
Fellow PHP Developers, Help Me Look In This. - Programming - Nairaland


Fellow PHP Developers, Help Me Look In This. by Sammyskills(m): 8:04pm On Jul 23, 2015
I'm creating a website, which will require users to register and log in. My choice of password security was Bcrypt (password hashing + salt), and I downloaded ircmaxell's password_compat code: https://github.com/ircmaxell/password_compat.

After requiring it in my functions file, the password_hash() function works very well. But the challenge now is to verify a user's password when logging in.
Here's my code for login:
if (!isset($error)) {
    // Use the input username and password and check against 'users' table
    $query = mysql_query("SELECT * FROM users
        WHERE username = '".mysql_real_escape_string($user_input)."' OR email = '".mysql_real_escape_string($user_input)."' LIMIT 1")
        or die(mysql_error());
    $count_row = mysql_num_rows($query);
    $row = mysql_fetch_assoc($query);

    if ($count_row == 1) {
        // Stored bcrypt hash for this user
        $hashed_password = $row['password'];
        if (!password_verify($password, $hashed_password)) {
            $error[] = "Login failed! Please check your entered email and/or password";
        } else if ($row['active'] < 1) {
            $error[] = "Account has not been activated.";
        } else {
            // Password verified and account active: write user data into PHP SESSION
        }
    }
}

I don't know what exactly I am doing wrong. Please help.
Re: Fellow PHP Developers, Help Me Look In This. by FincoApps(m): 8:45pm On Jul 23, 2015
If the encrypted password is what is stored in the database, then you need to first encrypt the user's input and check the encrypted user input against the database

1 Like

Re: Fellow PHP Developers, Help Me Look In This. by Sammyskills(m): 8:52pm On Jul 23, 2015
FincoApps:
If the encrypted password is what is stored in the database, then you need to first encrypt the user's input and check the encrypted user input against the database

Thanks for your comment.
If I have to encrypt the user's input, it will return a different hash and salt (even if the inputs are the same). That's the way BCRYPT works.
Re: Fellow PHP Developers, Help Me Look In This. by FincoApps(m): 9:00pm On Jul 23, 2015
Oh okay, I just read the SELECT statement well now self. What problem are you having now?
Sammyskills:


Thanks for your comment.
If I have to encrypt the user's input, it will return a different hash and salt (even if the inputs are the same). That's the way BCRYPT works.
Re: Fellow PHP Developers, Help Me Look In This. by omoelu1(m): 10:10pm On Jul 23, 2015
Sammyskills:


Thanks for your comment.
If I have to encrypt the user's input, it will return a different hash and salt (even if the inputs are the same). That's the way BCRYPT works.
If that is really how bcrypt works, then I think there is no way for you to test if the two are equal.
Well, maybe if there's a way to decrypt the already encrypted password, then check the entered password against the decrypted one.
But if there's no way of decrypting, then to the best of my knowledge, there is no actual way of testing true equality.
Re: Fellow PHP Developers, Help Me Look In This. by Nobody: 10:25pm On Jul 23, 2015
@op, did you not read how to verify a password right on the same page?

Verifying Password Hashes

To verify a hash created by password_hash, simply call:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}
That's all there is to it.

https://github.com/ircmaxell/password_compat

The writer of the script has given you everything; please don't bother the guys here unless you can't read.

1 Like

Re: Fellow PHP Developers, Help Me Look In This. by FincoApps(m): 6:52am On Jul 24, 2015
So you can be serious?
dhtml18:
@op, did you not read how to verify a password right on the same page



https://github.com/ircmaxell/password_compat

The writer of the script has given you everything; please don't bother the guys here unless you can't read.
Re: Fellow PHP Developers, Help Me Look In This. by Sammyskills(m): 6:54am On Jul 24, 2015
I have been able to get the password_verify function to work. The challenge was that I was verifying with a different variable.

In my registration page, I had

$password = password_hash($password, PASSWORD_BCRYPT);


And in my login page, I had

password_verify($password, $hashed_password);


So after changing to

$hashed_password = password_hash($password, PASSWORD_BCRYPT);
in my registration page, the password_verify function now works perfectly.

Thank you @FincoApps, @omoelu1 and @dhtml18. I'm very grateful.

1 Like
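
The registration and login flow discussed in this thread, as an added example that is not code from any poster or from password_compat: it shows that two hashes of the same password differ, and that verification still works because the salt and cost are stored inside the hash itself. It assumes PHP 5.6 or later with pdo_sqlite, swaps the thread's mysql_* calls for PDO prepared statements on an in-memory SQLite database so it runs offline, and the helper names register() and login() and the sample accounts are hypothetical.

```php
<?php
// Added example (not code from the thread). Assumes PHP >= 5.6 with pdo_sqlite;
// the table layout and the helpers register()/login() are hypothetical.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, email TEXT UNIQUE,
                               password TEXT, active INTEGER)');

function register(PDO $db, $username, $email, $password, $active)
{
    // Store exactly what password_hash() returns: one string that already
    // carries the algorithm id, the cost and the random salt.
    $hashed_password = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $email, $hashed_password, $active]);
    return $hashed_password;
}

function login(PDO $db, $user_input, $password)
{
    $stmt = $db->prepare('SELECT * FROM users
                          WHERE username = ? OR email = ? LIMIT 1');
    $stmt->execute([$user_input, $user_input]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Plain-text input goes first, the stored hash second. password_verify()
    // reads the salt and cost out of the stored hash and recomputes with them.
    if ($row === false || !password_verify($password, $row['password'])) {
        return 'Login failed! Please check your entered email and/or password';
    }
    if ((int) $row['active'] < 1) {
        return 'Account has not been activated.';
    }
    return 'OK';
}

// Constructed sample accounts: same password, one active and one not.
$h1 = register($db, 'alice', 'alice@example.test', 'correct horse', 1);
$h2 = register($db, 'bob', 'bob@example.test', 'correct horse', 0);

var_dump($h1 === $h2);                               // are the two stored hashes equal?
var_dump(substr($h1, 0, 7));                         // algorithm id and cost prefix
var_dump(hash_equals($h1, crypt('correct horse', $h1))); // re-hash using the stored salt
var_dump(login($db, 'alice', 'correct horse'));      // active account, right password
var_dump(login($db, 'alice@example.test', 'wrong')); // lookup by email, wrong password
var_dump(login($db, 'bob', 'correct horse'));        // right password, inactive account
```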

Re: Fellow PHP Developers, Help Me Look In This. by Nobody: 7:51am On Jul 24, 2015
FincoApps:
So you can be serious ?
Chisox! What do you people take me for? A comedian or a programmer?
Re: Fellow PHP Developers, Help Me Look In This. by maekhel(m): 8:09am On Jul 24, 2015
dhtml18:

Chisox! what do you people take me for? A comedian or a programmer?
A mix in between
