Authenticating a user using mysqli and password_verify()

  1. Comments (1)

That's extremely popular question on various forums and Stack Overflow. And at the same time it's a very good example that can show you how to use Mysqli properly.

First of all make sure that your passwords are stored in the database using password_hash() function.

Then, given $conn variable contains a valid mysqli instance (here you can see how to connect with mysqli properly), the code to check the password will be as simple as that:

$stmt = $conn->prepare("SELECT * FROM users WHERE email = ?");
$stmt->bind_param("s", $_POST['email']);
$stmt->execute();
$user = $stmt->get_result()->fetch_assoc();

if ($user && password_verify($_POST['pass'], $user['pass']))
{
    // credentials are OK, add user in a session etc...;
} else {
    // login failed;
}

Here we are checking in one condition whether a user exists and whether the password is correct.

Note that is is not advised to provide a distinct error message if a user not found. Just a generic "Credentials are not correct" would be enough. Otherwise it will help a malicious user to find whether a certain email is registered on the site.


Related articles:



Got a question?

I am the only person to hold a gold badge in , and on Stack Overflow and I am eager to show the right way for PHP developers.

Besides, your questions let me make my articles even better, so you are more than welcome to ask any question you have.

Click here to ask!

Latest article:
PHP Error Reporting

SEE ALSO:

Latest comments: