[Solved] hello world! implement password_verify

Question

First of all, you only have to use “WHERE username =”. You don’t have to check the password when you do the request.

Secondly, you have to verify the password.

Finally, you should also used prepared statements, it’s more secure.

So, your code should look like this (the code provided may not be usable as is but you can tweak it to get the result that you want and read the doc to understand prepared statements and how password_verify works):

$sql = "SELECT * FROM table2 WHERE username = :username";
$request = $conn->prepare($sql);
$request->execute([":username" => $_POST["username"]]);  
$user = $request->fetchAll()[0];

if(password_verify($_POST["password"], $user->password)){
    //user is logged in
}else{
    //password is wrong
}

Accepted Answer

First of all, you only have to use “WHERE username =”. You don’t have to check the password when you do the request.

Secondly, you have to verify the password.

Finally, you should also used prepared statements, it’s more secure.

So, your code should look like this (the code provided may not be usable as is but you can tweak it to get the result that you want and read the doc to understand prepared statements and how password_verify works):

$sql = "SELECT * FROM table2 WHERE username = :username";
$request = $conn->prepare($sql);
$request->execute([":username" => $_POST["username"]]);  
$user = $request->fetchAll()[0];

if(password_verify($_POST["password"], $user->password)){
    //user is logged in
}else{
    //password is wrong
}