I have a problem that I don't know how to validate session I am using password_hash and I have the following code in validation and I haven't been able to validate this is the code
public function login($usuario, $password)
{
$rows = null;
$statement = $this->bd->prepare("SELECT * from usuarios where username =:usuario AND password=:password");
$statement->bindParam(':usuario', $usuario);
$statement->bindParam(':password', $password);
$statement->execute();
if ($statement->rowCount() == 1) {
$result = $statement->fetch();
$_SESSION['nombre'] = $result['nombre_usuario'] . "" . $result['apellido'];
$_SESSION['id'] = $result['id_usuario'];
$_SESSION['tipo_nivel'] = $result['tipo_nivel'];
$_SESSION['estado'] = $result['estatus'];
return "true";
} else {
return "false";
}
}
}
You should not look for the user in the database by password, you should do it by the unique field, in your case I understand that it is
username
, once you have retrieved the user from the database it is when you must usepassword_verify
to check if the password is valid and if so, do what corresponds.Here's a commented example based on your code:
Documentation and links that can help you:
As it says in the PHP documentation,
password_verify ( string $password , string $hash ) : bool
, the functionpassword_verify()
needs two string parameters, the$password
one that is the pure string of the user and the$hash
, which is the one that is stored in the DB, so first it must extract the hash from the DB, I imagine that will be in a column called password , extract that data and send it to the functionpassword_verify ($password(string puro), $hash(el de la DB))
, this will return true , if it matches and false , if it does not match.