    <?php
    require "db.php";

    $data   = $_POST;
    $errors = array();

    if (isset($data['do_login'])) {
        $user = R::findOne('users', 'login = ?', array($data['login']));
        if ($user) {
            if (password_verify($data['password'], $user->password)) {
                //$_SESSION['logged_user'] = $user;
                echo '<div style="color: green;">Ну все</div><hr>';
            } else {
                $errors[] = 'pass no?';
            }
        } else {
            $errors[] = 'no akk';
        }
    }

    if (!empty($errors)) {
        echo '<div style="color: red;">' . array_shift($errors) . '</div><hr>';
    }

    // Escape the submitted login before echoing it back into the page,
    // otherwise the form reflects arbitrary HTML/JS (reflected XSS).
    $loginValue = isset($data['login']) ? htmlspecialchars($data['login'], ENT_QUOTES) : '';
    ?>
    <form action="/login.php" method="POST">
        <p>
            <p><strong>Login</strong>:</p>
            <input type="text" name="login" value="<?php echo $loginValue; ?>">
        </p>
        <p>
            <p><strong>pass</strong>:</p>
            <input type="password" name="password">
        </p>
        <p>
            <button type="submit" name="do_login">login</button>
        </p>
    </form>

I enter a login that is not in the DB: it prints "no akk" (login is not in the database). I enter a login that is in the database with an incorrect password: it prints "pass no" (password is not correct). I enter the login and the correct password: it again prints "pass no" (password is not correct).

    object(RedBeanPHP\OODBBean)#15 (10) {
      ["properties":protected]=>
      array(5) {
        ["id"]=>
        string(2) "20"
        ["login"]=>
        string(5) "root1"
        ["password"]=>
        string(30) "$2y$10$6F****************"
        ["pin"]=>
        string(4) "1234"
        ["email"]=>
        string(3) "123"
      }
      ["__info":protected]=>
      array(5) {
        ["type"]=>
        string(5) "users"
        ["sys.id"]=>
        string(2) "id"
        ["sys.orig"]=>
        array(5) {
          ["id"]=>
          string(2) "20"
          ["login"]=>
          string(5) "root1"
          ["password"]=>
          string(30) "$2y$10$6****************"
          ["email"]=>
          string(3) "123"
        }
        ["tainted"]=>
        bool(false)
        ["changed"]=>
        bool(false)
      }
      ["beanHelper":protected]=>
      object(RedBeanPHP\BeanHelper\SimpleFacadeBeanHelper)#11 (0) {
      }
      ["fetchType":protected]=>
      NULL
      ["withSql":protected]=>
      string(0) ""
      ["withParams":protected]=>
      array(0) {
      }
      ["aliasName":protected]=>
      NULL
      ["via":protected]=>
      NULL
      ["noLoad":protected]=>
      bool(false)
      ["all":protected]=>
      bool(false)
    }

This is the code:

    var_dump($user);

  • Check the $user value and $user->password, where the hash should be: var_dump($user); die; - tcpack4

2 answers

Based on this information

    ["password"] => string(30) "$2y$10$6F*****************"

I assume that the length of the password field in the users table is 30 characters.

This is not enough to store the hash returned by the password_hash() function:

    PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

You should increase the length of the field that stores the hash to 255 characters and regenerate the passwords of all users with the password_hash() function.

P.S. If the current length of the password field is already >= 60 characters, you should look in the code for what cuts the password hash down to 30 characters.
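Added example in PHP (not code from the question or from either answer) that demonstrates this diagnosis: a bcrypt hash is exactly 60 characters, so a column that keeps only the first 30 makes password_verify() fail even for the correct password, and a login routine can detect that damaged stored value instead of reporting "wrong password". The column lengths, the sample password and the MySQL ALTER statement are assumptions.

```php
<?php
// Added example (not code from the question or the answers): shows why a
// password column of 30 characters makes password_verify() fail, and how a
// login routine can tell "damaged stored hash" apart from "wrong password".
// Column lengths and the sample password below are constructed for the demo.

// Simulates what a VARCHAR($columnLength) column keeps of a bcrypt hash
// when the database is not in strict mode: the value is silently truncated.
function hash_as_stored(string $plain, int $columnLength): string
{
    $hash = password_hash($plain, PASSWORD_DEFAULT); // bcrypt: exactly 60 chars
    return substr($hash, 0, $columnLength);
}

// True only when the stored value is a complete bcrypt hash
// ("$2y$" + 2-digit cost + "$" + 53 characters of salt and digest = 60);
// password_get_info() reports anything shorter as "unknown".
function is_complete_bcrypt(string $stored): bool
{
    return password_get_info($stored)['algoName'] === 'bcrypt';
}

// The check the login script should do instead of calling password_verify()
// blindly: a truncated hash is a schema/data bug, not a user typo, and
// reporting it as "wrong password" hides the real cause (as in the question).
function check_login(string $submitted, string $stored): string
{
    if (!is_complete_bcrypt($stored)) {
        error_log('login: stored password hash is not a complete bcrypt hash '
                . '(length ' . strlen($stored) . '); widen the column and re-hash');
        return 'stored hash is damaged';
    }
    return password_verify($submitted, $stored) ? 'ok' : 'wrong password';
}

$plain = 'correct horse battery staple';   // constructed sample password

$stored30  = hash_as_stored($plain, 30);   // what a VARCHAR(30) column keeps
$stored255 = hash_as_stored($plain, 255);  // what a VARCHAR(255) column keeps

foreach (['VARCHAR(30)' => $stored30, 'VARCHAR(255)' => $stored255] as $col => $h) {
    printf("%-12s length=%d complete=%s result=%s\n",
        $col, strlen($h), is_complete_bcrypt($h) ? 'yes' : 'no',
        check_login($plain, $h));
}

// Fix (MySQL syntax; assumes the users table is MySQL-backed), then re-hash
// every user's password with password_hash() after widening the column:
//   ALTER TABLE users MODIFY password VARCHAR(255) NOT NULL;
```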

    The password_verify function compares a password against its hash. In your case, I think you need to compare the passwords for exact equality. Try replacing

        password_verify( $data['password'], $user->password )

    with

        $data['password'] === $user->password

    • More bad advice! ;) - Visman
    • Does not work :( - RootBank
    • How do you save the password to the database? - Sergej