_hash($password, PASSWORD_DEFAULT);
I am now looking to verify this but my script seems to fail and I know where but am not sure what I need to change in order for the verification to happen as I have changed from procedural to OOP.
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$query = "SELECT * FROM users WHERE (email = '". $email ."') AND password = '". $password ."'" ;
$result = $con->query($query);
if ($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
if (password_verify($password, $row['password'])) {
$_SESSION['email'] = $email;
$_SESSION['id'] = $id;
$row = mysqli_fetch_assoc($result);
$_SESSION['email'] = $row['email'];
$_SESSION['id'] = $row['id'];
header('Location: ../dashboard/index');
}else{
header('Location: ../index.php?message=Email address or password is incorrect');
}
}
I know that the script is failing inside of the if statement where the verification happens as it serves me a blank page on the login script file (above). I simply echoed out 'hi' to test and it is the session scrip that seems to be the issue here.
</div>
