Why does my login with PHP password_verify not work?

Hi,

I am doing my login form with password_verify and things are not good. It is like password_verify is not working: it always says the password is wrong. Here is my code and DB design. Can somebody assist, because I just cannot figure out the issue. Thanks.

[php]id, name (char 100), email (unique), password (char 255)[/php]

[php]<?php

include_once 'clean_valeur.inc.php';   // provides nettoye() (not shown in the post)

if (isset($_GET['connection'])) {

    if (isset($_POST['submit'])) {

        $email = ""; $password = ""; $error1 = ""; $error2 = ""; $error3 = "";

        if (empty($_POST['email'])) {
            $error1 = "Entrer votre email";                 // "Enter your email"
        } elseif (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === FALSE) {
            $error1 = "Votre email n'est pas valide";       // "Your email is not valid"
        } else {
            $email = nettoye($_POST['email']);
        }

        if (empty($_POST['pwd'])) {
            $error2 = "Entrer votre mot de passe";          // "Enter your password"
        } else {
            $password = nettoye($_POST['pwd']);
        }

        if ($email == "" OR $password == "") {
            $error3 = "Votre connection a échoué ";         // "Your login failed"
            include_once 'Connecter.html.php';
            exit();
        } else {
            include_once "…/includes/connect.inc.php";     // sets up $pdo

            try {
                $sql = "SELECT * FROM user_registration WHERE email = :email ";
                $s = $pdo->prepare($sql);
                $s->bindValue(':email', $_POST['email']);
                $s->execute();

                if ($s->rowCount() === 1) {
                    $row = $s->fetch(PDO::FETCH_ASSOC);

                    if (password_verify($password, $row['password'])) {
                        header("Location:home.html.php");
                        exit();
                    }
                    // no else branch: a failed password_verify() falls through
                    // and the login form is rendered again without any message
                } else {
                    echo "Wrong values";
                }
            } catch (PDOException $e) {
                // "An unexpected situation occurred"
                $errorinsert = "Une situation inattendu est survenu" . $e->getMessage();
            }
        }
    }
    include_once 'connecter.html.php';
}[/php]

Before we go anywhere, can you verify that you are using PHP version 5.5.0 or newer? That is the minimum version for password_verify.

Now, forget about your code for a minute and just test your password hash with the code below. Replace the hash with your hash and the password with your password.

[php]<?php
// Replace $hash with the hash stored in your database and the first
// argument of password_verify() with the password you registered with.
$hash = '$2a$12$EjyZQ9F7KJPYpxTW.WqPzu94GAap.l06nLuKd/vwT1kqT6lYT5bzW';

if (password_verify('SAheritage01', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>[/php]

Thanks for the help.

[member=46186]Kevin Rubio[/member]: my PHP supports password_hash and password_verify, and the test worked too. But I just keep getting Invalid password. It cannot find the match and I just do not understand that. Really pisses me off.

Post a zip of your current code and an SQL dump of your database so I can test it on my system.

If the passwords aren’t matching, what is the difference between how they are added to the database ( hash used ) and when you check?

There’s nothing in your code that could tell you that the password is wrong. If [tt]password_verify()[/tt] fails, then you don’t give any feedback at all (which is a bad idea).

What you do have is a check if the user exists. In that case, you print “Wrong values”. So is this the error you’re getting? Then I suspect the [tt]PDOStatement::rowCount()[/tt] check. This method is strictly for [tt]INSERT[/tt], [tt]UPDATE[/tt] and [tt]DELETE[/tt] queries (check the manual). Misusing it for [tt]SELECT[/tt] queries is unreliable and may not work at all.

The extra check is useless, anyway. Just call [tt]PDOStatement::fetch()[/tt]. If it returns an associative array, you know the user exists, otherwise the user doesn’t exist. You should also get rid of the [tt]try[/tt]-[tt]catch[/tt] statement and leave the exception alone. PDO errors are not meant to be seen by users (this is actually dangerous, because it exposes internal information).

So a sanitized version of the code might look like this:
[php]<?php

$userStmt = $pdo->prepare('
    SELECT
        password
    FROM
        user_registration
    WHERE
        email = :email
');
$userStmt->execute([
    'email' => $_POST['email'],
]);
// fetch() returns false when there is no matching row, so no rowCount() check is needed
$user = $userStmt->fetch(PDO::FETCH_ASSOC);

if ($user && password_verify($_POST['pwd'], $user['password']))
{
    header('Location: /home.html.php');
    exit;
}
else
{
    // one message for both "no such user" and "wrong password"
    echo 'Incorrect e-mail address or password.';
}[/php]
Note how the control flow ensures that the user gets proper feedback in any case: If the e-mail address or the password (or both) are wrong, then an error message is displayed.
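The following is an added, self-contained example rather than code from any post in this thread: it carries the sanitized login above through to a complete register-and-login flow with password_hash()/password_verify(), PDOStatement::fetch() instead of rowCount(), a single error path for "unknown address" and "wrong password", and password_needs_rehash() on successful login. The table and column names follow the original post (user_registration, email, password); the function names, the in-memory SQLite database and the sample user are this example's own assumptions, and it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread): registration and login with password_hash()/password_verify().
// Uses an in-memory SQLite database so it runs offline; all names and data below are constructed.

declare(strict_types=1);

function createSchema(PDO $pdo): void
{
    // VARCHAR(255) leaves room for longer hashes than bcrypt's 60 characters
    // in case PASSWORD_DEFAULT changes in a future PHP release.
    $pdo->exec('CREATE TABLE user_registration (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        name     VARCHAR(100) NOT NULL,
        email    VARCHAR(255) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL
    )');
}

function registerUser(PDO $pdo, string $name, string $email, string $password): void
{
    // Hash the raw password: no trimming, escaping or htmlspecialchars() before hashing.
    // Whatever transformation is applied here must be applied identically at login,
    // otherwise password_verify() can never match.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO user_registration (name, email, password)
                           VALUES (:name, :email, :password)');
    $stmt->execute(['name' => $name, 'email' => $email, 'password' => $hash]);
}

// Returns the user's id on success, or null for an unknown e-mail address or a wrong password.
// The caller shows one generic message for null, so the response does not reveal which case it was.
function loginUser(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM user_registration WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);   // false when there is no such row; rowCount() not needed

    if ($user === false) {
        // Unknown address: still spend one bcrypt verification so the response time
        // does not reveal whether the address exists. The dummy hash is created here once.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('not-the-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return null;
    }

    if (!password_verify($password, $user['password'])) {
        return null;
    }

    // Transparent upgrade: if the stored hash used an older algorithm or a lower cost,
    // rehash with the current PASSWORD_DEFAULT while the plaintext is available.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE user_registration SET password = :password WHERE id = :id');
        $upd->execute(['password' => password_hash($password, PASSWORD_DEFAULT), 'id' => $user['id']]);
    }

    return (int) $user['id'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($pdo);

// Constructed sample data for this example.
registerUser($pdo, 'Alice', 'alice@example.com', 'SAheritage01');

var_dump(loginUser($pdo, 'alice@example.com', 'SAheritage01'));   // known user, correct password
var_dump(loginUser($pdo, 'alice@example.com', 'saheritage01'));   // known user, wrong password
var_dump(loginUser($pdo, 'bob@example.com', 'SAheritage01'));     // unknown address
```

The two failure calls both return null and both cost one bcrypt verification, which is the property the single "Incorrect e-mail address or password" message above is meant to preserve. Note also that the password is never passed through a cleaning function before hashing or verifying; if a helper such as the original post's nettoye() alters the password on one side only, password_verify() fails for every user.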

There's nothing in your code that could tell you that the password is wrong.

You must have missed line 62

I have not, because that’s the line I’m talking about. The check doesn’t tell if the password is incorrect. There’s no [tt]else[/tt] branch, the code just keeps running and renders the whole page with no feedback whatsoever.

So when the OP claims to get an error along the lines of “The password is incorrect”, that can’t be true. Either the error message actually comes from the [tt]PDO::rowCount()[/tt] check, or the OP just guesses that there’s a password problem.

My point is: I’m interested in the actual symptoms, not a personal interpretation of the symptoms.

Yeah, hard for me to get a good read on the site when I have to scroll code. Once I pasted it into my IDE and deleted the fluff, it was much more clear.

First of all, thanks for your reply and help. I have made a register/login form with sha1 and it worked great, but I will try again with password_hash and password_verify to sort it out.

It will work great if you want to get hacked. Don’t use SHA.

My personal favorite,

[php]hash('whirlpool', $password);[/php]

I always use “password” or “123456” for my passwords. No one would ever think I would use something that simple. Practically hack proof. Sometimes I use my birthday. In case I forget my password I can just go to my profile page and see what my birthday is.

Umm, nice to know, but that isn’t what it is. whirlpool is the hash algorithm used.

Never heard of it. Have to check it out. What can you tell me about it? I thought it was some joke I didn’t get.

Abusing Whirlpool to hash passwords is a terrible idea and in no way better than MD5, SHA-1 or whatever.

Whirlpool is not a password hash algorithm at all. It’s a rather obscure cryptographic primitive which can be used by algorithm designers to construct message authentication codes, signature algorithms etc. That’s its sole purpose (although I have never seen it actually being used outside of dubious PHP tutorials).

When you hash passwords with it, Whirlpool fails miserably, because even consumer hardware can easily calculate around 1 billion(!) hashes per second (see the benchmarks of the oclHashcat tool). That means the average password has no chance of survival. You might as well have stored it as plaintext. On top of that, Whirlpool lacks even the most basic features of modern password hash algorithms like a cryptographic salt or an adjustable strength. In that regard, it’s little more than a fancy version of MD5.

If you want to store passwords, there are currently only four valid choices:

[ul][li]bcrypt[/li]
[li]scrypt[/li]
[li]Argon2[/li]
[li]PBKDF2[/li][/ul]

For all practical purposes, you want bcrypt.
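As an added illustration of the two points made above (no salt, no adjustable strength), and not code from anyone in this thread: the script below stores a constructed set of passwords with hash('whirlpool') and with password_hash() (bcrypt), then runs a small offline dictionary attack against each. The users, the wordlist, the function names and the timing helper are all this example's own assumptions; it needs PHP 7.4+ and nothing beyond the standard hash and password functions.

```php
<?php
// Added example (not part of the thread): unsalted Whirlpool vs. bcrypt as a password store.
// The "leaked" credential table and the wordlist are constructed for the demonstration.

declare(strict_types=1);

// No salt: equal passwords give equal digests, so one cracked digest unmasks every
// user who chose that password, and candidate digests can be precomputed once.
function whirlpoolStore(array $users): array
{
    $table = [];
    foreach ($users as $name => $password) {
        $table[$name] = hash('whirlpool', $password);
    }
    return $table;
}

// Offline dictionary attack: hash every candidate once, then look each stored digest up.
function crackWhirlpool(array $table, array $wordlist): array
{
    $lookup = [];
    foreach ($wordlist as $candidate) {
        $lookup[hash('whirlpool', $candidate)] = $candidate;
    }
    $cracked = [];
    foreach ($table as $name => $digest) {
        if (isset($lookup[$digest])) {
            $cracked[$name] = $lookup[$digest];
        }
    }
    return $cracked;
}

// bcrypt via password_hash(): a random salt per hash and a cost factor the defender chooses.
function bcryptStore(array $users, int $cost): array
{
    $table = [];
    foreach ($users as $name => $password) {
        $table[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $table;
}

// Against bcrypt no shared precomputation exists because every hash carries its own salt,
// so each (user, candidate) pair costs one full bcrypt computation.
function crackBcrypt(array $table, array $wordlist): array
{
    $cracked = [];
    foreach ($table as $name => $hash) {
        foreach ($wordlist as $candidate) {
            if (password_verify($candidate, $hash)) {
                $cracked[$name] = $candidate;
                break;
            }
        }
    }
    return $cracked;
}

function timed(callable $fn): array
{
    $start = hrtime(true);
    $result = $fn();
    return [$result, (hrtime(true) - $start) / 1e6];   // [result, milliseconds]
}

// Constructed data: alice and dave picked the same weak password; carol's is not in the wordlist.
$users    = ['alice' => 'password', 'bob' => '123456',
             'carol' => 'correct horse battery staple', 'dave' => 'password'];
$wordlist = ['letmein', 'password', 'qwerty', '123456', 'SAheritage01'];

$wp = whirlpoolStore($users);
printf("Whirlpool: alice and dave share a digest: %s\n", var_export($wp['alice'] === $wp['dave'], true));
[$crackedWp, $msWp] = timed(fn() => crackWhirlpool($wp, $wordlist));
printf("Whirlpool: %d of %d cracked in %.3f ms\n", count($crackedWp), count($users), $msWp);

foreach ([10, 12] as $cost) {
    $bc = bcryptStore($users, $cost);
    printf("bcrypt cost %d: alice and dave share a hash: %s\n",
           $cost, var_export($bc['alice'] === $bc['dave'], true));
    [$crackedBc, $msBc] = timed(fn() => crackBcrypt($bc, $wordlist));
    printf("bcrypt cost %d: %d of %d cracked in %.1f ms\n", $cost, count($crackedBc), count($users), $msBc);
}
```

Both attacks recover the same weak passwords from a five-word list; the difference is the work per guess. The Whirlpool run finishes in well under a millisecond and needed only one digest per candidate for the whole table, while bcrypt forces a separate computation per user and per guess, and each +1 on the cost parameter doubles it. Raise the cost until a single verification takes as long as your login endpoint can afford.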

I guess I was right, Whirlpool is a joke.

Well, I will upgrade the crypto used in future projects and look into SHA3 derivatives.

You will be current and safe with password_hash and password_verify (Bcrypt)
