Mot de passe hash return false

Question

J'ai donc un script de connexion simple, mais quand j'ai commencé à crypter des mots de passe et en utilisant password_verify, je semble obtenir le même résultat tout le temps, false. Voici mon script de connexion

<?php 

session_start(); 

$host = "localhost"; 
$user = "root"; 
$pass = "root"; 
$dbname = "users"; 

try{ 
     $con = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);  
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
} 
catch(PDOException $e){ 
    echo $e->getMessage(); 
} 
$email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8'); 
$pass = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8'); 


$st = $con->prepare("SELECT * FROM users WHERE email = :email AND password = :pass"); 
$st->bindValue(':email', $email, PDO::PARAM_STR); 
$st->bindValue(':pass', $pass, PDO::PARAM_STR); 
$st->execute(); 

$rows = $st->fetch(PDO::FETCH_NUM); 

if($email === ''){ 
$_SESSION['message1'] = 'Enter a valid email'; 
header('Location: index.php'); 
exit(); 
} 
elseif($pass === ''){ 
$_SESSION['message1'] = 'Enter a valid password'; 
header('Location: index.php'); 
exit(); 
} 
elseif($rows > 0){ 
    $_SESSION['loggedin'] = true; 
$hash = $con->prepare("SELECT password FROM users WHERE email = :email"); 
$hash->bindValue(':email', $email); 
$hash->execute(); 

} 
elseif(password_verify($pass, $hash)){ 
    $name = $con->prepare("SELECT name FROM users WHERE email = :email"); 
    $name->bindValue(':email', $email, PDO::PARAM_STR); 
    $name->execute(); 
    $rows = $name->fetchAll(PDO::FETCH_ASSOC); 
    foreach ($rows as $row) { 
     $_SESSION['name'] = $row['name']; 
    } 
    header('Location: profile.php'); 
    } 
else{ 
    $_SESSION['message1'] = 'Make sure email and password are correct'; 
    header('Location: index.php'); 
    exit(); 
} 
?> 

Aussi est ici comment je chiffrer

$passh = password_hash($pass, PASSWORD_DEFAULT)."\n"; 
    $db = $con->prepare("INSERT INTO users (name, email, password) VALUES (:name, :email, :passh)"); 
    $db->bindValue(':name', $name, PDO::PARAM_STR); 
    $db->bindValue(':email', $email, PDO::PARAM_STR); 
    $db->bindValue(':passh', $passh, PDO::PARAM_STR); 
    $db->execute(); 
    $_SESSION['name'] = $name; 
    $_SESSION['email'] = $email; 
    $_SESSION['loggedin'] = true; 
    header('Location: profile.php'); 
    exit(); 

rapports d'erreur est activé, mais pour une raison son ne fonctionne toujours pas et affiche simplement Make sure email and password are correct, qui viennent de la prochaine instruction else . Des idées? Je suis assez nouveau. De plus, tous les conseils de sécurité seraient super. Merci d'avance.

CODE MISE À JOUR

<?php 

session_start(); 

$host = "localhost"; 
$user = "root"; 
$passw = "root"; 
$dbname = "users"; 

try{ 
    $con = new PDO("mysql:host=$host;dbname=$dbname", $user, $passw); 
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
} 
catch(PDOException $e){ 
    echo $e->getMessage(); 
} 
$email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8'); 
$pass = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8'); 



$hash = $con->prepare("SELECT password FROM users WHERE email = :email"); 
$hash->bindValue(':email', $email); 
$hash->execute(); 
$rows1 = $hash->fetchAll(PDO::FETCH_ASSOC); 
foreach ($rows1 as $row1) { 
    $_SESSION['hash'] = $row1['hash']; 
    } 



$st = $con->prepare("SELECT * FROM users WHERE email = :email AND password = :pass"); 
$st->bindValue(':email', $email, PDO::PARAM_STR); 
$st->bindValue(':pass', $pass, PDO::PARAM_STR); 
$st->execute(); 

$rows = $st->fetch(PDO::FETCH_NUM); 

if($email === ''){ 
    $_SESSION['message1'] = 'Enter a valid email'; 
    header('Location: index.php'); 
    exit(); 
} 
elseif($pass === ''){ 
    $_SESSION['message1'] = 'Enter a valid password'; 
    header('Location: index.php'); 
    exit(); 
} 
elseif($rows > 0 || password_verify($pass, $hash)){ 
    $_SESSION['loggedin'] = true; 
    $name = $con->prepare("SELECT name FROM users WHERE email = :email"); 
    $name->bindValue(':email', $email, PDO::PARAM_STR); 
    $name->execute(); 
    $rows = $name->fetchAll(PDO::FETCH_ASSOC); 
    foreach ($rows as $row) { 
     $_SESSION['name'] = $row['name']; 
    } 
    header('Location: profile.php'); 
    } 
else{ 
    $_SESSION['message1'] = 'Make sure email and password are correct'; 
    header('Location: index.php'); 
    exit(); 
} 
?> 

Answer 1

Regardez votre requête une fois de plus:

SELECT password FROM users WHERE email = :email 

Vous sélectionnez le mot de passe de la colonne,

lorsque vous allez chercher la ligne que vous utilisez la champ hash

$_SESSION['hash'] = $row1['hash']; 

Contrairement à vous pensez, votre script n'est pas simple du tout, vous effectuez 3 requêtes sur le même enregistrement, essayez cette approche

$email = $_POST['email']; 
$pass = $_POST['password']; 

if($email === ''){ 
    $_SESSION['message1'] = 'Enter a valid email'; 
    header('Location: index.php'); 
    exit(); 
} 

if($pass === ''){ 
    $_SESSION['message1'] = 'Enter a valid password'; 
    header('Location: index.php'); 
    exit(); 
} 

$query = 'SELECT name, email, password 
      FROM users 
      WHERE email = :email LIMIT 1'; 


$stmt = $con->prepare($query); 
$stmt->bindValue(':email', $email); 
$stmt->execute(); 
$row = $stmt->fetch(PDO::FETCH_ASSOC); 

if(!$row){ 
    $_SESSION['message1'] = 'User does not exist'; 
    header('Location: index.php'); 
    exit(); 
} 

//hashed password from Database 
$hash = $row['password']; 

if(password_verify($pass, $hash)){ 
    $_SESSION['hash'] = $row['password']; 
    $_SESSION['name'] = $row['name']; 
    $_SESSION['email'] = $row['email']; 
    header('Location: profile.php'); 
}else{ 
    $_SESSION['message1'] = 'Make sure email and password are correct'; 
    header('Location: index.php'); 
    exit(); 
}