
My password is hashed and saved in the database, but I couldn't match it with the password which the user is giving in the textbox.

    <?php
    // form submission
    if (isset($_POST['submit_pwd'])) {
        // input form username
        $us = isset($_POST['usr']) ? $_POST['usr'] : '';
        // input for user password
        $passw = isset($_POST['passwd']) ? $_POST['passwd'] : '';
        // retrieving values from database
        $sql = "SELECT * FROM adminclient";
        $result = mysqli_query($conn, $sql);
        if (mysqli_num_rows($result) > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                $username = $row['username'];
                $password = $row['password'];
                // username and password match the database row
                if ($us == $username && password_verify($passw, $password)) {
                    session_start();
                    $_SESSION['username'] = $_POST['usr'];
                    header("location: success.php");
                    exit; // stop here so the failure alert below is not sent after a successful login
                }
            }
            echo " <script type='text/javascript'>
     alert('Wrong Username and Password combination');</script> ";
        }
    }
    ?>
Bhavesh Lalwani
  • password_verify is a PHP function, not a user/custom function. I cannot test your code right now since I'm not on a PC, but you should check if the username and password are set (print them, i.e.). Also you should only fetch the db row with the username given, so you don't need to loop through the data returned by the query. – TobiasJ Sep 11 '15 at 08:56
  • md5 you used or sha1()?? – Nana Partykar Sep 11 '15 at 08:58
  • Did you check if `$us` and `$passw` are not empty (data has been passed correctly)? Also you should only fetch one row with the userdata in your query so you don't need to loop through the result. – TobiasJ Sep 11 '15 at 12:25
  • Yeah, they are not empty.. – Bhavesh Lalwani Sep 11 '15 at 18:08

1 Answer


You are not converting the input password to a hashed password. Because the hashed password is saved in the table, you need to convert it. If md5 was used, then use `$passw=md5($passw);` to convert. Or, if sha1 was used, then use `$passw=SHA1($passw)`.

    <?php
    // form submission
    if (isset($_POST['submit_pwd'])) {
        $us = isset($_POST['usr']) ? $_POST['usr'] : '';
        $passw = isset($_POST['passwd']) ? $_POST['passwd'] : '';

        $passw = md5($passw); // Change input password to md5 password

        // Check here itself in the SQL query.
        // Bound parameters keep the submitted values out of the SQL text.
        $stmt = mysqli_prepare($conn, "SELECT username FROM adminclient WHERE username = ? AND password = ?");
        mysqli_stmt_bind_param($stmt, 'ss', $us, $passw);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_store_result($stmt);
        if (mysqli_stmt_num_rows($stmt) > 0) {
            session_start();
            $_SESSION['username'] = $us;
            header("location: success.php");
            exit; // stop output after the redirect header
        } else {
            echo " <script type='text/javascript'>
     alert('Wrong Username and Password combination');</script> ";
        }
    }
    ?>

Check this SHA1 Password for more details.

Community
Nana Partykar
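An added example, not code from the question or the answer: `password_verify()` only accepts a value that `password_hash()` produced and that was stored intact, so inspecting the stored value shows why a login check fails. The helper name `diagnose_stored_hash`, the sample password and the too-narrow column are assumptions made for illustration; the page does not say how the hash was created or stored.

```php
<?php
// Added example: names and sample values are constructed, not taken from the post.

// Report why password_verify() accepts or rejects a stored value.
function diagnose_stored_hash(string $plain, string $stored): string
{
    if (password_verify($plain, $stored)) {
        return 'ok';
    }
    // Bare hex digests come from md5()/sha1(), which password_verify() never matches.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'stored value is an MD5 digest, not a password_hash() value';
    }
    if (preg_match('/^[0-9a-f]{40}$/i', $stored)) {
        return 'stored value is a SHA-1 digest, not a password_hash() value';
    }
    // A bcrypt hash is always 60 characters; a shorter one was cut on insert.
    if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) < 60) {
        return sprintf('bcrypt hash truncated to %d of 60 characters; widen the column', strlen($stored));
    }
    if (password_get_info($stored)['algoName'] === 'unknown') {
        return 'stored value is not in a format password_hash() produces';
    }
    return 'hash is intact but the password does not match';
}

$plain = 'correct horse example';                 // constructed password
$good  = password_hash($plain, PASSWORD_BCRYPT);  // what registration should store
$samples = [
    'intact hash'          => $good,
    'cut by a VARCHAR(50)' => substr($good, 0, 50), // assumption: column too narrow
    'md5() at signup'      => md5($plain),
    'sha1() at signup'     => sha1($plain),
];
foreach ($samples as $label => $stored) {
    printf("%-22s %s\n", $label . ':', diagnose_stored_hash($plain, $stored));
}
// A wrong password against an intact hash falls through to the last branch.
printf("%-22s %s\n", 'wrong password:', diagnose_stored_hash('not the password', $good));
```

The PHP manual recommends a 255-character column for `password_hash()` output so that longer hashes from future default algorithms are not cut off.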