[PHP] strings equal but not equalling?

LiteTeBoss

New Member
Jan 17, 2016
8
0
Hello there,
I have this bit of PHP code which grabs a encrypted password from a DB and compares it to what is posted. This sometimes works but mostly won't.

Here's the code for the script (ofcourse without database connection):
PHP:
$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
               
                if($enc == $row['password']){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

I did echo the Strings and they do equal each other and there is no errors.

Any ideas?
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Hello there,
I have this bit of PHP code which grabs a encrypted password from a DB and compares it to what is posted. This sometimes works but mostly won't.

Here's the code for the script (ofcourse without database connection):
PHP:
$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
             
                if($enc == $row['password']){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

I did echo the Strings and they do equal each other and there is no errors.

Any ideas?
What happens? Also your return statements don't require quotes.

Quoting them just renders them as a string when they are actually boolean
return true|1
return false|0
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
the return is string because I was too lazy to check it on the other side to see if its a string or boolean. It always returns false and if I use the '==' it will always return true

PHP:
$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
              
                if($enc == $row['password']){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }
if($row['confirmed'] == "true"){

What is $row['confirmed'], it shouldn't have quotes around true
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,934
3,933
For one, you should NOT be using md5() to hash your passwords, please look into password_hash().

The way you should be verifying credentials is by hashing the password first, and then in your SQL query checking where that email is used, along with the hashed password. I also assume you're setting $_POST['password'] to $password at some point.
 

LiteTeBoss

New Member
Jan 17, 2016
8
0
if($row['confirmed'] == "true"){

What is $row['confirmed'], it shouldn't have quotes around true
its stored in the database in as a string
 
For one, you should NOT be using md5() to hash your passwords, please look into password_hash().

The way you should be verifying credentials is by hashing the password first, and then in your SQL query checking where that email is used, along with the hashed password. I also assume you're setting $_POST['password'] to $password at some point.
And what if two have the same password? Also, I tried password_hash() and didn't get on with it as it kept messing up
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
its stored in the database in as a string
 

And what if two have the same password? Also, I tried password_hash() and didn't get on with it as it kept messing up
Oh, it is?

You say when you echo the md5($_POST['password']) along with the database value, they match?

At which point in the app is it actually returning "FALSE"?
 

LiteTeBoss

New Member
Jan 17, 2016
8
0
Oh, it is?

You say when you echo the md5($_POST['password']) along with the database value, they match?

At which point in the app is it actually returning "FALSE"?
That is correct. I have also tried:
PHP:
$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
                echo $enc." == ".$row['password'];
                if(strcmp($enc, $row['password']) == 0){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

And problems still
 
That is correct. I have also tried:
PHP:
$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
                echo $enc." == ".$row['password'];
                if(strcmp($enc, $row['password']) == 0){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

And problems still
-- NOTE --
After reuploading the passwords changed when no one has DB access... 86c8119123a202a0391be428399b3fbd (sent) == d41d8cd98f00b204e9800998ecf8427e (db)
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
That is correct. I have also tried:
PHP:
$stmt = $db->prepare('SELECT confirmed,password FROM tbl_users WHERE email=:email');
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->execute();
        if($stmt->rowCount() > 0){
            foreach($stmt->fetchAll(PDO::FETCH_ASSOC) as $row){
                $enc = md5($password);
                echo $enc." == ".$row['password'];
                if(strcmp($enc, $row['password']) == 0){
                    if($row['confirmed'] == "true"){
                        return 'TRUE';
                    }else{
                        return "unconfirmed";
                    }
                }else{
                    return "FALSE";
                }
            }
        }else{
            return "FALSE";
        }

And problems still
 

-- NOTE --
After reuploading the passwords changed when no one has DB access... 86c8119123a202a0391be428399b3fbd (sent) == d41d8cd98f00b204e9800998ecf8427e (db)
What do you mean, the password which you submitted is different to the one stored in the table?
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,934
3,933
its stored in the database in as a string
 

And what if two have the same password? Also, I tried password_hash() and didn't get on with it as it kept messing up
Assuming confirmed means they have confirmed their email, and only one user can have a specific email confirmed, this is how you'd do it:
Code:
SELECT * FROM tbl_users WHERE email = :email AND confirmed = 'true' AND password = :hashedPassword
Otherwise, you should probably use something unique like a username.
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
That is correct. I have also tried:
After reuploading the passwords changed when no one has DB access... 86c8119123a202a0391be428399b3fbd (sent) == d41d8cd98f00b204e9800998ecf8427e (db)
If you're getting different password hashes then the way you are hashing before checking is incorrect. Where's your register script that shows how the password is being hashed?
 

Users who are viewing this thread

Top