
JustThatGuy

New Members
Posts: 5
Reputation: 0

  1. Like I said below the revision I made, you need to change your old passwords to the new passwords. Basically, back up your whole users table and then drop the users table so that you have no records in it. Then you'll have to edit the sign-up page too, since you're going to be using the password_hash function. Once you get the sign-up page working with the password_hash function, you can sign up with the same username and password like you had before. Once that is completed, you can test the login page. It should work, since you are moving from a hash algorithm that isn't really a password algorithm to a built-in password algorithm. EDIT: Also, I went back and looked at the one you modified. You're not doing it right. You don't hash the password on the login page. The only reason you should be using the password_hash function is if you are inserting it into the database. If you want to compare the two passwords so that they match, you need to use password_verify.
  2. Try this:

```php
<?php
session_start();
error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', 1);
require 'connect.php'; // provides $con, a mysqli connection

// Use $_SERVER['REQUEST_METHOD']
// Here is an article on why you shouldn't use $_POST['submit']
// http://stackoverflow.com/questions/10943060/isset-postsubmit-vs-serverrequest-method-post#comment14373814_10943179
// Read those comments
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $disallowed = "<h1>Your username has disallowed characters!</h1>" . PHP_EOL
        . "Please make sure that you have no spaces or characters such as:<h3><li>" . PHP_EOL
        . " \"!^\$*@#~ </li></h3>" . PHP_EOL
        . "<li><h3>Also make sure that there are no spaces in your username.</h3></li>" . PHP_EOL
        . "Thanks, " . PHP_EOL
        . " System Administrator.";
    $username = $_POST['username'];
    if (preg_match("#[^\w]#", $username)) {
        echo $disallowed;
        exit();
    }
    // The above is only needed for the username. Limiting the characters the user can use
    // can result in weak passwords. By allowing characters such as !^$*@#, they strengthen
    // their password. You don't need to whitelist these characters because SQL injection
    // does not come from user input; it comes from bad code.

    $stmt = $con->prepare("SELECT username, password, status FROM users WHERE username = ?"); // We only need the username so we can verify the password
    $stmt->bind_param("s", $username); // Bind the variable so there won't be any SQL injection
    $stmt->execute();      // Executes the query
    $stmt->store_result(); // Stores the result for later checking
    // Checks to see if the query has returned a row
    if ($stmt->num_rows) {
        // The username exists
        $post_password = $_POST['password']; // We finally check the password because we only needed the username in the beginning
        $stmt->bind_result($username, $password, $status);
        while ($stmt->fetch()) {
            if (password_verify($post_password, $password)) {
                echo "Success!"; // The account exists with the right password
            } else {
                echo "Wrong password"; // The wrong password has been typed in
            }
        }
    } else {
        echo "No Account"; // This should be a custom error saying that the account does not exist, or that they have typed in the wrong username or password
    }
} else {
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Login to your account!</title>
<link rel="stylesheet" href="css/login.css" />
</head>
<body>
<center>
<span style="font-size: 32px; font-weight: bold; font-family: Arial; padding: 10px;"> Please Login </span>
</center>
<div class="login">
<center>
<form action="" method="POST">
<br><br>Username: <br><input type="text" name="username" placeholder="Username" required />
<br><br>Password: <br><input type="password" name="password" placeholder="Password" required />
<br><br><input type="submit" name="submit" value="Login to your account!" />
</form>
</center>
</div>
</body>
</html>
<?php
}
```

  If you use this, you'll need to redo your whole password algorithm. You'll have to start using password_hash and password_verify.
  3. lol, you're not even doing it right.

```php
$stmt = $con->prepare("SELECT username, password FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows) {
    echo "yes";
} else {
    echo "no";
}
```

  You should use store_result instead of get_result, and you're using num_rows wrong. If you want to check whether the account is banned or not, find out if the account actually exists first. Then do something like:

```php
$stmt = $con->prepare("SELECT username, password, status FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows) {
    $stmt->bind_result($username, $password, $status);
    while ($stmt->fetch()) {
        if ($status == 0) {
            echo "Banned";
        } else {
            echo "regular user";
        }
    }
} else {
    echo "no";
}
```

  num_rows already checks for the user-inputted variables. It's really redundant to use > 0 with num_rows, because let's say the user logs in with guest as the username and password as the password. num_rows already checks if those two return a row. Checking to see if the row count is greater than 0 is exactly what num_rows has already done. Your problem is that you aren't using PHP correctly and therefore it won't allow you to log in with whatever you're attempting. If you want to use the built-in password hash, you have to check if the user exists first. Then, if the user does exist, take their hashed password from the database and compare it with the password they have entered using the password_verify function. If the passwords do not match when they actually do match, then you are doing something wrong.
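A complete version of the flow posts 1 to 3 above describe (password_hash() on the sign-up path only, look the row up by username alone, password_verify() at login, then the status check), written here as an added example rather than code from the thread or from the OP's site. It uses PDO with an in-memory SQLite database so that it runs stand-alone; the users table, the legacy MD5 row and the credentials are constructed for the demo, and open_demo_db, register, login and check are names chosen here. It goes one step beyond post 1: instead of dropping the users table and re-registering everyone, login() recognises a row that still holds the old non-password hash, checks it, and rewrites it with password_hash() once the plaintext has been verified; it also returns the same 'invalid' result for an unknown username and for a wrong password.

```php
<?php
// Added example for this thread, not code posted by JustThatGuy or the OP.
// Assumes PHP 7.1+ with the pdo_sqlite extension; the users table, the
// legacy MD5 row and the test credentials below are constructed for the demo.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username TEXT PRIMARY KEY,
        password TEXT NOT NULL,
        status   INTEGER NOT NULL DEFAULT 1
    )');
    // Constructed legacy account: password stored as an unsalted MD5, the kind of
    // "hash that isn't a password algorithm" the thread is migrating away from.
    $db->prepare('INSERT INTO users (username, password, status) VALUES (?, ?, 1)')
       ->execute(['legacy_user', md5('correct horse battery')]);
    return $db;
}

// Same rule as the thread's regex, applied to the username only: letters, digits
// and underscore. Passwords are deliberately not filtered.
function valid_username(string $username): bool
{
    return (bool) preg_match('/\A\w{3,32}\z/', $username);
}

// Sign-up path: this is the only place password_hash() belongs.
function register(PDO $db, string $username, string $password): bool
{
    if (!valid_username($username)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, status) VALUES (?, ?, 1)');
    try {
        $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false; // username already taken
    }
    return true;
}

// Login path: fetch by username only, then compare with password_verify().
// Returns 'ok', 'banned' or 'invalid'; 'invalid' covers both an unknown username
// and a wrong password so the response does not reveal which usernames exist.
function login(PDO $db, string $username, string $password): string
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    if (!valid_username($username)) {
        return 'invalid';
    }
    $stmt = $db->prepare('SELECT password, status FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash); // spend the same work as a real check
        return 'invalid';
    }

    $stored = (string) $row['password'];
    // password_get_info() reports no algorithm for a string password_hash() did not
    // produce (0 before PHP 7.4, null after), which is how a legacy MD5 row is spotted.
    $isLegacy = empty(password_get_info($stored)['algo']);
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return 'invalid';
    }

    // The plaintext has just been verified, so upgrade legacy rows (and rows whose
    // bcrypt cost is below the current default) in place instead of dropping the table.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password = ? WHERE username = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }

    return ((int) $row['status'] === 0) ? 'banned' : 'ok';
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$db = open_demo_db();
check(login($db, 'legacy_user', 'wrong password') === 'invalid', 'legacy wrong password');
check(login($db, 'legacy_user', 'correct horse battery') === 'ok', 'legacy login');
$migrated = $db->query("SELECT password FROM users WHERE username = 'legacy_user'")->fetchColumn();
check(!empty(password_get_info($migrated)['algo']), 'MD5 row rewritten with password_hash()');
check(password_verify('correct horse battery', $migrated), 'migrated hash verifies');
check(register($db, 'alice', 'N!ce&Long p@ss^word'), 'sign-up');
check(!register($db, 'alice', 'other'), 'duplicate username rejected');
check(!register($db, 'bad name!', 'x'), 'username with disallowed characters rejected');
check(login($db, 'alice', 'N!ce&Long p@ss^word') === 'ok', 'login after sign-up');
check(login($db, 'nobody', 'anything') === 'invalid', 'unknown username');
$db->exec("UPDATE users SET status = 0 WHERE username = 'alice'");
check(login($db, 'alice', 'N!ce&Long p@ss^word') === 'banned', 'banned account');
echo "all checks passed\n";
```

Run it with `php login_demo.php` (any file name works); the same register()/login() bodies apply unchanged to a MySQL connection if the PDO DSN is swapped, and mysqli users get the same shape with bind_param/store_result as in the posts above. Two points worth keeping even if the rest is adapted: the thread's code prints "No Account" for a missing username and "Wrong password" for a bad password, which lets anyone confirm which usernames exist, so login() here answers 'invalid' in both cases and runs a password_verify() against a dummy hash on the missing-user path so the timing is similar; and the migration is done lazily at login, because that is the only moment the server holds the plaintext needed to produce the new hash.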
  4. Another neglect. http://stackoverflow.com/questions/2580322/is-there-any-harm-in-running-session-start-multiple-times-as-the-page-request Try it yourself. Place two session_start calls right after one another. You're going to get an internal error. It will not simply get ignored as you say it does. It will throw you an internal error until you fix it.
  5. I think you guys are missing the fact that the OP is using PHP wrong. He places session_start(); in every file and then includes login.php. The first session is already started on the direct page, but when the OP includes the login.php file, the second session_start(); is started, which will conflict with the first session. Along with that, you shouldn't be using the mysql_* libraries. Switch to mysqli_* or PDO.