Welcome to WebmasterWorld Guest from 54.166.245.10

Forum Moderators: coopster & jatar k

Login form not working after hashing

     
7:39 pm on Nov 15, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 19, 2011
posts: 179
votes: 1


Since php has changed, I'm back top square one in some respect. This is likely a very common question, but after two days, I can't find an answer.
I wrote a script to add a new user. It generates a random password that is inserted into the database, then sends an email with the information to the new user. The link in the email goes to a place to update the information with a new password and a security question. Trouble is after the new password is hashed, it doesn't recognize the input when logging in.

Update User script
<?PHP

include('dbconfig.php');

$username=$_POST['username'];
$oldpassword=$_POST['oldpassword'];
$newpassword= password_hash($oldpassword,PASSWORD_DEFAULT);
$security=$_POST['security'];

echo $username."<br />";
echo $newpassword."<br />";
echo $security."<br />";

//check if username and password are correct
$sql="SELECT * FROM users WHERE UserName = '$username' AND Password= '$oldpassword'";

$result= mysqli_query($connection, $sql)or die("Cannot find your login credentials " . mysql1_error());

if(mysqli_num_rows($result) >0)
{
$sql= "UPDATE users SET SecurityQuestion='$security', Password='$newpassword' WHERE UserName='$username'";
$result=mysqli_query($connection, $sql);

echo "Your Data has been Updated!";
exit;

}

else
{
echo("You do not have Admin Crededials. Please see your system administrator.");
exit;
}


?>


Here is the login script:
<?PHP
include('dbconfig.php');

$username=$_POST['username'];
$password=$_POST['password'];
$table="users";
echo $username;
echo $password;


$sql= "SELECT * FROM $table WHERE UserName='$username'";


$result = mysqli_query($connection,$sql);
$row = mysqli_fetch_assoc($result);
echo "stored password is: " . password_verify($password, $row['Password']); This is blank when echoed out. I checked the database and it was indeed changed.
if (password_verify($password, $row['Password']))
{
echo"You're IN!";

}
else
{
echo 'Your entered username or password is incorrect';
}

?>


What am I doing wrong here? Thanks!
10:39 pm on Nov 25, 2017 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7729
votes: 44


No php expert, but the first thing I would do is echo some variables for debugging purposes. For example, if the password is stored on MySQL as a hashed value, you need to hash the user input before comparing it. You could try "echoing" it on the page just to make sure the value on the screen matches the value in MySQL.

Hopefully, someone with more understanding will come along and offer some more help.

Mack.
8:21 pm on Nov 27, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 19, 2011
posts: 179
votes: 1


I was able to get it working. Part of the problem was I was masking the password input field, which for some reason sent the data through as all asterisks.
Thanks for the help Mack!
12:20 am on Nov 29, 2017 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:June 15, 2001
posts:7729
votes: 44


That's strange browser behaviour!

Glad you were able to get it working.

Mack.
5:54 pm on Nov 29, 2017 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 19, 2011
posts: 179
votes: 1


In this case, it was being sent from a c# script and the UI was masking the input field.