PrinceJ 0 Report post Posted June 16, 2018 Well, As the title says: MySQL Database stores password of users using default PHP password_hash() function when registering. Now I am not able to find out a way to login using prepared statement to avoid SQL injections, I mean I can't use password_verify as I am not able to fetch user password from database without executing the query. Share this post Link to post Share on other sites
dsonesuk 846 Report post Posted June 16, 2018 ??? You use the username and password value they provided, hash the password value and identify if they both match with those stored in database Share this post Link to post Share on other sites
Ingolme 939 Report post Posted June 16, 2018 The logic is pretty simple and can be done easily with prepared statements. There are many ways to do it, here is one of them: <?php $username = $_POST['username']; $password = $_POST['password']; // Database connection logic. See documentation: // http://php.net/manual/en/pdo.construct.php // $pdo = new PDO(...) $query = $pdo->prepare('SELECT `hashed_password` FROM `users` WHERE `username` = :username LIMIT 1'); $query->bindParam(':username', $username); $query->execute(); $query->bindColumn('hashed_password', $hashed_password); if($query->fetch(PDO::FETCH_BOUND)) { if(password_verify($password, $hashed_password)) { echo 'User is logged in'; } else { echo 'Wrong username or password'; } } else { echo 'Wrong username or password'; } Share this post Link to post Share on other sites
PrinceJ 0 Report post Posted June 17, 2018 OMG, Thanks a lot Ik that was a stupid question, Archive this. Share this post Link to post Share on other sites
