Encrypt password login issue

Question

I am using below code to encrypt user registration password during registration. But the problem is that I can't get login with same password again, I might be because password in DB is different and encrypted and not same as the password user enter.

<?php 
if(isset($_POST['submit'])) {
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];

    if(!empty($firstname) && !empty($lastname) && !empty($username) && !empty($email) && !empty($password)) {
         $firstname = mysqli_real_escape_string($db_connect, $firstname);
         $lastname  = mysqli_real_escape_string($db_connect, $lastname);
         $username  = mysqli_real_escape_string($db_connect, $username);
         $email     = mysqli_real_escape_string($db_connect, $email);
         $password  = mysqli_real_escape_string($db_connect, $password);

         $sql = "SELECT randsalt FROM user ";

         $select_randsalt_query = mysqli_query($db_connect, $sql);

         if(!$select_randsalt_query) {
             die("Query failed".mysqli_error($db_connect));
         }

         while($row = mysqli_fetch_array($select_randsalt_query)) {
             $salt = $row['randsalt'];

             ///crypt function takes 2 parameter. one from DB 
             ///and other from user input. 
             // $password = crypt($password, $salt);
         }

         $sql_register ="INSERT INTO user(user_firstname, user_lastname, username, user_email, user_password, user_role )";
         $sql_register .="VALUES('{$firstname}', '{$lastname}', '{$username}', '{$email}', '{$password}', 'Unknown' ) ";

         $query_register = mysqli_query($db_connect, $sql_register);

         if(!$query_register) {
             die("Query failed".mysqli_error($db_connect));
         }

         $message = "<h3>Your Registration has been Submitted</h3>";
     } else {
         $message = "<h3>You Can't leave field Empty</h3>";
     }
 } else {
    $message = '';
 }
 ?>

I tried to do something like this in login.php

<?php 
if(isset($_POST['submit'])){

    $Username = $_POST['Username'];
    $Password = $_POST['Password'];

    //To prevent SQL injection and store into new variable
    $Username = mysqli_real_escape_string($db_connect, $Username);
    $Password = mysqli_real_escape_string($db_connect, $Password);

    $sql_login = "SELECT * FROM user WHERE username = '{$Username}' ";

    $query_login = mysqli_query($db_connect, $sql_login);

        if(!$query_login){

            die("Query Failed".mysqli_error($db_connect));
        }


    while($row = mysqli_fetch_assoc($query_login)){
            $username       = $row['username'];
            $user_password  = $row['user_password'];
            $user_firstname = $row['user_firstname'];
            $user_lastname  = $row['user_lastname'];
            $user_email     = $row['user_email'];
            $user_role      = $row['user_role'];
    }

            $Password = crypt($Password, $user_password);

    ///User validation
    if( ($Username === $username && $Password === $user_password) && $user_role === "Admin"){
            //Using session to store information from db
            //Using session from right to left. Right is the variable got from db.

            $_SESSION['USERNAME'] = $username;
            $_SESSION['PASSWORD'] = $user_password ;
            $_SESSION['FIRSTNAME'] = $user_firstname;
            $_SESSION['LASTNAME'] = $user_lastname;
            $_SESSION['EMAIL'] = $user_email;
            $_SESSION['ROLE'] = $user_role;

            header("Location: ../admin/index.php");


        }else{  
            header("Location: ../index.php");
        }
}
?>

but this is not working. Sorry people I just entered to the PHP world and don't have deep understanding.

also make sure the password column is long enough to accomodate the hash. If it isn't, you will need to alter your column's length and start over. If it's a length issue, MySQL will fail silently. — Funk Forty Niner, Jan 03 '16 at 02:27

score 1 · Answer 1 · edited May 23 '17 at 12:04

Welcome to PHP development. Let me make your life a lot easier:

Regardless of what your tutorial/book/friend said, don't escape strings, use prepared statements instead. They're a lot easier to implement safely and your life becomes a heck of a lot easier. (If you rely on escaping, and you remember to escape 2999 out of 3000 parameters a user can control, you're still vulnerable.)
Instead of mucking about with crypt(), just use password_hash() and password_verify().

There are updated guides everywhere that can explain how to use these features better, but http://www.phptherightway.com is the one the community points to the most.

Encrypt password login issue

1 Answers1