I'm trying to set up a PHP login form into an existing database that I do not want to modify. It seems I've made all the right connections to the DB and the right tables, but the password is encrypted, and when I try to log in it says "Wrong password. Try again."
This is my code:
    /**
     * log in with post data
     */
    private function dologinWithPostData()
    {
        // check login form contents
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Username field was empty.";
        } elseif (empty($_POST['user_password'])) {
            $this->errors[] = "Password field was empty.";
        } elseif (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {
            // create a database connection, using the constants from config/db.php (which we loaded in index.php)
            $this->db_connection = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
            // change character set to utf8 and check it
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }
            // if no connection errors (= working database connection)
            if (!$this->db_connection->connect_errno) {
                // escape the POST stuff
                $user_name = $this->db_connection->real_escape_string($_POST['user_name']);
                // database query, getting all the info of the selected user (allows login via email address in the
                // username field)
                $sql = "SELECT nickname, user_email, user_password
                        FROM tbl_users
                        WHERE nickname = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                $result_of_login_check = $this->db_connection->query($sql);
                // if this user exists
                if ($result_of_login_check->num_rows == 1) {
                    // get result row (as an object)
                    $result_row = $result_of_login_check->fetch_object();
                    // using PHP 5.5's password_verify() function to check if the provided password fits
                    // the hash of that user's password
                    if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
                        // write user data into PHP SESSION (a file on your server)
                        $_SESSION['nickname'] = $result_row->user_name;
                        $_SESSION['user_email'] = $result_row->user_email;
                        $_SESSION['user_login_status'] = 1;
                    } else {
                        $this->errors[] = "Wrong password. Try again.";
                    }
                } else {
                    $this->errors[] = "This user does not exist.";
                }
            } else {
                $this->errors[] = "Database connection problem.";
            }
        }
    }
How can I make this log in to the DB, since the passwords stored in the DB are encrypted?
Passwords are probably hashed. First you must determine which hashing function was used when storing passwords in your database. Then you can do it like below. I assumed passwords are hashed using md5, which is widely used but exploitable, but if the password is also salted, I'm afraid you have to learn the salt word too, else it is next to impossible, based on the hashing algorithm used. Also, using this way to access the database is really vulnerable; I really suggest you look into PDO.
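    // MD5 is assumed, as stated above; the parentheses make the password check apply to both lookups
    $sql = "SELECT nickname, user_email, user_password
            FROM tbl_users
            WHERE (nickname = '" . $user_name . "' OR user_email = '" . $user_name . "')
              AND user_password = '" . md5($_POST['user_password']) . "'";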
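An added example, not part of the original answer: the lookup done with a PDO prepared statement and the password checked in PHP instead of inside the SQL string. It assumes, as the answer does, that the legacy values are unsalted MD5 hex digests; the function names and the in-memory SQLite table with its rows are constructed for illustration.

```php
<?php
// Added example: schema mirrors the question's tbl_users; rows are constructed sample data.
// Assumption (from the answer): legacy passwords are unsalted MD5 hex digests.

function find_user(PDO $db, string $login): ?array
{
    // Placeholders keep the login value out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT nickname, user_email, user_password
           FROM tbl_users
          WHERE nickname = :nick OR user_email = :mail'
    );
    $stmt->execute([':nick' => $login, ':mail' => $login]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;   // ambiguous or missing: reject
}

function verify_stored_password(string $plain, string $stored): bool
{
    // Hashes produced by password_hash() carry an algorithm prefix such as $2y$.
    if (!empty(password_get_info($stored)['algo'])) {
        return password_verify($plain, $stored);
    }
    // 32 hex characters: treat as unsalted MD5 and compare in constant time.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        return hash_equals(strtolower($stored), md5($plain));
    }
    return false;   // unknown format (for example a salted scheme): cannot verify
}

function login(PDO $db, string $login, string $plain): bool
{
    $user = find_user($db, $login);
    return $user !== null && verify_stored_password($plain, $user['user_password']);
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_users (nickname TEXT, user_email TEXT, user_password TEXT)');
$ins = $db->prepare('INSERT INTO tbl_users VALUES (?, ?, ?)');
$ins->execute(['alice', 'alice@example.test', md5('correct horse')]);
$ins->execute(['bob', 'bob@example.test', password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(login($db, 'alice', 'correct horse'));      // legacy MD5 row
var_dump(login($db, 'bob@example.test', 's3cret'));  // password_hash() row, login by email
var_dump(login($db, 'alice', 'wrong'));              // wrong password
var_dump(login($db, "o'brien", 'anything'));         // quote is bound as data, no such user
```

Because the hash comparison happens in PHP, the same query works whatever format the stored value turns out to have, and the existing table is only read, never modified.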