mysql - Why is PHP PDO not pulling anything from my database (More specifically the UserPassword Column)

View Original

I want to pull the user's hash (saved under UserPassword) Picture of UserPassword column in DB and run it through password_verify(). The problem is, it doesn't return anything. Here's my code: HTML:

   <div class="userInfo">
      <form method="post">
        <p>Username: </p>
        <input type="text" name="Username" required>
        <p>Password: </p>
        <input type="password" name="Password" required>
        <br><br>
        <input type="submit" name = "submit" value="Log In"></button>
      </form>
    </div>

PHP:

<?php
    if(isset($_POST['submit'])) {
      $tblusername = $_POST['Username'];
      $tblpasswordU = $_POST['Password'];

      $servername = "localhost";
      $username = "mealplan";
      $password = "";
      
      try {
        $conn = new PDO("mysql:host=$servername;dbname=mealplan", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $conn->prepare("SELECT UserName FROM tblUsers WHERE UserName = :tblusername");
        $stmt->bindParam(':tblusername', $tblusername);
        $stmt->execute();

        if($stmt->rowCount() > 0){
        }else{
          die("Incorrect Username or Password");
        }
        $stmt = $conn->prepare("SELECT UserPassword FROM tblUsers WHERE UserName = :username");
        $stmt->bindParam(':username', $tblusername);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (password_verify($tblpasswordU, $row['UserPassword']) == true) {
            echo "Signed in successfully";
        } else {
            die("Incorrect username or password");
        }
      } catch(PDOException $e) {
        echo "<style>.hidden { visibility: visible; } .shown { visibility: hidden; font-size: 0px }</style>";
      }
    }
    ?>

Me echoing the Hash and Username were part of me testing. Here's the output: Incorrect Username or Password [] [123] (123 being my test user)

Quick note: $tblpasswordU is the unverified password the user put in.

Answer

Solution:

The password saved in the database is hashed, so you can't match it directly in the SQL. You need to fetch the password for the username. Then you use password_verify() to check whether the password the user entered hashes to the same thing.

Also, you have to fetch the row from the query.

There's no need to use two queries. Just use one query to test if the username exists and fetch the password.

<?php
if(isset($_POST['submit'])) {
    $tblusername = $_POST['Username'];
    $tblpasswordU = $_POST['Password'];

    $servername = "localhost";
    $username = "mealplan";
    $password = "";
      
    try {
        $conn = new PDO("mysql:host=$servername;dbname=mealplan", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $conn->prepare("SELECT UserPassword FROM tblUsers WHERE UserName = :tblusername");
        $stmt->bindParam(':tblusername', $tblusername);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row) { // This is just for debugging, in production you shouldn't distinguish wrong username and wrong password
            die("Username not found");
        }
        if ($row && password_verify($tblpasswordU, $row['UserPassword'])) {
            echo "Signed in successfully";
        } else {
            die("Incorrect username or password");
        }
    } catch(PDOException $e) {
        echo "<style>.hidden { visibility: visible; } .shown { visibility: hidden; font-size: 0px }</style>";
    }
}
?>

Source
© 2021
E-mail: contact@webdevask.com
Back to top