使用bCrypt哈希密码登录PHP

Question

Why didn't the other posts help?

Other posts didn't help because one was asking since none worked, despite there are a lot of similar questions.

More details

The thing I want to do is to make a user log in using his password. But, the passwords are hashed using bCrypt in the database.

When I try to enter the real password, it doesn't work and says that the password is incorrect.

But, when I try to enter the hashed password. It says: "Successfully logged in".

How to make it log in using the real password not the hash?!

Code

Login.php

 <form method="post" action="loginsession.php">//login <p>Username <input type="text" name="uid" size="20"> </p> <p>Password <input type="password" name="pwd" size="20"> </p> <p><input type="submit" value="Login" name="login"></p> </form> 

Loginsession.php

  <?php session_start(); include ('dbhandler.php'); $uid = $_POST['uid']; $pwd = $_POST['pwd']; $sql = "SELECT * FROM user WHERE uid='$uid' and pwd='$pwd' "; $result = mysqli_query($conn, $sql); $row = mysqli_fetch_assoc($result); $encrypted_pwd = password_hash($pwd, PASSWORD_DEFAULT); $hash = password_verify($pwd,$encrypted_pwd); $count = mysqli_num_rows($result); if ($count == 1) { echo("Logging in..."); $_SESSION['id'] = $row['id']; $_SESSION['uid'] = $row['uid']; $_SESSION['pwd'] = $row['pwd']; echo("<h1 style='color:green;'>Successfully Logged In"); } else { echo "Your Login Name or Password is invalid"; die(); } ?> 

Answer 1

There was so much wrong that a rewrite was more appropriate:

<?php 
   session_start(); 
   include 'dbhandler.php'; // shouldn't be include './dbhandler.php'; ? 
   $uid = $_POST['uid']; 
   $pwd = $_POST['pwd']; 

   $sql = "SELECT * FROM user WHERE uid='".mysqli_real_escape_string($conn, $uid)."'"; 
   $result = mysqli_query($conn, $sql);
   if (mysqli_num_rows($result) === 1) {
     $row = mysqli_fetch_assoc($result);
     if (password_verify($pwd, $row['pwd'])) {
       $_SESSION['id'] = $row['id']; 
       $_SESSION['uid'] = $row['uid']; 
       $_SESSION['pwd'] = $row['pwd'];
       // redirect to "login success" page would be a better solution
       echo "<h1 style='color:green;'>Successfully Logged In";
     } else {
       echo "Invalid password";
     }
   } else {
     echo "Your login name is invalid";
   }

Answer 2

1. You should never use textual user input as a parameter of your query. This leaves you vulnerable to SQL injection . To prevent that, either use PDO or mysqli_* (but in this case use the appropriate functions to escape the parameters), which are both well documented.

2. You define and execute the query with passing the password as it was. You need to hash the password BEFORE you pass it to the query and pass $encrypted_pwd to the query.

3. I recommend the usage of limit 0, 1 at the end of your query in this case, as that will specify that you are interested only in the very first corresponding row, if exists, so the query will be stopped if the user is found and not continue searching for users. This will optimize your query.

4. Since you do not want to load any particular data related to the user, you only want to find out whether the user exists, you could further optimize your query by replacing select * with select 1 , which will significantly reduce the size of data your RDBMS will have to send in response, as only a number will be returned and not the whole record, possibly with the user's biography.

5. Never ever store a user's password in the session. If for some reason $_SESSION will be outputted to the browser, that will be a serious vulnerability.