How to make login system with password_verify to work?

Hi,

I have been working on a PHP/MySQL register/login system for like a week and I am truly having an issue with the PHP password_hash and password_verify functions… The register worked and the login with password_verify keeps failing and I do not understand why… Could somebody help out? I really am desperate.

Login part… what I am trying to achieve: 1- it checks if the email is empty or not and if it is a valid email… 2- it checks if the password is empty or not. 3- if both $email and $password are OK… it makes a connection to the db… then a- it checks if the email exists in table users, if not it requires to register… b- if the user exists in the db, then it verifies if the $password is the same as the password in the db… if it is a valid password… it echoes “valid”… and if not a valid password… it echoes “invalid email/password”… that is what I am trying to achieve…

Here i am posting the full code:

db design

[php]id(auto_increment/primary key)
email(unique, varchar)
password(varchar, 255)[/php]

register.php

[php]<?php
$email = $password = "";
$emailErr = $passwordErr = "";
if (isset($_POST['submit'])) {
    // validate the email field
    if (empty($_POST['email'])) {
        $emailErr = "Enter your email";
    }
    elseif (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === FALSE) {
        $emailErr = "Invalid email";
    }
    else
    {
        $email = trim($_POST['email']);
    }

    // validate the password field
    if (empty($_POST['password'])) {
        $passwordErr = "Enter your password";
    }
    elseif (strlen($_POST['password']) < 3) {
        $passwordErr = "password must 4 length least";
    }
    else
    {
        $password = trim($_POST['password']);
    }

    // if everything is filled correct connect
    if ($email && $password)
    {
        include_once 'connect.php';

        // count the rows that already use this email
        $sql = "SELECT COUNT(users.email) FROM users WHERE email = :email";
        $s = $pdo->prepare($sql);
        $s->bindValue(':email', $email);
        $s->execute();

        $result = $s->fetch(PDO::FETCH_NUM);
        $resultvalue = $result[0];

        //if email exist, stop the script
        if ($resultvalue > 0) {
            echo "Email already exist";
            exit();
        }
        // if email not exist insert it
        else
        {
            $sql = "INSERT INTO users (email,password) VALUES (:email, :password)";
            $stmt = $pdo->prepare($sql);
            $stmt->bindValue(':email', $email);
            // store only the hash, never the plain password
            $stmt->bindValue(':password', password_hash($password, PASSWORD_DEFAULT));

            // execute() returns false when the insert fails
            if ($stmt->execute()) {
                echo "Values inserted";
                exit();
            }
            else
            {
                echo "Insert values failed";
                exit();
            }
        }
    }
    //if everything is not filled correct connect
    else
    {
        $proceedErr = "Could not proceed";
    }
}//submit

?>

Register page form p label { display: block; }

em
{
color: red;
font-style: normal;
}

<?php if (isset($proceedErr)) { echo $proceedErr; } ?>

Email : <?php if(isset($emailErr)) echo $emailErr;?>

Password : <?php if(isset($passwordErr)) echo $passwordErr;?>

[/php]

login.php

[php]<?php
$emailErr = $passwordErr = "";
$email = $password = "";

if (isset($_POST['submit'])) {
    // validate the email field
    if (empty($_POST['email'])) {
        $emailErr = "Enter your email";
    }
    elseif (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === FALSE) {
        $emailErr = "Enter valid email";
    }
    else
    {
        $email = trim($_POST['email']);
    }

    // validate the password field
    if (empty($_POST['password'])) {
        $passwordErr = "Enter your password";
    }
    else
    {
        $password = trim($_POST['password']);
    }

    if ($email && $password)
    {
        include_once 'connect.php';

        // look up the row for this email
        $sql = "SELECT user_id,email, password FROM users WHERE email = :email";
        $s = $pdo->prepare($sql);
        $s->bindValue(':email', $email);
        $s->execute();

        $result = $s->fetch(PDO::FETCH_ASSOC);
        $resultvalue = count($result['email']);

        print_r($result);

        //if email do not exist, stop the script
        if ($resultvalue < 1) {
            echo "Your email do not exist, please register";
            exit();
        }
        // compare the submitted password with the stored hash
        elseif (password_verify($password, $result['password'])) {
            echo "valide password / email";
            exit();
        }
        else
        {
            echo "InValid email / password";
            exit();
        }
    }
    else
    {
        echo "Email / password do not match";
    }

}// end submit

?>

Login page form p label { display: block; }

em
{
color: red;
font-style: normal;
}

Email : <?php if(isset($emailErr)) echo $emailErr;?>

Password : <?php if(isset($passwordErr)) echo $passwordErr;?>

[/php]

I copy / pasted your code and table and it seems to work just fine here.

I get “not registered message if I try to login with an unregistered email”

I get “invalid email/password” if I try to login with an invalid password

and I get “valid email/password” when I should

Do you use Docker or Vagrant or similar? If you can recreate it there so we can test on the same system it might be easier to debug.

You named the id, ‘id’, but your query is looking for user_id

seems like I did make a change! man, those redundant duplicate column names… changing what Kevin points out should fix the issue (as I have auto-corrected it, I guess) and it works for me :slight_smile:

[quote]Your email do not exist, please register[/quote]

OP, Messages like that are a security risk.

@JimLM I just cannot believe it… you have not modified my code? You just copy and paste… Because the problem I have with my code is: when I enter a wrong password, the script still outputs valide email/password. That is my concern. I use Sublime Text and WAMP Server 2.5 with PHP 5.5.12.

[member=46186]Kevin Rubio[/member] which part are you talking about in the code… I cannot find it… the [php]'id'[/php] you are talking about… could you please stress that?

I didn't say the problem was with id, it is with user_id

$sql = "SELECT[size=18pt] user_id[/size],email, password FROM users WHERE email = :email";

There is no user_id column in your database.

[quote]I just cannot believe it… you have not modified my code?[/quote]

He said he modified it.

[quote]seems like I did make a change![/quote]

[member=46186]Kevin Rubio[/member] OK, I see… it is ‘user_id’ instead of ‘id’… I wanted to modify the db… but it seems like that is not possible.

Yes, it's possible, but you don't need to do that. Just change user_id to id in your query.
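
The two points raised in the thread, put together as an added example that is not the original poster's code: the query selects `id`, the column that actually exists, and both failure cases return the same message, so the response does not reveal which emails are registered. It assumes PHP 7.1+ with pdo_sqlite; the in-memory table, the sample account, `login()` and `DUMMY_HASH` are constructed for illustration and stand in for the thread's connect.php.

```php
<?php
// Added example: in-memory SQLite table with the thread's column layout
// (id, email, password) and one constructed sample account.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors, so a query naming a missing column fails loudly.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email VARCHAR(255) UNIQUE,
    password VARCHAR(255))');
$ins = $pdo->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
$ins->execute([
    ':email'    => 'alice@example.com',
    ':password' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// Hash of a throwaway value. It is verified when the email is unknown,
// so both failure paths do the same amount of work.
define('DUMMY_HASH', password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT));

/** Returns the user's id on success, or null on any failure. */
function login(PDO $pdo, string $email, string $password): ?int
{
    $s = $pdo->prepare('SELECT id, password FROM users WHERE email = :email');
    $s->execute([':email' => $email]);
    $row = $s->fetch(PDO::FETCH_ASSOC);         // false when no row matches

    $hash = $row ? $row['password'] : DUMMY_HASH;
    $ok   = password_verify($password, $hash);  // runs on every attempt

    return ($row && $ok) ? (int) $row['id'] : null;
}

// One message covers both "unknown email" and "wrong password".
$attempts = [
    ['alice@example.com',  'correct horse'],
    ['alice@example.com',  'wrong'],
    ['nobody@example.com', 'correct horse'],
];
foreach ($attempts as [$email, $password]) {
    $id = login($pdo, $email, $password);
    echo $email, ': ', $id !== null ? 'Logged in' : 'Invalid email or password', PHP_EOL;
}
```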
