abcd abcd - 29 days ago 7
PHP Question

form login with password_default is working only after resetting password

I am using the below code for register and it's working fine.

if (isset($_POST['btn-signup'])) {


$email = trim($_POST['txtemail']);
$upass = password_hash($_POST['txtpass'], PASSWORD_DEFAULT);


form

<input type="email" name="txtemail" />
<input type="password" name="txtpass" />


I am using the below code for login; it's giving the error: Wrong Details [userEmail, userPass - db columns]

if (isset($_POST['btn-login'])) {
    try {
        $userPass = $_POST["txtpass"] ?: '';
        $userLog = $_POST['txtemail'] ?: '';
        $conn = new Database();
        $stmt = $conn->dbConnection()->prepare("SELECT * FROM tbl_users WHERE userEmail=:email_id");
        $stmt->execute(array(":email_id" => $userLog));
        $userRow = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($stmt->rowCount() == 1) {
            if ($userRow['userStatus'] == "Y") {
                if (password_verify($userPass, $userRow['userPass'])) {
                    // if (password_needs_rehash('PASSWORD', PASSWORD_DEFAULT)) {
                    //     $new_pass = password_hash('upass', PASSWORD_DEFAULT);
                    //     Update database
                    // }
                    $_SESSION['userSession'] = $userRow['userID'];
                    $user_login->redirect('profile.php');
                } else {
                    $GLOBALS['errors'][] = 'Wrong Details!';
                }
            } else {
                $GLOBALS['errors'][] = 'This Account is not Activated Go to your Inbox and Activate it.';
            }
        } else {
            $GLOBALS['errors'][] = 'Wrong Details!';
        }
    } catch (PDOException $ex) {
        echo $ex->getMessage();
    }
}


But once I reset the password through the reset feature, login is working fine. But after registration, login is not working....

var_dump($_POST); gave the below result:

array(3) { ["txtemail"]=> string(19) "myemailid@gmail.com" ["txtpass"]=> string(9) "myemailid" ["btn-login"]=> string(0) "" }


I am new to PHP coding, please help me.

Update

complete code for Register

register.php

if (isset($_POST['btn-signup'])) {

    $uname = trim($_POST['txtuname']);
    $email = trim($_POST['txtemail']);
    $upass = password_hash($_POST['txtpass'], PASSWORD_DEFAULT);
    $cpass = trim($_POST['txtcpass']);
    $code = md5(uniqid(rand()));

    $stmt = $reg_user->runQuery("SELECT * FROM tbl_users WHERE userEmail=:email_id");
    $stmt->execute(array(":email_id" => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($email == "") {
        $error[] = "provide email id !";
    } else if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo "<b>This is not a valid email address.</b>";
    } else if ($stmt->rowCount() > 0) {
        $msg = " msg1";
    } else {
        if ($reg_user->register($uname, $email, $upass, $code)) {
            $id = $reg_user->lasdID();
            $key = base64_encode($id);
            $id = $key;

            $message = "msg2";

            $subject = "Confirm Registration";

            $reg_user->send_mail($email, $message, $subject);
            $msg = "msg3";
        } else {
            echo "sorry , Query could no execute...";
        }
    }
}


class.php

public function register($uname, $email, $upass, $code)
{
    try {
        // $password = md5($upass);
        // $password = $_POST["upass"];
        // $hash = password_hash($upass, PASSWORD_DEFAULT);
        $password = password_hash('upass', PASSWORD_DEFAULT);
        $stmt = $this->conn->prepare("INSERT INTO tbl_users(userName,userEmail,userPass,tokenCode) VALUES(:user_name,:user_mail,:user_pass,:active_code)");
        $stmt->execute(array(
            ":user_name" => $uname,
            ":user_mail" => $email,
            ":user_pass" => $password,
            ":active_code" => $code
        ));
        return $stmt;
    } catch (PDOException $ex) {
        echo $ex->getMessage();
    }
}


reset password code

if (isset($_GET['id']) && isset($_GET['code'])) {
    $id = base64_decode($_GET['id']);
    $code = $_GET['code'];

    $stmt = $user->runQuery("SELECT * FROM tbl_users WHERE userID=:uid AND tokenCode=:token");
    $stmt->execute(array(":uid" => $id, ":token" => $code));
    $rows = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($stmt->rowCount() == 1) {
        if (isset($_POST['btn-reset-pass'])) {
            $pass = $_POST['pass'];
            $cpass = $_POST['confirm-pass'];

            if ($cpass !== $pass) {
                $msg = "password does't match";
            } else {
                $password = password_hash($_POST['pass'], PASSWORD_DEFAULT);
                $stmt = $user->runQuery("UPDATE tbl_users SET userPass=:upass WHERE userID=:uid");
                $stmt->execute(array(":upass" => $password, ":uid" => $rows['userID']));

                $msg = "Password Changed.";
                header("refresh:5;index.php");
            }
        }
    } else {
        $msg = "No Account Found, Try again";
    }
}

<input type="password" name="pass" />
<input type="password" name="confirm-pass" />

Answer

This is more than likely the issue,

$password = password_hash('upass', PASSWORD_DEFAULT);

Change it to

$password = password_hash($upass, PASSWORD_DEFAULT);

You are hashing the password "upass" and not the variable passed to the function.


As discussed below, it is better to use the following to further increase security and verify the passwords correctly.

$options = [ 'cost' => 12 ];  // The higher the number the better but does have a time cost for the encryption.
$hashed_password = password_hash( $password, PASSWORD_BCRYPT, $options );

if( password_verify( $password, $hashed_password ) )
{
  // Login
}
else
{
  // Failed
}

I found a script online that will test the server you are using to find a cost that is acceptable; set the target time you want and it will provide a cost for you.

function getOptimalBcryptCostParameter($min_ms = 1000) {
    for ($i = 4; $i < 31; $i++) {
        $options = [ 'cost' => $i ];
        $time_start = microtime(true);
        password_hash("PASSWORD_HERE", PASSWORD_BCRYPT, $options);
        $time_end = microtime(true);
        echo "Time to hash: ".($time_end - $time_start).' with a  cost of '.$i.'<br>';
        if (($time_end - $time_start) * 1000 > $min_ms) {
            return $i;
        }
    }
}
//echo getOptimalBcryptCostParameter(); // prints 12 in my case

As of PHP 7.0 salt is being deprecated, do not use a salt when hashing your passwords.
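As an added example (not code from the question or the answer), here is the register/login pair with the answer's fix applied, plus the rehash-on-login step the question has commented out. It assumes an in-memory SQLite table named like the question's tbl_users and the helper names make_db, register_user and login_user.

```php
<?php
// Added example, not the asker's or the answerer's code: a register/login pair
// that applies the fix from the answer (hash the variable $upass, never the
// literal 'upass') and fills in the rehash step the question left commented out.
// The table and column names follow the question's tbl_users; the in-memory
// SQLite database and the function names are assumptions made so it runs offline.
declare(strict_types=1);
const HASH_OPTIONS = ['cost' => 12]; // pick with getOptimalBcryptCostParameter() above

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE tbl_users (userID INTEGER PRIMARY KEY, userEmail TEXT UNIQUE,
               userPass TEXT NOT NULL, userStatus TEXT NOT NULL DEFAULT 'Y')");
    return $db;
}

function register_user(PDO $db, string $email, string $upass): void {
    // password_hash('upass', ...) would store the hash of the 5-letter word "upass"
    // for every account; only a login with the password "upass" could ever verify.
    $hash = password_hash($upass, PASSWORD_BCRYPT, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO tbl_users (userEmail, userPass) VALUES (:email, :pass)');
    $stmt->execute([':email' => $email, ':pass' => $hash]);
}

// Returns the userID on success, null on any failure.
function login_user(PDO $db, string $email, string $upass): ?int {
    $stmt = $db->prepare('SELECT userID, userPass, userStatus FROM tbl_users WHERE userEmail = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One answer for "no such user" and "wrong password", so the form does not
    // tell an attacker which e-mail addresses are registered.
    if ($row === false || $row['userStatus'] !== 'Y' || !password_verify($upass, $row['userPass'])) {
        return null;
    }
    // password_needs_rehash() takes the stored hash, not a literal string; it is
    // true when the cost (or algorithm) in HASH_OPTIONS differs from the stored one.
    if (password_needs_rehash($row['userPass'], PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $upd = $db->prepare('UPDATE tbl_users SET userPass = :pass WHERE userID = :id');
        $upd->execute([':pass' => password_hash($upass, PASSWORD_BCRYPT, HASH_OPTIONS), ':id' => $row['userID']]);
    }
    return (int) $row['userID'];
}

$db = make_db();
register_user($db, 'myemailid@gmail.com', 'myemailid'); // constructed sample, same values as the var_dump
echo login_user($db, 'myemailid@gmail.com', 'myemailid') === null ? "Wrong Details!\n" : "logged in\n";
echo login_user($db, 'myemailid@gmail.com', 'upass') === null ? "Wrong Details!\n" : "logged in\n";
```

The second login attempt uses the literal "upass" that the buggy register() hashed; with the fix applied it is rejected like any other wrong password.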