Jump to content

Error on login

Tom8001

By Tom8001
in PHP Coding Help

 Share

Recommended Posts

Tom8001 Member

Tom8001

Posted
Posted

Hi, well i don't get an error from PHP but it says the username or password is incorrect

 

Login script

<?php

require 'connect.php';
error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', '1');
ini_set('memory_limit', '-1');
include 'footer.php';

if(isset($_POST['submit'])) {

	session_start();

	if(!$_POST['username'] OR !$_POST['password']) {

		echo "Please make sure you enter both a username and password!";

		exit();

	}

	$username = trim($_POST['username']);
	$password = trim($_POST['password']);
	$username = mysqli_real_escape_string($conn, $_POST['username']);
	$password = mysqli_real_escape_string($conn, $_POST['password']);


	$stmt = $conn->prepare("SELECT username,password,user_level,active FROM usrs_usr WHERE username=? AND password=?");

	$stmt->bind_param("ss", $username, $password);

	$stmt->execute();

	$row = $stmt->fetch();

	$userlevel = $row['user_level'];

	$active = $row['active'];

	if($stmt->num_rows > 0) {

		if($row['user_level'] == 1) {

			$_SESSION['user_level'] = 1;
			$_SESSION['active'] = 1;
			$_SESSION['loggedIn'] = 1;
			echo "<meta http-equiv='refresh' content=0;admin.php>";

			exit();

		} else if($row['user_level'] == -1) {

			$_SESSION['user_level'] = -1;
			$_SESSION['active'] = 0;
			$_SESSION['loggedIn'] = 0;
			echo "<meta http-equiv='refresh' content=0;banned.php>";

			exit();

		}

		$_SESSION['user_level'] = 0;
		$_SESSION['active'] = 1;
		$_SESSION['loggedIn'] = 1;
		echo "<meta http-equiv='refresh' content=0;index.php>";

		exit();

	} else {

		die("#~ Username or password is incorrect ~#");
	}

}
?>
Link to comment
Share on other sites
requinix Prolific Member

requinix

Posted
Posted

You aren't using mysqli properly and that's probably why. Assuming that the username and password you entered are actually correct, of course.

 

1. Don't use mysqli_real_escape_string() with prepared statements.

2. fetch() does not return an array.

3. You have to bind variables to the result, like you did with $username and $password, and fetch() won't work unless you do that.

 

While I'm here,

4. Don't change PHP settings in your code. Do it in the php.ini itself.

5. !$_POST[*] will make PHP complain if the * does not exist in $_POST.

6. It also does not allow the value "0", which is unlikely yes but you should still not disallow it.

7. Don't store passwords in your database without using password hashing. You need to learn about that from someplace that talks about the password_hash() function.

8. Don't trim() the password. Maybe I want there to be a space at the beginning or end! In fact don't do anything to the password at all (except hashing).

9. Keep in mind that num_rows only works if you (a) call $stmt->store_result(), which you should do, or (b) have fetched rows.

 

There are other things too but let's just take one step at a time.

<?php

// php.ini now has the settings
// * error_reporting = -1
// * display_errors = on
// * memory_limit = -1

if(isset($_POST['submit'], $_POST['username'], $_POST['password'])) {

	session_start();

	if($_POST['username'] == '' or $_POST['password'] == '') {

		echo "Please make sure you enter both a username and password!";

		exit();

	}

	$username = trim($_POST['username']); // it's okay to trim() the username
	$password = $_POST['password'];       // it's not okay to modify the password

	$stmt = $conn->prepare("SELECT user_level, active FROM usrs_usr WHERE username = ? AND password = ?");

	$stmt->bind_param("ss", $username, $password);

	$stmt->execute();
	$stmt->store_result(); // retrieve all the results

	$userlevel = null;
	$active = null; // you aren't actually using this value anywhere...
	$stmt->bind_result($userlevel, $active); // $userlevel gets the `user_level` value, $active gets the `active` value

	$stmt->fetch();

	if($stmt->num_rows > 0) {

		if($userlevel == 1) { // $userlevel was modified during the fetch()

