You should be using prepared statements, something like the following:

```php
// Only the username goes into the query, as a named placeholder.
$sql = "SELECT id, hashed_password FROM " . static::$table . " WHERE username =:username LIMIT 1";
$user = static::fetch_by_column_name($sql);

// Check the submitted password against the stored hash.
if ($user && password_verify($this->password, $user['hashed_password'])) {
    unset($this->password, $user['hashed_password']);
    session_regenerate_id(); // prevent session fixation attacks
    static::$last_login = $_SESSION['last_login'] = time();
    $this->id = $_SESSION['id'] = $user['id'];
    header("Location: index.php");
    exit();
}

static::$error[] = 'Unable to login in!';
```
The code was taken from a PHP Class, but the important thing is the query just checks the username via a prepared statement and gets the hashed password stored in the database table. Then you verify the password against the database table. The whole code and more can be found here - phototechguru/Login.php at master · Strider64/phototechguru · GitHub
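
The snippet in the post hides the parameter binding inside the class's `fetch_by_column_name()` method. As an added example (not part of the original post or the linked repository), here is the same lookup-then-verify flow written out with plain PDO, including the rehash step; the `verify_login()` helper, the in-memory SQLite table and the sample accounts are constructed for illustration and assume the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, hashed_password TEXT)');

// Constructed sample accounts; only the password hash is ever stored.
$insert = $pdo->prepare('INSERT INTO users (username, hashed_password) VALUES (:username, :hash)');
$insert->execute([':username' => 'alice', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute([':username' => "o'brien", ':hash' => password_hash('battery staple', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the user id on success, null on any failure.
 */
function verify_login(PDO $pdo, string $username, string $password): ?int
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, hashed_password FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password give the same result, so the caller
    // cannot tell which of the two failed.
    if ($user === false || !password_verify($password, $user['hashed_password'])) {
        return null;
    }

    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($user['hashed_password'], PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE users SET hashed_password = :hash WHERE id = :id');
        $update->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }

    return (int) $user['id'];
}

// Correct password, wrong password, and a username containing a quote,
// which is matched as data rather than parsed as SQL.
var_dump(verify_login($pdo, 'alice', 'correct horse'));
var_dump(verify_login($pdo, 'alice', 'wrong password'));
var_dump(verify_login($pdo, "o'brien", 'battery staple'));
```

In a web request, the success branch is where `session_regenerate_id()` and the redirect from the post's code would go.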