$query = "SELECT * FROM users WHERE id = ?";
$stmt = $pdo->prepare($query);
$stmt->execute([$_POST['id']]);
$user = $stmt->fetchObject();
if ($user && password_verify($_POST['password'], $user->password)) {
    return true;
}
return false;
There is an information leak here: If you try different user names, it will take a different amount of time depending on if the username is there or not. If password_verify takes 0.1 seconds, you can simply measure that difference to determine if the username is valid or not. On average, requests for taken usernames will take longer than those for available ones.
Highly interesting read, worth your time. Be sure to read the whole thing.
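An added example, not code from the quoted article: the lookup from the snippet above beside a variant that performs one password_verify() call whether or not the row exists, with a small timer that makes the difference visible. The in-memory SQLite table, the function names and DUMMY_HASH are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo data: one user (id 1) in an in-memory SQLite table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (id, password) VALUES (?, ?)')
    ->execute([1, password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical constant: hash of a throwaway random value, created with the
// same algorithm and cost as real hashes so verifying it costs the same.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

function fetchUser(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchObject(); // false when no row matches
}

// Behaviour of the snippet above: password_verify() runs only when a row exists.
function loginLeaky(PDO $pdo, $id, string $password): bool
{
    $user = fetchUser($pdo, $id);
    return $user && password_verify($password, $user->password);
}

// Hardened variant: hit and miss both pay for exactly one verification.
function loginUniform(PDO $pdo, $id, string $password): bool
{
    $user = fetchUser($pdo, $id);
    $hash = $user ? $user->password : DUMMY_HASH;
    $ok = password_verify($password, $hash);
    return $user !== false && $ok;
}

// Mean wall-clock time per failed login, in milliseconds.
function meanMs(callable $login, PDO $pdo, int $id, int $runs = 5): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $runs; $i++) {
        $login($pdo, $id, 'wrong guess');
    }
    return (hrtime(true) - $start) / $runs / 1e6;
}

foreach (['loginLeaky', 'loginUniform'] as $fn) {
    printf("%-13s existing id: %7.2f ms   unknown id: %7.2f ms\n",
        $fn, meanMs($fn, $pdo, 1), meanMs($fn, $pdo, 999));
}
```

The dummy hash only equalizes timing while its algorithm and cost match the stored hashes, so regenerate it whenever those parameters change. Any other work done only for existing accounts (rehashing, lockout counters, logging) reopens the same gap.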