php - PasswordHash check and login

Question

I'm currently experimenting with php and mysql and am trying to create a simple sign up and log in page, using html forms.

So far, I've created a sign up form which takes user information such as, name, email and password.

To store the password securely I've used PHPass which uses a hashing function to encrypt and store the password in my database table.

Up to now, I've been able to take a users submitted password, run the hashing function and store the password onto my table.

The problem I'm having now is how can I then, create a separate HTML form (log in) which takes the users email and password, check the password against the hashed password stored on the table to sign the user into their account.

To save the passwords I have:

require 'phpass/PasswordHash.php'; 

$user_password = ($_POST['password']);   

// Create a secure password 
$hasher = new PasswordHash(10, false); 
$user_password_hashed = $hasher->HashPassword($user_password);

Then, using an SQL query:

$core_customer_insert = "INSERT INTO core_customer_information(firstname, lastname, email, password, activation_code, activated) VALUES ( 
                '".$conn->real_escape_string($first_name)."',
                '".$conn->real_escape_string($last_name)."',
                '".$conn->real_escape_string($email)."',
                '".$conn->real_escape_string($user_password_hashed)."',
                '".$conn->real_escape_string($code)."',
                '0')";

I save the needed information into my table.

I've then created a new .php file which holds scripts used to sign in the user.

HTML for sign-in:

<form action="sign-in-script.php" method="POST"> 
    <table style="width:100%"> 
        <tr> 
            <th><input type="text" name="email" required placeholder="Email" /></th>
            <th><input type="password" name="password" required placeholder="Password" /></th>
            <th> <input class="button" id="sign-in-show" type="submit" value="Sign in" name="submit" /> </th>
        </tr>
    </table>
</form>

My sign-in-script.php then gets the email address and password using POST:

$email = $_POST['email']; 
$user_password = $_POST['password'];

where then I have created an SQL query to check if the email and password match any stored rows in my table:

SELECT * FROM core_customer_information WHERE email='".$email."' AND password='".$user_password."' LIMIT 1

The problem I'm not able to grasp is that, at the moment, my query is checking if the password in the db table matching the password which has been used as $_POST, but obviously wouldn't return any result because it isn't the same as the hashed version of the password stored securely.

I'm not entirely sure the way I am supposed to check the password given from the form against the hashed version on the db table.

The php library used: PHPass

I would appreciate if someone could possibly explain the process in which I would use to solve my problem.

Thanks in advance and sorry the question is so large. I was trying to explain as best I could.

Answer 1

I'd suggest removing the AND clause from the query, and checking the password at a later stage. Like so:

$query = mysqli_query($your_connection, "SELECT username, password FROM users WHERE username = '$username'");

    $result = mysqli_fetch_assoc($query);

    if (mysqli_affected_rows($your_connection) == 1) {
        if (password_verify($password, $result['password'])) {
            return true;
        } else {
            return false;
        }
    } else {
        return false;
    }

edit: the above uses 5.5 password_verify to check whether the hash stored in the database table ($result['password']) matches the password provided ($password)

http://php.net/manual/en/function.password-hash.php