Can't get user input in to password_verify()

Question

here is the login code, I'm trying to get password verify to work but It doesn't want to. It seems like this count($sql->fetchAll()) > 0 is the problem or that I am calling the wrong variable to the password_verify() .

    $signup = isset($_POST['signup'] ) ? $_POST['signup'] : false;
$submit = isset( $_POST['submit'] ) ? $_POST['submit'] : false;
$username = isset( $_POST['username'] ) ? $_POST['username'] : false;
$password = isset( $_POST['password'] ) ? $_POST['password'] : false;

if( $submit && $username && $password ) {

  $sql = $DB_con->prepare( "SELECT * FROM users WHERE user_name=:user_name AND user_pass=:user_pass" );
  $sql->bindParam( ':user_name', $username, PDO::PARAM_STR );
  $sql->bindParam( ':user_pass', $password, PDO::PARAM_STR );
  $check_user=$sql->fetch(PDO::FETCH_ASSOC);
  $success = $sql->execute();
  $verify = password_verify($password, check_user['user_pass']);
    // Successfully logged in!
  if($success && count($sql->fetchAll()) > 0 && $verify) {

    $_SESSION['logged_in'] = true;  
    // Unset errors
    unset($_SESSION['error']);
  }
  else {
    // display an error
    $_SESSION['error'] = 'That user doesn\'t exist'; 
  }
}
else {
  //displays error
  $_SESSION['error'] = 'Please enter all fields';
}
if($signup) {
  header('Location: signup.php');
}
exit;

Here is the signup code

function register($uname,$umail,$upass)
    {

        $DB_con = null;

try
{
     $DB_con = new PDO("mysql:host=$host;dbname=$dbname", "$username" ,"$password");
     $DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e)
{
     echo $e->getMessage();
}   



       try
       {
           $new_password = password_hash($upass, PASSWORD_DEFAULT);

           $stmt = $DB_con->prepare("INSERT INTO users(user_name,user_email,user_pass) 
                                                       VALUES(:uname, :umail, :upass)");

           $stmt->bindparam(":uname", $uname);
           $stmt->bindparam(":umail", $umail);
           $stmt->bindparam(":upass", $new_password);            
           $stmt->execute(); 
           return $stmt; 

       }
       catch(PDOException $e)
       {
           echo $e->getMessage();
       }    

    }

Answer 1

There are several things that needs to be cleaned up with this piece of code.

Let's start with your register() function. There's a clear syntax-error here (where you make the connection), the ""$password" . Then that function don't know what $dbname , $username or $password are (for the connection), these variables aren't in the scope of the function (it can see it). Usually it's better to pass the connection object as a parameter, not create a new object for each time you call the register() function. Modified for that and cleaned a bit, it would look like this

function register($DB_con, $uname ,$umail, $upass) {
    try {
        $new_password = password_hash($upass, PASSWORD_DEFAULT);

        $stmt = $DB_con->prepare("INSERT INTO users (user_name, user_email, user_pass) 
                                                   VALUES (:uname, :umail, :upass)");

        $stmt->bindparam(":uname", $uname);
        $stmt->bindparam(":umail", $umail);
        $stmt->bindparam(":upass", $new_password);            
        return $stmt->execute(); 

    } catch(PDOException $e) {
        echo $e->getMessage();
    }
}

and be used like

register($DB_con, 'Nader', 'example@example.com', 'pa$$w0rd'); // True or false

Then onto your sign-in. This is a little messy, and you're doing a few things wrong. What I've found so far is...

• Fetching after execution
• Selecting WHERE the unhashed password is equal to the hashed one (won't return any rows)
• count($sql->fetchAll()) > 0 will be zero, because you already fetched once, and there will only be one user => this means one row. Fetching one means there are no more to fetch, so fetchAll() is empty!
• You don't need to do any more checks than if ($check_user=$sql->fetch()) to check if there are rows

Corrected and accounted for the points above, your code would look something like this

$signup = isset($_POST['signup']) ? $_POST['signup'] : false;
$submit = isset($_POST['submit']) ? $_POST['submit'] : false;
$username = isset($_POST['username']) ? $_POST['username'] : false;
$password = isset($_POST['password']) ? $_POST['password'] : false;

if ($submit && $username && $password) {
    $sql = $DB_con->prepare("SELECT * FROM users WHERE user_name=:user_name");
    $sql->bindParam(':user_name', $username, PDO::PARAM_STR);
    $sql->execute();

    if ($check_user=$sql->fetch(PDO::FETCH_ASSOC)) {
        if (password_verify($password, $check_user['user_pass'])) {
            $_SESSION['logged_in'] = true;  
            // Unset errors
            unset($_SESSION['error']);
        } else {
            // Invalid password
        }
    } else {
        // No user with that username
    }
} else {
    //displays error
    $_SESSION['error'] = 'Please enter all fields';
}

if ($signup) {
    header('Location: signup.php');
}
exit;

This assumes unique usernames in the DB

There might be more issues which I can't see, which is why you should enable error-reporting by adding

<?php
error_reoprting(E_ALL);
ini_set("display_errors", 1);

at the top of your file (errors shouldn't be displayed like that in a live environment).