I'm trying to add Phpass to my website but no matter what I do I can't get the $check boolean to return true to let me actually log in, So far I've managed to encrypt my password with it and store it on the database but checking against it is failing.
<?php
if(isset($_POST['Login'])){
$EM = $_POST['Email'];
// Password from form input
$PW = $_POST["Password"];
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }
// Just in case the hash isn't found
$stored_hash = "*";
// Retrieve the hash that you stored earlier
$stored_hash = "this is the hash we stored earlier";
// Check that the password is correct, returns a boolean
$check = $hasher->CheckPassword($PW, $stored_hash);
if ($check) {
// passwords matched! show account dashboard or something
$result = $con->query("select * from user where Email='$EM' AND Password='$PW'");
$row = $result->fetch_array(MYSQLI_BOTH);
session_start();
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
} else {
// passwords didn't match, show an error
header('Location: Fail.php');
}
}
Because I've been trying to add to an existing login I wonder if I have excess code which is just breaking it? Or maybe I just messed it up all together as no matter what I try when logging in the only thing that will load is
header('Location: Fail.php');:|
Thanks in advance!
Edit: Right, I have a register file that saves the hashed password to the database:
if(isset($_POST['Register'])){
session_start();
$FName = $_POST['First_Name'];
$LName = $_POST['Last_Name'];
$Email = $_POST['Email'];
// In this case, the password is retrieved from a form input
$PW = $_POST["Password"];
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }
// The $hash variable will contain the hash of the password
$hash = $hasher->HashPassword($PW);
if (strlen($hash) >= 20) {
// Store the hash somewhere such as a database
// The code for that is up to you as this tutorial only focuses on hashing passwords
$sql = $con->query("INSERT INTO user (Fname, Lname, Email, Password)Values('{$FName}','{$LName}', '{$Email}', '{$hash}')");
} else {
// something went wrong
}
echo $hash;
// $StorePassword = password_hash($PW, PASSWORD_BCRYPT, array('cost' => 10));
header('Location: Login.php'); //Redirect here when registering
And then I wish to read it from the database, compare it to the password entered etc.
How do I pull that info from the mysqli db to compare it? and hopefully make it work?
This is the tutorial I was following: https://sunnysingh.io/blog/secure-passwords
if(isset($_POST['Login'])){
$EM = $_POST['Email'];
// Password from form input
$PW = $_POST["Password"];
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }
$result = $con->query("select * from user where Email='$EM'");
$row = $result->fetch_array(MYSQLI_BOTH);
if ($row) {
// Check that the password is correct, returns a boolean
$check = $hasher->CheckPassword($PW, $row['Password']);
if ($check) {
// passwords matched! show account dashboard or something
session_start();
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
exit;
}
}
// passwords didn't match, show an error
header('Location: Fail.php');
}