Password_Hash not working on my PHP login

Time:11-10

I am making a login and registration form and I use password_hash for password encryption, the problem is that when I log in it does not recognize my password and I get the error "the password is incorrect" (a message that I set). In the registration form there are no problems, but maybe it has to do with the error that I have.

Login.php

<?php
include 'connect/config.php';
session_start();
error_reporting(0);

if (isset($_SESSION["user_id"])) {
  header('Location: home');
}

if (isset($_POST["signin"])) {
  $email = mysqli_real_escape_string($conn, $_POST["email"]);
  $password = mysqli_real_escape_string($conn, $_POST["password"]);

  $check_email = mysqli_query($conn, "SELECT id FROM users WHERE email='$email' AND password='$password'");

  if (mysqli_num_rows($check_email) > 0) {
    $row = mysqli_fetch_array($check_email);
    $_SESSION["user_id"] = $row['id'];
    if (password_verify($password, $row['password'])){
        $msg[] = "You have successfully logged in.";
    }
    header('Location: home');
    
  } else {
    $msg[] = "The password or email is incorrect.";
  }
}
?>

Now, if I change the $check_email = mysqli_query($conn, "SELECT id FROM users WHERE email='$email' AND password='$password'"); to $check_email = mysqli_query($conn, "SELECT id, password FROM users WHERE email='$email'"); I can enter the home, but with any password and not the one I registered with.

Registration.php

<?php

include 'connect/config.php';
session_start();
error_reporting(0);

if (isset($_SESSION["user_id"])) {
    header("Location: home");
}
if (isset($_POST["signup"])) {
    $full_name = mysqli_real_escape_string($conn, $_POST["signup_full_name"]);
    $email = mysqli_real_escape_string($conn, $_POST["signup_email"]);
    $password = mysqli_real_escape_string($conn, $_POST["signup_password"]);
    $cpassword = mysqli_real_escape_string($conn, $_POST["signup_cpassword"]);
    $token = md5(rand());
  
    $check_email = mysqli_num_rows(mysqli_query($conn, "SELECT email FROM users WHERE email='$email'"));
  
    if ($password !== $cpassword) {
      $msg[] = "Passwords do not match";
    } elseif ($check_email > 0) {
      $msg[] = "The email already exists, try another.";
    } else {
      $passHash = password_hash($password, PASSWORD_BCRYPT);
      $sql = "INSERT INTO users (full_name, email, password, token, status) VALUES ('$full_name', '$email', '$passHash', '$token', '0')";
      $result = mysqli_query($conn, $sql);
      if ($result) {

        header('Location: login');

        $_POST["signup_full_name"] = "";
        $_POST["signup_email"] = "";
        $_POST["signup_password"] = "";
        $_POST["signup_cpassword"] = "";
        $msg[] = "Registered user successfully.";
      } else {
        $msg[] = "User registration failed, please try again later.";
      }
    }
}
?>

I hope you can help me.

I have reviewed my code, but my low level of knowledge in PHP prevents me from finding the error. I hope you can do it for me; I would be grateful.

CodePudding user response:

You should not have "AND password='$password'" in the query. The password in the database is the hashed password, not the same as $password. You should just fetch the row using the email, then use password_verify() to check the password.

You also need to select the password column so you can verify it.

$check_email = mysqli_query($conn, "SELECT id, password FROM users WHERE email='$email'");

You also have problems with your logic. You set the session variable and redirect to home regardless of the password verification. It should be:

$row = mysqli_fetch_array($check_email);
    
if ($row && password_verify($password, $row['password'])){
    $msg[] = "You have successfully logged in.";
    $_SESSION["user_id"] = $row['id'];
    header('Location: home');
} else {
    $msg[] = "The password or email is incorrect.";
}

You also shouldn't escape the password before hashing or verifying it. And of course, if you correctly use prepared statements with parameters, you shouldn't escape anything first.
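The following is an added example, not the asker's or the answerer's code, that puts the points above together: the user row is fetched by email only, the stored hash is checked with password_verify(), nothing is escaped because prepared statements carry the values, and the session is only set after verification succeeds. It assumes a mysqli connection in $conn from the asker's connect/config.php and the users table from the question (id, full_name, email, password, token, status); the random_bytes() token and the exit after header() are additions, and the table and column names are taken from the question rather than from any real schema.

```php
<?php
// Added example: registration and login with prepared statements,
// password_hash() and password_verify(). Assumes $conn (mysqli) comes
// from the asker's connect/config.php and the users table from the question.
declare(strict_types=1);

require 'connect/config.php';
session_start();

function registerUser(mysqli $conn, string $fullName, string $email, string $password): bool
{
    // Hash the raw password; do not escape it first, escaping is for SQL
    // strings and prepared statements make it unnecessary anyway.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Replacement for md5(rand()) in the question: unpredictable token.
    $token = bin2hex(random_bytes(16));
    $status = 0;

    $stmt = $conn->prepare(
        'INSERT INTO users (full_name, email, password, token, status) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssi', $fullName, $email, $hash, $token, $status);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Returns the user id on success, null when the email is unknown or the
// password does not match (one message for both, so no user enumeration).
function authenticate(mysqli $conn, string $email, string $password): ?int
{
    // Select by email only: the column holds a bcrypt hash, so a
    // "password = ?" condition in SQL can never match the typed password.
    $stmt = $conn->prepare('SELECT id, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $storedHash)) {
        return null;
    }

    // If the default algorithm or cost has changed since the hash was
    // stored, rehash now while the plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $up = $conn->prepare('UPDATE users SET password = ? WHERE id = ?');
        $up->bind_param('si', $newHash, $id);
        $up->execute();
        $up->close();
    }
    return (int) $id;
}

// Login handler: the session variable is set and the redirect issued only
// after password_verify() has succeeded, never before.
$msg = [];
if (isset($_POST['signin'])) {
    $userId = authenticate($conn, $_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($userId !== null) {
        session_regenerate_id(true);   // new session id on login (session fixation)
        $_SESSION['user_id'] = $userId;
        header('Location: home');
        exit;                          // header() does not stop the script by itself
    }
    $msg[] = 'The password or email is incorrect.';
}
```

Two things worth noticing against the question's code: the redirect is followed by exit, because header() only queues the response header and the rest of the script keeps running otherwise; and the failure branch produces the same message whether the email was unknown or the password was wrong, so the login form does not reveal which accounts exist.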
