I am having so much trouble trying to figure out why this password_verify isnt working. I wanted to have a basic hash in my user table for passwords. I can save them just fine from the addadmin.php but when I try to login I cant get anything but incorrect username or password. I have been at this for hours and maybe its because im so tired and doing college work at 2 AM, but a pair of fresh eyes may help. Is there something im missing?
addadmin.php
left out unimportant stuff
<body>
<div class="container">
<div class="row" style="height: 50px;"></div>
<div class="row">
<div class="col-2"></div>
<div class="col-8">
<div class="panel" style="width: 100%;">
<div class="paneltitle">
<h3 class="panelupdatetitle">Add an UltraCollective Administrator<h3>
</div>
<div class="panelbackground">
<?php
include "db.php";
if(isset($_POST["submit"])) {
$password = $_POST['pwd'];
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$sql = "INSERT INTO tbladmin (uname, pwd, creator)
VALUES ('".$_POST["username"]."','$hashed_password','$uname')";
if(mysqli_query($con, $sql)) {
$error = "New admin added!";
}
else {
$error = "Error: " . $sql . "<br>" . mysqli_error($con);
}
}
?>
<form action="addadmin.php" method="POST">
<div class="container">
<div class="row">
<?php
echo"$error";
?>
</div>
<div class="row">
<label class="panelupdatecontent">Username</label>
</div>
<div class="row">
<input type="text" id="uname" name="username" style="width: 50%;">
</div>
<div class="row">
<label class="panelupdatecontent">Password</label>
</div>
<div class="row">
<input type="password" id="pwd" name="password" style="width: 50%;">
</div>
<div class="row" style="height: 25px;"></div>
<div class="row">
<div class="col 5">
<button type="submit" name="submit">Add Admin</button>
</div>
</div>
<div class="row" style="height: 25px;"></div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
login.php from index.php POST
<?php
session_start();
include_once 'functions/db.php';
$uname = $_POST['uname'];
$pwd = $_POST['pwd'];
$uname = trim($_POST['uname']);
$pwd = trim($_POST['pwd']);
$query = "SELECT * FROM tbladmin WHERE uname = '$uname'";
$result = mysqli_query($con, $query) or die ("Verification error");
$array = mysqli_fetch_array($result);
if ($result == 1) {
$query2 = "SELECT pwd FROM tbladmin WHERE uname = '$uname'";
$result2 = mysqli_query($con, $query2);
while ($row = mysqli_fetch_assoc($result2)) {
$hash = $row['pwd'];
if (password_verify($pwd, $hash)) {
if ($array['uname'] == $uname){
$_SESSION['uname'] = $uname;
header("Location: home.php");
}
else{
echo '<script language="javascript">';
echo 'alert("Incorrect username or password")';
echo '</script>';
echo '<meta http-equiv="refresh" content="0;url=index.php" />';
}
}
else {
if (password_verify($pwd, $hash) == 1) {
echo "true";
echo "<br>";
}
else {
echo "false";
echo "<br>";
}
**THIS IS WHERE I END UP**
echo $hash;
echo "<br>";
echo "<br>";
echo '<script language="javascript">';
echo 'alert("Incorrect username or password")';
echo '</script>';
//echo '<meta http-equiv="refresh" content="0;url=index.php" />';
}
}
}
else {
//no user?
echo '<script language="javascript">';
echo 'alert("Incorrect username or password")';
echo '</script>';
echo '<meta http-equiv="refresh" content="0;url=index.php" />';
}
?>