Have a login and register system most of the process/validations are done through separate php files rather within the 1 file where the forms are built.
As far as I know it’s the password verifying where the issue is. From what I can tell the password hashing works on the register side a user fill details on form the details go to the database and password is hashed there.
So within my process.php page which is from the <form action="process.php" method="post"> for the registration side I have following code:
Within the validation.php which is for the login form action here is where I need help using the password verify function have the same variable stored in this file:
$Password = $_POST['Password']; if (password_verify($Password, $hash)) $sql= " SELECT * FROM users WHERE Username='".$Username."' and Password='".$Password."' ");
I’m stuck and confused on how to use the password verify function which variables within the validation.php need to use $hash and use $Password. As usually getting “Undefined variable: hash”
Every time you hash the same password you get a different result with the password_hash function, so you can’t select by password.
Instead you must pull the hashed version from the database and check it using password_verify as @igor_g has shown.
Are there different ways on password hashing and verification according to the build of PHP. Example I’m using MySQLi Object-Oriented is the method still the same.
What confusion do you have? @igor_g was showing how you need to run the query with just the username, and the example code shows a PDO prepared statement, supplying both the query and the parameter for that query in array form.
Once you’ve run that query, you retrieve the (hopefully) single row it returns, and use password_verify() to compare the stored password with the password from your user form.
So, to clarify:
When user is created, use password_hash() to store a hashed password, making sure the column is wide enough.
When the user wants to log in, retrieve the password with a query that matches the username, and use password_verify() to compare it to the password from the login form.
Think I understand slightly better with your explanation. Also confusion what this part which you’ve explained fairly new to php. So not used PDO just simple querys and than starting to look into SQL Injection but been mainly using MySQLi (for MySQL).
What will the example code be for using MySQLi (for MySQL) for run the query with just the username, supplying both the query and the parameter.