Hiya,

It seems to me that if I put a condition on

mysqli_stmt_fetch($stmt);

to check if the user credentials were OK enough for the data to be fetched, then the whole purpose of using the following function is defeated.

password_verify()

This is what I mean ..

function process_login_form()
{
    //Query DB.
    //Check if User is already logged in or not.
    mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);
    $conn = mysqli_connect("localhost","root","","buzz");
    // mysqli_connect("server","user","password","db");

    $stmt = mysqli_stmt_init($conn);
    $sql_count = "SELECT password FROM domains WHERE domain_email = ?";

    if(!mysqli_stmt_prepare($stmt,$sql_count))
    {
        unset_sessions();
        echo 'ERROR 1: Something went wrong. Please try again later!';
    }
    else
    {
        mysqli_stmt_bind_param($stmt,"s",$_SESSION['domain_email']);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt,$db_password);
        mysqli_stmt_fetch($stmt);
        if(!mysqli_stmt_fetch($stmt))
        {
            echo __LINE__; echo '<br>';
            echo 'ERROR 2: Fetching failed';
        }

        if(!password_verify(trim($_POST['password']),$db_password)) //Incorrect User Credentials.
        {
            echo __LINE__; echo '<br>';
            mysqli_stmt_close($stmt);
            mysqli_close($conn);

            unset_sessions();
            echo 'ERROR 3: <b>Incorrect User Credentials!</b><br>';
        }
        else //Correct User Credentials.
        {
            header('location: home_Template.php');
        }
    }
}

When I type the wrong password, the script ends here:

if(!mysqli_stmt_fetch($stmt))
{
    echo __LINE__; echo '<br>';
    echo 'ERROR 2: Fetching failed';
}

So this part prevents the user from logging into his account if the password is wrong. Therefore, there is no need to check the password with password_verify() if I add a condition on mysqli_stmt_fetch().
So now I conclude that if I add a condition on mysqli_stmt_fetch(), then there is no need for me to check for password correction with password_verify().
And if I want to check for password correction with password_verify(), then there is no need to add a condition on mysqli_stmt_fetch(), like so:

if(!mysqli_stmt_fetch($stmt))
{
    echo __LINE__; echo '<br>';
    echo 'ERROR 2: Fetching failed';
}

And I should just write like this:

mysqli_stmt_fetch($stmt)

Correct or not?
Anyway, what is the downside of checking for password correction with

if(!mysqli_stmt_fetch($stmt))
{
    echo __LINE__; echo '<br>';
    echo 'ERROR 2: Incorrect User Credentials';
}

rather than with

if(!password_verify(trim($_POST['password']),$db_password)) //Incorrect User Credentials.
{
    echo __LINE__; echo '<br>';
    mysqli_stmt_close($stmt);
    mysqli_close($conn);

    unset_sessions();
    echo 'ERROR 3: <b>Incorrect User Credentials!</b><br>';
}
else //Correct User Credentials.
{
    header('location: home_Template.php');
}

It is recommended to use password_verify() to check for password correctness instead of relying on a condition on mysqli_stmt_fetch() to prevent a user from logging in. This is because mysqli_stmt_fetch() is intended for fetching data from a result set and should not be used for authentication purposes.

Additionally, using password_verify() provides better security as it utilizes a secure hashing algorithm to compare the password entered by the user with the hashed password stored in the database. On the other hand, relying on a condition on mysqli_stmt_fetch() does not provide any hashing mechanism and can be vulnerable to attacks such as SQL injection.
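
Added example, not part of either post: mysqli_stmt_fetch() returns true when a row was fetched, null when there are no more rows and false on error, so it only reports whether a row exists for the e-mail, while password_verify() decides whether the submitted password matches the stored hash. The sketch below fetches once and keeps the two checks separate; login_outcome() and check_login() are hypothetical names, the table and column names come from the question, and the sample values are constructed.

```php
<?php
// Added example. login_outcome() and check_login() are hypothetical names;
// the table and column names are the ones used in the question.

// mysqli_stmt_fetch() returns true (row fetched), null (no more rows) or
// false (error). None of these says anything about the password.
function login_outcome(?bool $fetched, ?string $dbHash, string $submitted): string
{
    if ($fetched === false) {
        return 'error'; // database failure, not a credential failure
    }
    // Constructed dummy hash: an unknown e-mail still costs one hash check,
    // so response time does not reveal which e-mails exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    $known = ($fetched === true && $dbHash !== null);
    $match = password_verify($submitted, $known ? $dbHash : $dummy);

    // One answer for "no such e-mail" and "wrong password".
    return ($known && $match) ? 'ok' : 'denied';
}

function check_login(mysqli $conn, string $email, string $submitted): string
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $stmt = mysqli_prepare($conn, 'SELECT password FROM domains WHERE domain_email = ?');
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $dbHash);
    $fetched = mysqli_stmt_fetch($stmt); // call fetch exactly once per row
    mysqli_stmt_close($stmt);
    return login_outcome($fetched, $dbHash, $submitted);
}

// Constructed sample values, so the decision logic runs without a database.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
foreach ([
    'row found, right password' => [true, $hash, 'correct horse'],
    'row found, wrong password' => [true, $hash, 'wrong guess'],
    'no row for this e-mail'    => [null, null, 'correct horse'],
    'fetch reported an error'   => [false, null, 'correct horse'],
] as $case => [$fetched, $dbHash, $submitted]) {
    echo $case, ': ', login_outcome($fetched, $dbHash, $submitted), PHP_EOL;
}
```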
