
Can't login, trouble checking password?

Yesterday, I started making my own login+registration form.

```php
// ...Variable checking...
// Final upload
if ($errornum == 0){
    if (!file_exists("../core/accounts/".$username.".php")) {
        $password_e = password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]);
        $myFile = "../core/accounts/".$username.".php";
        $fh = fopen($myFile, 'w');
        $stringData = "<?php\n"
            . "\$username_u = \"{$username}\";\n"
            . "\$password_u = htmlentities(\"{$password_e}\", ENT_QUOTES);\n"
            . "\$gender_u = \"{$gender}\";\n"
            . "\$birth_day_u = \"{$birth_day}\";\n"
            . "\$birth_month_u = \"{$birth_month}\";\n"
            . "\$birth_year_u = \"{$birth_year}\";\n"
            . "\$status_u = \"{$status}\";\n"
            . "\$email_u = \"{$email}\";\n"
            . "\$firstname_u = \"{$firstname}\";\n"
            . "\$lastname_u = \"{$lastname}\";\n"
            . "\$refer_u = \"{$refer}\";\n"
            . "?>";
        fwrite($fh, $stringData);
        fclose($fh);
    } else {
        $username_error.="<div id='error'>Username taken</div>";
        $errornum = $errornum + 1;
    }
}
```

That's the registration upload thing. What it does: it stores all of the user-entered variables in a file located at core/accounts/user-name.php.

Here's the output of a file generated by the piece of code above:

```php
// The password is "dummypassword"
// The file name, in this case, is "dummyfile.php"
<?php
$username_u = "dummyfile";
$password_u = htmlentities("$2y$10$1s7uJ4yM5u6KxKdiCh3P0.S/zQRDT4C9DtakCtmJvwR/SxwjVsXzC", ENT_QUOTES);
$gender_u = "male";
$birth_day_u = "3";
$birth_month_u = "2";
$birth_year_u = "1977";
$status_u = "single";
$email_u = "dummyemail@gmail.com";
$firstname_u = "dummy";
$lastname_u = "dummy";
$refer_u = "me";
?>
```

As you can see, the password got encrypted by the following 'command':

password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]);

I'm using htmlentities(); to store the special characters contained in the password. And here comes the login script...

```php
// ...Self explanatory code above... No need to include
$submit = trim(stripslashes(strip_tags(($_POST['submit']))));
if(!empty($submit)){
    $username = trim(stripslashes(strip_tags(($_POST['username']))));
    $password = trim(stripslashes(strip_tags(($_POST['password']))));
    if(empty($username) || empty($password)){
        $error=true;
    } else {
        if (file_exists("core/accounts/".$username.".php")) {
            include "core/accounts/".$username.".php";
        } else {$error=true;}
        if(password_verify($password, $password_u)){
            // Logged in!!
            $_SESSION['username'] = $username;
            header("location:home/");
            exit;
        } else {$error=true;}
    }
}
```

Again, the real interesting part is the following 'command':

if(password_verify($password, $password_u)){

The thing is, it's not working. I can't login. It always tells me I have the wrong password! I know the error must be caused by the commands I mentioned though.

Any tips?

If you are inclined to do what you are doing, but I don't understand it...

change, this....

if(password_verify($password, $password_u)){

to, this...

if(password_verify($password, html_entity_decode($password_u))){
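
An added example (not code from the question or the answer) of the same register/login flow with the account stored as JSON data rather than as a generated PHP file, so the hash reaches password_verify() unmodified. The function names, the username pattern, the JSON field names and the temporary directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only simple usernames so the value cannot change which file is opened.
function account_path(string $dir, string $username): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username) === 1
        ? $dir . '/' . $username . '.json'
        : null;
}

function register_account(string $dir, string $username, string $password): bool
{
    $path = account_path($dir, $username);
    // Mode 'x' fails if the file already exists, so "username taken" is atomic.
    $fh = $path === null ? false : @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    // Hash the password exactly as submitted: no trim(), strip_tags() or
    // htmlentities(), so login later verifies the same bytes.
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]);
    fwrite($fh, json_encode(['username' => $username, 'password_hash' => $hash]));
    fclose($fh);
    return true;
}

function verify_login(string $dir, string $username, string $password): bool
{
    $path = account_path($dir, $username);
    if ($path === null || !is_file($path)) {
        return false;
    }
    // The record is read as data (never include()d), so the stored hash
    // reaches password_verify() unchanged.
    $record = json_decode((string) file_get_contents($path), true);
    return is_array($record)
        && is_string($record['password_hash'] ?? null)
        && password_verify($password, $record['password_hash']);
}

// Constructed demo data in a throwaway directory.
$dir = sys_get_temp_dir() . '/accounts_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
var_dump(register_account($dir, 'dummyfile', 'dummypassword'));
var_dump(verify_login($dir, 'dummyfile', 'dummypassword'));
var_dump(verify_login($dir, 'dummyfile', 'wrongpassword'));
unlink($dir . '/dummyfile.json');
rmdir($dir);
```

In a real deployment the accounts directory belongs outside the web root so the JSON files cannot be fetched directly.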