			$_SESSION['user_level'] = 1;
			$_SESSION['active'] = 1;
			$_SESSION['loggedIn'] = 1;
			echo "<meta http-equiv='refresh' content=0;admin.php>";

			exit();

		} else if($userlevel == -1) {

			$_SESSION['user_level'] = -1;
			$_SESSION['active'] = 0;
			$_SESSION['loggedIn'] = 0;
			echo "<meta http-equiv='refresh' content=0;banned.php>";

			exit();

		}

		$_SESSION['user_level'] = 0;
		$_SESSION['active'] = 1;
		$_SESSION['loggedIn'] = 1;
		echo "<meta http-equiv='refresh' content=0;index.php>";

		exit();

	} else {

		die("#~ Username or password is incorrect ~#");
	}

}
?>
Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted

You aren't using mysqli properly and that's probably why. Assuming that the username and password you entered are actually correct, of course.

 

1. Don't use mysqli_real_escape_string() with prepared statements.

2. fetch() does not return an array.

3. You have to bind variables to the result, like you did with $username and $password, and fetch() won't work unless you do that.

 

While I'm here,

4. Don't change PHP settings in your code. Do it in the php.ini itself.

5. !$_POST[*] will make PHP complain if the * does not exist in $_POST.

6. It also does not allow the value "0", which is unlikely yes but you should still not disallow it.

7. Don't store passwords in your database without using password hashing. You need to learn about that from someplace that talks about the password_hash() function.

8. Don't trim() the password. Maybe I want there to be a space at the beginning or end! In fact don't do anything to the password at all (except hashing).

9. Keep in mind that num_rows only works if you (a) call $stmt->store_result(), which you should do, or (b) have fetched rows.

 

There are other things too but let's just take one step at a time.

<?php

// php.ini now has the settings
// * error_reporting = -1
// * display_errors = on
// * memory_limit = -1

if(isset($_POST['submit'], $_POST['username'], $_POST['password'])) {

	session_start();

	if($_POST['username'] == '' or $_POST['password'] == '') {

		echo "Please make sure you enter both a username and password!";

		exit();

	}

	$username = trim($_POST['username']); // it's okay to trim() the username
	$password = $_POST['password'];       // it's not okay to modify the password

	$stmt = $conn->prepare("SELECT user_level, active FROM usrs_usr WHERE username = ? AND password = ?");

	$stmt->bind_param("ss", $username, $password);

	$stmt->execute();
	$stmt->store_result(); // retrieve all the results

	$userlevel = null;
	$active = null; // you aren't actually using this value anywhere...
	$stmt->bind_result($userlevel, $active); // $userlevel gets the `user_level` value, $active gets the `active` value

	$stmt->fetch();

	if($stmt->num_rows > 0) {

		if($userlevel == 1) { // $userlevel was modified during the fetch()

			$_SESSION['user_level'] = 1;
			$_SESSION['active'] = 1;
			$_SESSION['loggedIn'] = 1;
			echo "<meta http-equiv='refresh' content=0;admin.php>";

			exit();

		} else if($userlevel == -1) {

			$_SESSION['user_level'] = -1;
			$_SESSION['active'] = 0;
			$_SESSION['loggedIn'] = 0;
			echo "<meta http-equiv='refresh' content=0;banned.php>";

			exit();

		}

		$_SESSION['user_level'] = 0;
		$_SESSION['active'] = 1;
		$_SESSION['loggedIn'] = 1;
		echo "<meta http-equiv='refresh' content=0;index.php>";

		exit();

	} else {

		die("#~ Username or password is incorrect ~#");
	}

}
?>

My passwords are hashed but only in the registration script.

Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted

So, you hash the password during registration then on login you compare the unhashed value the user submits to the hashed value in the DB? See the problem?

Yeah i'm guessing that's the reason why it's saying the password and username are wrong.

Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted

i added 

$password = hash('sha256', $password);

to my login script but it's still not working

 

This is my registration script

 <?php

error_reporting(E_ALL | E_NOTICE);

require 'connect.php';
ini_set('display_errors', 1);

echo "<title>  Register  </title>";

if(isset($_POST['register'])) {

	if(!$_POST['username'] OR !$_POST['password']) {

		die("You must enter a username and password!");

	}

	$username = trim($_POST['username']);
	$password = trim($_POST['password']);
	$username = mysqli_real_escape_string($conn, $_POST['username']);
	$password = mysqli_real_escape_string($conn, $_POST['password']);
	$password = hash('sha256', $password);


	$stmt = $conn->prepare("INSERT INTO usrs_usr (username, password) VALUES (?, ?)");
	$stmt->bind_param("ss", $username, $password);
	$stmt->execute();

	echo "New user has been created successfully";

	$stmt->close();
	$conn->close();

}

?>
Link to comment
Share on other sites
CroNiX Member

CroNiX

Posted
Posted

So when the user enters their password in the form, you need to hash their supplied value using the same hashing method as you did to store it in the db when they registered, so that the query will check if (hashed_value === stored_hash_value). Otherwise you're comparing apples to oranges and the password will never match.

 

so this:

$password = $_POST['password'];

should be:

$password = your_hashing_function($_POST['password']);
Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted

 

So when the user enters their password in the form, you need to hash their supplied value using the same hashing method as you did to store it in the db when they registered, so that the query will check if (hashed_value === stored_hash_value). Otherwise you're comparing apples to oranges and the password will never match.

 

so this:

$password = $_POST['password'];

should be:

$password = your_hashing_function($_POST['password']);

So like this? 

$password = hash('sha256', $_POST['password']);
Link to comment
Share on other sites
CroNiX Member

CroNiX

Posted
Posted

Yes, if you used hash('sha256', $password) when they registered, and you stored that hash in the db.

 

Also, these lines are unnecessary and could be causing issues as they can change the value of what you are running them against. They are also unnecessary/useless when using prepared statements:

$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

remove those.

Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted

Yes, if you used hash('sha256', $password) when they registered, and you stored that hash in the db.

 

Also, these lines are unnecessary and could be causing issues as they can change the value of what you are running them against. They are also unnecessary/useless when using prepared statements:

$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

remove those.

Removed :)

Link to comment
Share on other sites
Tom8001 Member

Tom8001

Posted
  • Author
Posted 


<?php


require 'connect.php';

error_reporting(E_ALL | E_NOTICE);

ini_set('display_errors', '1');

ini_set('memory_limit', '-1');

include 'footer.php';


if(isset($_POST['submit'])) {


	session_start();


	if(!$_POST['username'] OR !$_POST['password']) {


		echo "Please make sure you enter both a username and password!";


		exit();


	}


	$username = trim($_POST['username']);

	$password = trim($_POST['password']);

	$password = hash('sha256', $password);



	$stmt = $conn->prepare("SELECT username,password,user_level,active FROM usrs_usr WHERE username=? AND password=?");


	$stmt->bind_param("ss", $username, $password);


	$stmt->execute();


	$row = $stmt->fetch();


	$userlevel = $row['user_level'];


	$active = $row['active'];


	if($stmt->num_rows == 1) {


		if($row['user_level'] == 1) {


			$_SESSION['user_level'] = 1;

			$_SESSION['active'] = 1;

			$_SESSION['loggedIn'] = 1;

			echo "<meta http-equiv='refresh' content=0;admin.php>";


			exit();


		} else if($row['user_level'] == -1) {


			$_SESSION['user_level'] = -1;

			$_SESSION['active'] = 0;

			$_SESSION['loggedIn'] = 0;

			echo "<meta http-equiv='refresh' content=0;banned.php>";


			exit();


		}


		$_SESSION['user_level'] = 0;

		$_SESSION['active'] = 1;

		$_SESSION['loggedIn'] = 1;

		echo "<meta http-equiv='refresh' content=0;index.php>";


		exit();


	} else {


		die("#~ Username or password is incorrect ~#");

	}


}

?>
Link to comment
Share on other sites
ginerjm Prolific Member

ginerjm

Posted
Posted

So - the question is:

 

Have you re-stored the username and password using the same hashing code since you found out that you had to do that?

 

 

BTW - after your query runs you should check if you got a result before you do those two fetches. Makes no sense to try and retrieve something before you know if it exists.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.