patternphpMinor
Website user password verification
Viewed 0 times
websiteverificationuserpassword
Problem
I have a login web page where a user enters their email and password and I need to check if:
The password in the DB was hashed with
and is stored in a
Email is set to primary and unique in the DB so there cannot be a duplicate record for this.
To achieve the above I came to the below which works as intended for me.
However, since I am new to this and because of the double DB connection I was wondering if there is a way to shorten or otherwise improve this code.
- the entered email exists in the DB and
- the entered password matches the hashed one from the db.
The password in the DB was hashed with
$pw = password_hash($_POST["pw"], PASSWORD_BCRYPT);and is stored in a
VARCHAR(255) column. Email is set to primary and unique in the DB so there cannot be a duplicate record for this.
To achieve the above I came to the below which works as intended for me.
However, since I am new to this and because of the double DB connection I was wondering if there is a way to shorten or otherwise improve this code.
$email = $_POST["email"];
$pw = $_POST["pw"];
$stmt = $conn->prepare("SELECT email FROM Users WHERE email = ?");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
if(mysqli_num_rows($result) == 0){
echo "Email has not been registered yet";
}else{
$stmt = $conn->prepare("SELECT pw FROM Users WHERE email = ? LIMIT 1");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
$pwHashed = $result->fetch_assoc();
if(password_verify($pw, $pwHashed["pw"])){
echo "Password correct";
}else{
echo "Password incorrect";
}
}Solution
You really don't need two queries to do this. You can just use your second query, and if it doesn't return any results, report that. Eg:
Other than this, your code looks good. You use prepared statements, so it's secure, and your style is consistent and easy to read. I would probably write
$stmt = $conn->prepare("SELECT pw FROM Users WHERE email = ? LIMIT 1");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
if(mysqli_num_rows($result) == 0){
echo "Email has not been registered yet";
}
$pwHashed = $result->fetch_assoc();
if(password_verify($pw, $pwHashed["pw"])){
echo "Password correct";
}else{
echo "Password incorrect";
}Other than this, your code looks good. You use prepared statements, so it's secure, and your style is consistent and easy to read. I would probably write
pw as password as it's more readable, but otherwise everything looks good.Code Snippets
$stmt = $conn->prepare("SELECT pw FROM Users WHERE email = ? LIMIT 1");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
if(mysqli_num_rows($result) == 0){
echo "Email has not been registered yet";
}
$pwHashed = $result->fetch_assoc();
if(password_verify($pw, $pwHashed["pw"])){
echo "Password correct";
}else{
echo "Password incorrect";
}Context
StackExchange Code Review Q#94528, answer score: 3
Revisions (0)
No revisions yet.