I know there are hundreds of questions like this, but I'm going crazy and I can't get it to work, the insert works perfectly.
I have an Android app with which I have a user registration and login. I am doing it with mysqli
Login code:
<?php
include 'DatabaseConfig.php' ;
$con = mysqli_connect($HostName,$HostUser,$HostPass,$DatabaseName);
$username = $_GET["username"];
$Sql_Query = "select id, username, password from usuarios where username = '$username'";
$result = mysqli_query($con,$Sql_Query);
$row = mysqli_fetch_assoc($result);
if(password_verify($_GET["password"], $row['password'])){
while($ro = mysqli_fetch_assoc($result)) {
$response[] = $ro;
}
}
else echo "failed to log in(invalid password)";
?>
Insert code just in case:
<?php
include 'DatabaseConfig.php' ;
$con = mysqli_connect($HostName,$HostUser,$HostPass,$DatabaseName);
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$Sql_Query = "insert into usuarios (username, password, email) values ('" . mysqli_real_escape_string($con, $username) . "', '" . mysqli_real_escape_string($con, $hashed_password) . "', '" . mysqli_real_escape_string($con, $email) . "')";
if(empty($username)){
$result["success"] = "0";
$result["message"] = "ERROR";
echo json_encode($result);
mysqli_close($con);
}
else{
if(mysqli_query($con,$Sql_Query)){
$result["success"] = "1";
$result["message"] = "Registration success";
echo json_encode($result);
mysqli_close($con);
}
else{
$result["success"] = "0";
$result["message"] = "error in Registration";
echo json_encode($result);
mysqli_close($con);
}
}
?>
The insert is perfect for me, in the database the password field is char(60) and the login after I print the data in json to be able to save them in android
There are some security errors in your code, since you are not protecting the values that come from the forms that can cause a SQL INJECTION
As you mention that the code
insert.php
is going well for you, we are not going to touch it, although it would not be bad if you improved it.For part of
login.php
it I see that you are using an unnecessary cycle, or if you could explain to me what you are using it for, it would be quite helpful, here I share with you how it can be improved and probably solved.We will also add more validations to the login to be able to have a better idea of what may be failing when trying to start the session.
I had the same problem and it still didn't work despite making sure my database columns were varchar(255), hashes were 60 chars, and my encoding was UTF-8 all the way through. I'm pretty new to PHP and SQL, so I won't pretend to understand exactly why it worked, but I managed to fix it, so I hope this post helps other people with the same problem.
It turned out that the underlying reason why password_verify() was not verifying my hashes was because I had made a prepared statement using a stored procedure earlier in the script without getting all the query results correctly to clear the buffer, before closing and reopening the connection to perform the following query. Calling next_result() on mysqli_link after closing the statement will ensure that the results are consumed. Also, I was using another prepared statement with a stored procedure to do the password insert, but I still needed to make calls to store_result() and free_result() even though no insert result sets were returned. I guess the combination of these things was corrupting my data somewhere along the line,