Trying to use password_hash and password_verify

Below is my code to set the password and check the password on login, but it didn't work. I had a password field of varchar(1000), using a MySQL database.
When creating the username and password by admin, initially the password is the same as the username but in lowercase with dashes.

$user_name1         = explode(" ", $staff_name);
$user_name2         = implode("-", $user_name1);
$user_name2         = strtolower($user_name2);
$user_pwd = password_hash($user_name2, PASSWORD_DEFAULT);

checking at the time of login

$upass  = mysqli_real_escape_string($conn, $_POST['upass']);
if(password_verify($upass, $stt['staff_upwd']))
{
     ....
}

$upass is the password entered by the user and $stt['staff_upwd'] is the stored password from the database.
When I echo both passwords, they display differently. Can anyone spot the mistake which I am not able to understand? Should I be using the base64_encode and base64_decode method with a salt key, and in addition pass some random token key at the time of login?
I also tried to remove mysqli_real_escape_string, but to no avail.

Regards Himanshoo

Firstly, I’d recommend allowing the user to input their own username and password into the database table. The current approach complicates things and poses significant security risks.

Next, activate PHP error reporting using the following method:

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
?>

Remember to use this only during development and not on a production server, as displaying errors publicly can expose sensitive information.

It would take seeing ALL the relevant code to be able to even narrow down the possibilities to one or two things to investigate further. What is the full html and php code (less any database credentials) that’s submitting and inserting the data in the registration processing and submitting and testing the values in the login processing.

This should only be used on string data values being put directly into an sql query statement, and even there it should be avoided. You should be using a modern prepared query when supplying external, unknown, dynamic values to an sql query when it gets executed.
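To show what that looks like for the login check in this thread, here is an added example (not the poster's code and not from the forum): the lookup rewritten as a prepared query, with password_verify() on the stored hash. It assumes the thread's table and column names (tablename, staff_uname, staff_upwd, utype), an open mysqli connection in $conn, and mysqlnd so that get_result() is available.

```php
<?php
// Added example: login lookup with a prepared statement instead of
// interpolating $uname into the SQL string. No mysqli_real_escape_string
// is needed because the value never becomes part of the query text.
// Assumes: table "tablename" with staff_uname, staff_upwd, utype; $conn is mysqli.

function staff_login(mysqli $conn, string $uname, string $upass): ?array
{
    $st = $conn->prepare(
        "SELECT staff_uname, staff_upwd FROM tablename
         WHERE staff_uname = ? AND utype = 'Staff'"
    );
    $st->bind_param("s", $uname);
    $st->execute();
    $row = $st->get_result()->fetch_assoc(); // null when no row matched
    $st->close();

    // The stored value is a hash; it will never echo equal to the plaintext.
    // Only password_verify() can compare the two.
    if ($row === null || !password_verify($upass, $row['staff_upwd'])) {
        return null; // unknown user or wrong password: same outcome for both
    }

    // If PASSWORD_DEFAULT has moved to a stronger algorithm or cost since
    // this hash was created, rehash now while the plaintext is available.
    if (password_needs_rehash($row['staff_upwd'], PASSWORD_DEFAULT)) {
        $new = password_hash($upass, PASSWORD_DEFAULT);
        $up  = $conn->prepare(
            "UPDATE tablename SET staff_upwd = ? WHERE staff_uname = ?"
        );
        $up->bind_param("ss", $new, $row['staff_uname']);
        $up->execute();
        $up->close();
    }
    return $row;
}

// Usage in the login handler, after the captcha check from the thread:
// $staff = staff_login($conn, $_POST['uname'] ?? '', $_POST['upass'] ?? '');
// if ($staff === null) { /* show one generic "invalid login" message */ }
```

The registration side in the thread already uses a prepared INSERT; this brings the SELECT on login up to the same standard.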

When creating a user through admin, below is the code:

$staff_name         = mysqli_real_escape_string($conn, $_POST['staff_name']);
$staff_address      = mysqli_real_escape_string($conn, $_POST['staff_address']);
$staff_city         = mysqli_real_escape_string($conn, $_POST['staff_city']);
$staff_contactno    = mysqli_real_escape_string($conn, $_POST['staff_contactno']);

// Initial username: the staff name, lowercased, with spaces replaced by dashes
$user_name1         = explode(" ", $staff_name);
$user_name2         = implode("-", $user_name1);
$user_name2         = strtolower($user_name2);

// If that username already exists, append a running number to it
$chkuser1 = mysqli_query($conn, "SELECT count(*) as chkcnt FROM tablename WHERE staff_uname = '$user_name2'");
$chkuser2 = mysqli_fetch_array($chkuser1);
if($chkuser2['chkcnt'] > 0)
{
    $user_name2 = $user_name2 . ($chkuser2['chkcnt'] + 1);
}else{
    $user_name2 = $user_name2;
}

// Initial password is the (possibly numbered) username, stored as a hash
$user_pwd = password_hash($user_name2, PASSWORD_DEFAULT);

if($staff_name != '')
{
    $st1 = $conn->prepare("INSERT INTO tablename (staff_name, staff_address, staff_city, staff_contactno, staff_uname, staff_upwd)
            VALUES (?, ?, ?, ?, ?, ?)");
    $st1->bind_param("ssssss", $staff_name, $staff_address, $staff_city, $staff_contactno, $user_name2, $user_pwd);
    $st1->execute();
}

At the time of user login, below is the code:

$uname  = mysqli_real_escape_string($conn, $_POST['uname']);
$upass  = $_POST['upass'];

// Only proceed when the captcha value matches the one stored in the session
if(isset($_POST['capval']) && $_POST['capval'] != "" && $_SESSION['capcode'] == $_POST['capval'])
{
    // Look up the staff row by username (value is interpolated into the query here)
    $st1   = "SELECT * FROM tablename WHERE staff_uname = '$uname' AND utype = 'Staff'";
    $st2   = mysqli_query($conn, $st1);
    $stres = mysqli_num_rows($st2);

    if($stres > 0)
    {
        $stt      = mysqli_fetch_array($st2);
        $storeone = $stt['staff_upwd']; // stored password_hash() value

        // Compare the submitted plaintext against the stored hash
        if(password_verify($upass, $storeone))
        {
            // login successful
        }
    }
}

Thanks for the reply and guidance.
The password must be changed by the user when they log in for the first time.
