Password Verify function problems getting it working

Have a login and register system; most of the process/validations are done through separate PHP files rather than within the 1 file where the forms are built.

As far as I know it’s the password verifying where the issue is. From what I can tell the password hashing works on the register side: a user fills in details on the form, the details go to the database and the password is hashed there.

So within my process.php page, which is from the <form action="process.php" method="post"> for the registration side, I have the following code:

$Password = $_POST['Password'];
$hash = password_hash($Password, PASSWORD_DEFAULT);
$sql= " INSERT INTO users (Username, Password) VALUES ('$Username', '$hash')";

Within validation.php, which is the login form action, is where I need help using the password verify function. I have the same variable stored in this file:

$Password = $_POST['Password'];
if (password_verify($Password, $hash))
$sql= " SELECT * FROM users WHERE Username='".$Username."' and Password='".$Password."' ");

I’m stuck and confused on how to use the password verify function and which variables within validation.php need to use $hash and $Password. I’m usually getting “Undefined variable: hash”.

  1. Get user record with…
     SELECT * FROM users WHERE Username = :Username
  2. If record exists check password with…
     password_verify($Password, $user['Password'])

$user is the record from the database. If $user is not found, authentication failed.

To clarify, this is within my validation.php, which is where the form action for the login.php page goes to.

I have my select query to get the user record; from what I can see, my current select query doesn’t need any changes?

Then add underneath the password verify function exactly as you mentioned, or do I need to change variables?

You have in your validation.php two params…

$username = $_POST['username'];
$password = $_POST['password'];

First, try to find $user in the database (pseudocode)…

$user = $db->query('select * from user where username = :username', ['username' => $username]);

Then, if the user is not found (is null), authentication failed. Otherwise check the password with…

password_verify($password, $user['password'])

This part will never work:-

Every time you hash the same password you get a different result with the password_hash function, so you can’t select by password.
Instead you must pull the hashed version from the database and check it using password_verify as @igor_g has shown.


Are there different ways of password hashing and verification according to the build of PHP? For example, I’m using MySQLi Object-Oriented; is the method still the same?

And still confused on this section?

Password hashing has nothing to do with MySQLi; you can’t use these together, as you cannot verify a password within a statement.

What confusion do you have? @igor_g was showing how you need to run the query with just the username, and the example code shows a PDO prepared statement, supplying both the query and the parameter for that query in array form.

Once you’ve run that query, you retrieve the (hopefully) single row it returns, and use password_verify() to compare the stored password with the password from your user form.

So, to clarify:

When user is created, use password_hash() to store a hashed password, making sure the column is wide enough.
When the user wants to log in, retrieve the password with a query that matches the username, and use password_verify() to compare it to the password from the login form.


Think I understand slightly better with your explanation. Also, the confusion was with this part which you’ve explained; I’m fairly new to PHP. So I’ve not used PDO, just simple queries, and then started to look into SQL injection, but I’ve been mainly using MySQLi (for MySQL).

What would the example code be using MySQLi (for MySQL) to run the query with just the username, supplying both the query and the parameter?

Would you mind trying it yourself? The examples are pretty clear.

I can’t help, I’m afraid, I use PDO.
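
The MySQLi question above went unanswered in the thread. As an added example (not code from any of the posters), this is one way to run the username-only lookup as a MySQLi object-oriented prepared statement and then call password_verify(). The table and column names follow the thread; the connection details, the Username form field name and the helper function names are assumptions.

```php
<?php
// validation.php (added example): look the user up by Username only, then
// compare the submitted password with the stored hash in PHP.
// Table/column names follow the thread; connection details are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: returns the stored hash, or null if no such user.
function find_password_hash(mysqli $db, string $username): ?string
{
    // Prepared statement: the username is bound as a parameter and is
    // never concatenated into the SQL string.
    $stmt = $db->prepare('SELECT Password FROM users WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = a row was read, null = no row
    $stmt->close();
    return $found ? $hash : null;
}

// Hypothetical helper: true only if the user exists and the password matches.
function check_login(mysqli $db, string $username, string $password): bool
{
    $hash = find_password_hash($db, $username);
    if ($hash === null) {
        return false;          // unknown user: authentication failed
    }
    return password_verify($password, $hash);
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders

$Username = $_POST['Username'] ?? '';   // form field name is an assumption
$Password = $_POST['Password'] ?? '';

if (check_login($db, $Username, $Password)) {
    session_start();
    session_regenerate_id(true);        // issue a fresh session id after login
    $_SESSION['Username'] = $Username;
    echo 'Logged in';
} else {
    echo 'Invalid username or password'; // same message for both failure cases
}
```

bind_result() and fetch() are used instead of get_result() so the code does not depend on the mysqlnd driver.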
