[PHP] strings equal but not equalling?

[LiteTeBoss]

Hello there,
I have this bit of PHP code which grabs a encrypted password from a DB and compares it to what is posted. This sometimes works but mostly won't.

Here's the code for the script (ofcourse without database connection):

$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
               
                if($enc == $row['password']){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

I did echo the Strings and they do equal each other and there is no errors.

Any ideas?

 

[BIOS]

Hello there,
I have this bit of PHP code which grabs a encrypted password from a DB and compares it to what is posted. This sometimes works but mostly won't.

Here's the code for the script (ofcourse without database connection):

$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
             
                if($enc == $row['password']){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

I did echo the Strings and they do equal each other and there is no errors.

Any ideas?

What happens? Also your return statements don't require quotes.

Quoting them just renders them as a string when they are actually boolean
return true|1
return false|0

 

[LiteTeBoss]

What happens? Also your return statements don't require quotes.

the return is string because I was too lazy to check it on the other side to see if its a string or boolean. It always returns false and if I use the '==' it will always return true

 

[BIOS]

the return is string because I was too lazy to check it on the other side to see if its a string or boolean. It always returns false and if I use the '==' it will always return true

$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
              
                if($enc == $row['password']){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

if($row['confirmed'] == "true"){

What is $row['confirmed'], it shouldn't have quotes around true

 

[RastaLulz]

For one, you should NOT be using md5() to hash your passwords, please look into password_hash().

The way you should be verifying credentials is by hashing the password first, and then in your SQL query checking where that email is used, along with the hashed password. I also assume you're setting $_POST['password'] to $password at some point.

 

[LiteTeBoss]

if($row['confirmed'] == "true"){

What is $row['confirmed'], it shouldn't have quotes around true

its stored in the database in as a string
 

For one, you should NOT be using md5() to hash your passwords, please look into password_hash().

The way you should be verifying credentials is by hashing the password first, and then in your SQL query checking where that email is used, along with the hashed password. I also assume you're setting $_POST['password'] to $password at some point.

And what if two have the same password? Also, I tried password_hash() and didn't get on with it as it kept messing up

 

[BIOS]

its stored in the database in as a string
 

And what if two have the same password? Also, I tried password_hash() and didn't get on with it as it kept messing up

Oh, it is?

You say when you echo the md5($_POST['password']) along with the database value, they match?

At which point in the app is it actually returning "FALSE"?

 

[LiteTeBoss]

Oh, it is?

You say when you echo the md5($_POST['password']) along with the database value, they match?

At which point in the app is it actually returning "FALSE"?

That is correct. I have also tried:

$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
                echo $enc." == ".$row['password'];
                if(strcmp($enc, $row['password']) == 0){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

And problems still
 

That is correct. I have also tried:

$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
                echo $enc." == ".$row['password'];
                if(strcmp($enc, $row['password']) == 0){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

And problems still

-- NOTE --
After reuploading the passwords changed when no one has DB access... 86c8119123a202a0391be428399b3fbd (sent) == d41d8cd98f00b204e9800998ecf8427e (db)

 

[BIOS]

That is correct. I have also tried:

$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
                echo $enc." == ".$row['password'];
                if(strcmp($enc, $row['password']) == 0){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

And problems still
 

-- NOTE --
After reuploading the passwords changed when no one has DB access... 86c8119123a202a0391be428399b3fbd (sent) == d41d8cd98f00b204e9800998ecf8427e (db)

What do you mean, the password which you submitted is different to the one stored in the table?

 

[RastaLulz]

its stored in the database in as a string
 

And what if two have the same password? Also, I tried password_hash() and didn't get on with it as it kept messing up

Assuming confirmed means they have confirmed their email, and only one user can have a specific email confirmed, this is how you'd do it:

SELECT * FROM tbl_users WHERE email = :email AND confirmed = 'true' AND password = :hashedPassword

Otherwise, you should probably use something unique like a username.

 

[Ecko]

That is correct. I have also tried:
After reuploading the passwords changed when no one has DB access... 86c8119123a202a0391be428399b3fbd (sent) == d41d8cd98f00b204e9800998ecf8427e (db)

If you're getting different password hashes then the way you are hashing before checking is incorrect. Where's your register script that shows how the password is being hashed?