'Hashed Password Check Issue
I am working on a Forgot-Password system where users are emailed a ForgotKey code to enter to access a reset password screen. When this ForgotKey is entered into the database, it is hashed. I used a similar system for my signup page and it's working correctly. I copied most of the code over from that system and now I am getting an error that the user's inputted password does not match the hashed password in the database. Am I using the correct password_verify code for this scenario?
$Email = $_SESSION['PWResetEmail'];
$ForgotKey = $_POST['ForgotKey'];
$ForgotKeySQL = "SELECT Email, ForgotKey, ForgotTime, UserID FROM UserTable WHERE Email = ?";
$ForgotKeySTMT = $conn->prepare($ForgotKeySQL);
$ForgotKeySTMT->bind_param("s", $Email);
$ForgotKeySTMT->execute();
$ForgotKeyRESULT = $ForgotKeySTMT->get_result(); // get the mysqli result
while ($ForgotKeyROW = $ForgotKeyRESULT->fetch_assoc()) {
// A: If password matches DO NOT hash, then send user back to forgot.php to retry
$ForgotKeyCheck = password_verify($ForgotKey, $ForgotKeyROW['ForgotKey']);
if ($ForgotKeyCheck == false) { // <----- code is failing here
$ForgotKeySTMT->free_result();
$ForgotKeySTMT->close();
header("Location: ../forgot.php?4");
exit();
}
// A: If password matches hash, then let user pass to next step of forgot password system.
else if ($ForgotKeyCheck == true) { // <---- I want this line to be true
$ForgotTimeFINAL = $ForgotKeyROW['ForgotTime'];
$UserIDTemp = $ForgotKeyROW['UserID'];
$_SESSION['UserIDTemp'] = $UserIDTemp;
$_SESSION['ForgotKey'] = $ForgotKeyROW['ForgotKey'];
$ForgotKeySTMT->free_result();
$ForgotKeySTMT->close();
header("Location: ../forgot.php?3");
exit();
}
else {
$ForgotKeySTMT->free_result();
$ForgotKeySTMT->close();
header("Location: ../forgot.php?2");
exit();
}
}
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|