Issues Verifying Login access with Bcrypt Password Even After calling the verification function

Question

And here's the latest change to my login process. I want to verify if the user's input matches with the hashed password that has been stored in the database.

if(!isset($error)){
        //Use the input username and password and check against 'users' table

        $query = mysql_query("SELECT * FROM users 
        WHERE username = '".mysql_real_escape_string($user_input)."' OR email = '".mysql_real_escape_string($user_input)."' LIMIT 1") 
        or die(mysql_error());
        $count_row = mysql_num_rows($query);
        $row = mysql_fetch_assoc($query);




        if($count_row == 1){
        $hashed_password = $row['password'];
        if(! password_verify($password, $hashed_password)){
            $error[] = "Login failed! Please check your entered email and/or password";
            } else if($row['active'] < 1){
            $error[] = "Account has not been activated.";
            }else if($row['active'] == 1){
            // Do nothing
            } else {
            //write user data into PHP SESSION

This is my latest code. Any help is appreciated. Thanks in advance.

Answer 1

You're hashing the user password with this :

$password = password_hash($password, PASSWORD_BCRYPT);

However, during the login phase, you're doing the following :

$password = strtolower($email) . $password;

Since you're comparing the hashed of two different String, you won't get what you want.