PHP Hashed login issue

I am having so much trouble trying to figure out why this password_verify isn't working. I wanted to have a basic hash in my user table for passwords. I can save them just fine from the addadmin.php, but when I try to login I can't get anything but "incorrect username or password". I have been at this for hours and maybe it's because I'm so tired and doing college work at 2 AM, but a pair of fresh eyes may help. Is there something I'm missing?

addadmin.php
left out unimportant stuff

  <body>
    <div class="container">
      <div class="row" style="height: 50px;"></div>
      <div class="row">
        <div class="col-2"></div>
        <div class="col-8">
          <div class="panel" style="width: 100%;">
            <div class="paneltitle">
              <h3 class="panelupdatetitle">Add an UltraCollective Administrator</h3>
            </div>
            <div class="panelbackground">

              <?php
                include "db.php";

                  if(isset($_POST["submit"])) {
                    $password = $_POST['pwd'];
                    $hashed_password = password_hash($password, PASSWORD_DEFAULT);

                    $sql = "INSERT INTO tbladmin (uname, pwd, creator)
                    VALUES ('".$_POST["username"]."','$hashed_password','$uname')";

                    if(mysqli_query($con, $sql)) {
                      $error = "New admin added!";
                    }
                    else {
                      $error = "Error: " . $sql . "<br>" . mysqli_error($con);
                    }
                  }
              ?>

              <form action="addadmin.php" method="POST">
                <div class="container">
                  <div class="row">
                      <?php 
                        echo"$error";
                      ?>
                    </div>
                  <div class="row">
                    <label class="panelupdatecontent">Username</label>
                  </div>
                  <div class="row">
                    <input type="text" id="uname" name="username" style="width: 50%;">
                  </div>
                  <div class="row">
                    <label class="panelupdatecontent">Password</label>
                  </div>
                  <div class="row">
                    <input type="password" id="pwd" name="password" style="width: 50%;">
                  </div>
                  <div class="row" style="height: 25px;"></div>
                    <div class="row">
                      <div class="col 5">
                        <button type="submit" name="submit">Add Admin</button>
                      </div>
                    </div>
                    <div class="row" style="height: 25px;"></div>
                </div>
              </form>

            </div>
          </div>
        </div>
      </div>
    </div>
  </body>

</html>

login.php from index.php POST

<?php
    session_start();

    include_once 'functions/db.php';

    $uname = $_POST['uname'];
    $pwd = $_POST['pwd'];

    $uname = trim($_POST['uname']);
    $pwd = trim($_POST['pwd']);

    $query = "SELECT * FROM tbladmin WHERE uname = '$uname'";
    $result = mysqli_query($con, $query) or die ("Verification error");
    $array = mysqli_fetch_array($result);
    
    if ($result == 1) {
        $query2 = "SELECT pwd FROM tbladmin WHERE uname = '$uname'";
        $result2 = mysqli_query($con, $query2);

        while ($row = mysqli_fetch_assoc($result2)) {
            $hash = $row['pwd'];
            if (password_verify($pwd, $hash)) {
                if ($array['uname'] == $uname){
                    $_SESSION['uname'] = $uname;
                    header("Location: home.php");
                }
                else{
                    echo '<script language="javascript">';
                    echo 'alert("Incorrect username or password")';
                    echo '</script>';
                    echo '<meta http-equiv="refresh" content="0;url=index.php" />';
                }
            }
            else {
                if (password_verify($pwd, $hash) == 1) {
                    echo "true";
                    echo "<br>";
                }
                else {
                    echo "false";
                    echo "<br>";
                }
                // **THIS IS WHERE I END UP**
                echo $hash;
                echo "<br>";
                echo "<br>";
                echo '<script language="javascript">';
                echo 'alert("Incorrect username or password")';
                echo '</script>';
                //echo '<meta http-equiv="refresh" content="0;url=index.php" />';
            }
        }
    }
    else {
        //no user?
        echo '<script language="javascript">';
        echo 'alert("Incorrect username or password")';
        echo '</script>';
        echo '<meta http-equiv="refresh" content="0;url=index.php" />';
    }
?>

You didn’t mention if you get the ‘true’ or ‘false’ string echoed.

A common issue is a database column that’s not large enough to hold the hashed value, which will truncate the value, so, no future comparison will ever match.

Your code is also lacking in security: you should use a prepared query when supplying external, unknown, dynamic values to the query when it gets executed. It is also filled with unnecessary, repetitive, and unused logic and variables.

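The prepared query the reply above recommends, applied to this thread's add-admin and login steps, together with a check for the hash-truncation problem it describes. This is an added example, not code posted by anyone in the thread. It assumes `$con` is the mysqli connection opened in `db.php` and the `tbladmin(uname, pwd, creator)` table shown above; the function names are illustrative.

```php
<?php
// Added example, not the poster's code. Assumes: $con is the mysqli connection
// opened in db.php, and the table/columns shown in the thread, tbladmin(uname, pwd, creator).
// Function names here are illustrative.

// Make mysqli throw on errors instead of silently returning false, so a failed
// prepare() or execute() cannot be mistaken for "wrong password".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Stores a new admin. The username and hash travel as bound parameters, so a
// quote character in the username cannot alter the SQL text.
function add_admin(mysqli $con, string $uname, string $pwd, string $creator): void
{
    $hash = password_hash($pwd, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO tbladmin (uname, pwd, creator) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $uname, $hash, $creator);
    $stmt->execute();
    $stmt->close();
}

// Returns the stored hash for $uname, or null when there is no such user.
function fetch_admin_hash(mysqli $con, string $uname): ?string
{
    $stmt = $con->prepare('SELECT pwd FROM tbladmin WHERE uname = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch() === true;   // true when a row was read into $hash
    $stmt->close();
    return $found ? $hash : null;
}

// True only when the user exists and the password matches the stored hash.
// An unknown user and a wrong password both return false, so the caller can keep
// the single "Incorrect username or password" message the thread's code uses.
function check_admin_login(mysqli $con, string $uname, string $pwd): bool
{
    $hash = fetch_admin_hash($con, trim($uname));
    return $hash !== null && password_verify($pwd, $hash);
}

// Diagnostic for the truncation problem described in the reply above: bcrypt
// output from password_hash() is exactly 60 characters, so a hash that PHP no
// longer recognises (for example one cut short by a too-narrow VARCHAR column)
// reports algoName "unknown" and can never verify. The PHP manual recommends a
// column of at least 255 characters so future algorithms fit as well.
function hash_looks_truncated(string $hash): bool
{
    return password_get_info($hash)['algoName'] === 'unknown';
}

// Usage in login.php (flow assumed from the thread):
// session_start();
// if (check_admin_login($con, $_POST['uname'] ?? '', $_POST['pwd'] ?? '')) {
//     $_SESSION['uname'] = trim($_POST['uname']);
//     header('Location: home.php');
//     exit;
// }
```

When wiring this in, the key read from `$_POST` has to match the input's `name` attribute: in the addadmin.php markup above the password field is `name="password"` while the PHP reads `$_POST['pwd']`, so `password_hash()` would be handed an undefined index rather than the typed password. Running `hash_looks_truncated()` over the `pwd` values already in the table shows whether the column width is the cause the reply suspects.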

Hello there,

Thank you for the suggestion about my security. I had been looking at prepared stmts a little and tried my best to implement one into addadmin.php. I’m not sure how I would go about doing it in login.php if that’s possible, I’m still learning how to grab and use information.

Also, for your first question, it seems to be echoing true which is why I’m so confused. Here is my debug code to test what the verification is.

if (password_verify($pwd, $hash) == 1 || true) {
    echo "true";
    echo "<br>";
}
else if (password_verify($pwd, $hash) == 0 || false) {
    echo "false";
    echo "<br>";
}
else {
    echo "No bool?";
}

EDIT: I just realized in my while fetch_assoc line, where it checks to see if the pass_ver is true, I don't think it knows to check that as I only had…
if (password_verify($pwd, $hash)) {}
I just added this line and it seems to have worked!
if (password_verify($pwd, $hash) == 1 || true) {}

No. That logic will always be true because you are or’ing with a true value.
