
This is not a duplicate of when to use quotes and backquotes. My question is how do I integrate the new mysqli and PHP functions password_hash and password_verify from my registration page into my login page.

This is my registration page code:

```php
<?php
require('db.php');

// should add better validation of form submission
if (isset($_POST['username'])) {
    $hash = password_hash($_POST['password'], PASSWORD_BCRYPT, array('cost' => 10));

    $stmt = $con->prepare('INSERT into users (username, password, email, trn_date) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $_POST['username'], $hash, $_POST['email'], date("Y-m-d H:i:s"));

    $result = $stmt->execute();

    if($result){
            echo "<div class='content_landing'><div class='form'><h3>You are registered successfully.</h3><p>Click here to <a href='login_page.php'>Login</a></p></div></div>";
        }
    }else{ ?>
<!-- header ends here -->
<!-- ****************************************** -->
<!-- enquiry / newsletter / login / register goes here -->
<div class="container">
</div>
<div class="clear"></div>
<!-- Main page content goes here -->
<div class="content_landing">
<p><div class="form">
<h1>Registration</h1>
<form name="registration" action="" method="post">
<input type="text" name="username" placeholder="Username" required /><br>
<input type="email" name="email" placeholder="Email" required /><br>
<input type="password" name="password" placeholder="Password" required /><br>
<input type="submit" name="submit" value="Register" />
</form>
</div></p>
<?php } ?>
</div>
</div>
<!-- Ends here -->
<!-- ****************************************** -->
<div class="clear"></div>
<!-- *Footer goes here -->
<?php include_once("footer.php");?>
<!-- Footer ends here -->
```

It seems to work fine, as in it is creating users and hashing passwords. I was told by a few people that I need to protect this code against SQL injection and have no idea how to do that or where to even add the code.

Secondly, I am having a problem with integrating this registration password_hash into my login... apparently, I must add a verify_password or something.

Here is my login page:

```php
<?php
    require('db.php');
    // If form submitted, insert values into the database.
    if (isset($_POST['username'])){

        $username = stripslashes($_REQUEST['username']); // removes backslashes
        $username = mysqli_real_escape_string($con,$username); //escapes special characters in a string
        $password = stripslashes($_REQUEST['password']);
        $password = mysqli_real_escape_string($con,$password);

    //Checking is user existing in the database or not
        $query = "SELECT 'username' FROM 'users' WHERE username='?'";
        $result = mysqli_query($con,$query) or die(mysql_error());
        $rows = mysqli_num_rows($result);
        if($rows==1);

        if (password_verify($password, $row['password'])) {

            $_SESSION['username'] = $username;
            header("Location: shows.php"); // Redirect user to index.php
            }else{
                echo "<div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
                }
    }else{
?>
<div class="form">
<h2>Log In to view Prices and Specials</h2>
<form action="" method="post" name="login">
<input type="text" name="username" placeholder="Username" required /><br>
<input type="password" name="password" placeholder="Password" required /><br>
<input name="submit" type="submit" value="Login" />
</form>
<p>Not registered yet? <a href='registration.php'>Register Here</a></p>
</div>
<?php } ?>
```

I have just started learning PHP and mysqli and have only found tutorials and such on the old mysql and md5 hash.

Please could I have some assistance to get this working correctly, and also, if there are definitive guides or tutorials out there, please show me the way.

Noobster
  • `username='?'` there should be no quote there. Besides, you're not using `prepare()`, so that won't work anyway. Then you've got `mysql_error()` which doesn't mix with `mysqli_*` functions. And you're using singlequotes where there should be none (around table and column names). – Qirel Jul 16 '17 at 17:03
  • Also stop messing with the password that the user enters. You run the risk of changing it. Remember you are not storing it on the database, you are just comparing it to the hashed version on your database – RiggsFolly Jul 16 '17 at 17:08
  • And again, the point of using prepared and parameterised queries is that you don't need to use `mysqli_real_escape_string()` on the data. It was not a foolproof protection anyway – RiggsFolly Jul 16 '17 at 17:09
  • Also not selecting the password you want to verify. There's a lot of issues with the querying too. A **great** place to read, is the PHP manual, you should see the examples here: http://php.net/mysqli-stmt.fetch and http://php.net/password_verify – Qirel Jul 16 '17 at 17:12
  • XD thanks guys for the info. Ummm gee, a lot to take in. How am I messing with the user's password? And also how do I correct my existing code? I read what you all say and have no idea where to begin. – Noobster Jul 16 '17 at 17:33
  • Just avoid escaping (`stripslashes()` and `mysqli_real_escape_string()`) before it is really necessary, it should be done as late as possible and only if necessary. Then it is a good habit to let the redirecting `header` follow an `exit`, because the page is loaded anyway otherwise. In another answer I made a small [example](https://stackoverflow.com/a/38422760/575765) of how one can check the password using parametrized queries. – martinstoeckli Jul 18 '17 at 06:26
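Pulling the comments together, this is how the login check looks with a parameterised mysqli query and `password_verify()`, written to match the registration page above. It is an added example, not code from the question or from the commenters; it assumes `db.php` defines `$con` as a mysqli connection and that the `users` table has the `username` and `password` columns the registration INSERT writes.

```php
<?php
// Added example (not the asker's code): login handler that fetches the stored
// bcrypt hash with a placeholder query and checks it with password_verify().
// Assumes db.php defines $con (mysqli) and users has username/password columns.
session_start();
require('db.php');

function authenticate(mysqli $con, string $username, string $password): bool
{
    // No stripslashes()/mysqli_real_escape_string(): the placeholder keeps the
    // input out of the SQL text, and escaping would alter the password before
    // it is compared with the hash. Column and table names carry no quotes.
    $stmt = $con->prepare('SELECT password FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true for a row, null when no such user
    $stmt->close();

    // The submitted password is never stored; it is only checked against the
    // hash that password_hash() produced on the registration page.
    return $found === true && password_verify($password, $hash);
}

if (isset($_POST['username'], $_POST['password'])) {
    if (authenticate($con, $_POST['username'], $_POST['password'])) {
        $_SESSION['username'] = $_POST['username'];
        header('Location: shows.php');
        exit; // stop here, otherwise the rest of the page is still sent
    }
    echo "<div class='form'><h3>Username/password is incorrect.</h3></div>";
}
```

The same generic "incorrect" message is returned whether the username is unknown or the password is wrong, so the response does not reveal which accounts exist.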
