How can I fix my php being unable to fetch a username and password from a mySQL database?

Question

I'm trying to make a simple login with a mySQL database. As of right now, I am able to connect to the database just fine, but for whatever reason I cannot for the life of me manage to figure out why it won't accept the data for the username and password (not worried about hashing right now, this is just practice). Each time I type it in it only gives me the error message, and I am trying to use the user 'test' with a password of '123', so I know I'm not spelling it incorrectly. Aside from my error message, it doesn't say anything else is wrong at all. This is what my login looks like currently:

<?php

//Start PHP session

session_start();

require_once("db_config.php");

function sanitize($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

//Check if the form has been submitted

if(strtoupper($_SERVER['REQUEST_METHOD']) === 'POST') {
    if (isset($_POST['pass']) && isset($_POST['user'])) {

        //Predefine variables
        $validationed = false;
        $err_msg = "";

        //Username and password has been submitted by the user
        //Receive and sanitize the submitted information

        $user = sanitize($_POST['user']);
        $passwd = sanitize($_POST['pass']);

        $user = mysqli_real_escape_string($conn, $user);

        $sql = "SELECT * FROM user_logins WHERE username = '$user';";

        $result = mysqli_query($conn, $sql) or die(mysqli_error($conn));
        $row_count=mysqli_num_rows($result);

        //If the record is found, check password.
        if ($row_count > 0) {
            $row = mysqli_fetch_assoc($result);
            if (password_verify($passwd, $row['pass'])) {
                $validationed = true;
            }
        }

        if ($validationed === false) {
            // If the check completes without finding a valid login, set the error message.
            $err_msg = "Invalid Login...Please Try Again";
        } else {
            // redirect to the main page of the website.  
            header("Location: travel.php");
            exit();
        }
    }
} 

else {
    session_destroy();
    session_unset();
    session_start();
}

?>

<body id="LoginForm">

    <div class="container">
      <div class="login-form">
        <div class="main-div">
          <div class="panel">
            <h1>Login</h1>
            <p>Please enter your username and password</p>

          </div>
          <?php
            //If $err_msg is set, display the message
            if(isset($err_msg)) {
              echo('<div class="alert alert-danger" role="alert">');
              echo('  <strong>' . $err_msg . '</strong>');
              echo('</div>');
            }
          ?>

          <form id="Login" action="login.php" method="post">

            <div class="form-group">
              <input type="username" class="form-control" name="user" placeholder="Username">
            </div>
            <div class="form-group">
              <input type="password" class="form-control" name="pass" placeholder="Password">
            </div>
            <button type="submit" class="btn btn-primary" name='submit'>Login</button>
          </form>
        </div>
      </div>
    </div>

  </body>

I am trying to access 'username' and 'pass' from the table 'user_logins'. There's obviously something I've done incorrectly, but I can't seem to pick it out. It would be a great help if someone could look over this and tell me if they see anything wrong! Thank you!

Answer 1

When using password_verify to compare password and hash , you must make sure that the hash value was created using the accompanying function password_hash . These two functions work hand-in-hand.

So either you compare both values directly or store the password in its hashed form into the DB (using password_hash ).

if ($passwd == $row['pass']) {
    $validationed = true;
}