Login with password_verify() fail all time

[Mlaaa]

Hi, i have problem with login script. Problem is that i cant login using my username and password. Password i entered in database was with password_hash('admin', PASSWORD_DEFAULT);

 

Here is a code

<?php
include 'config.php';

if (isset($_SESSION['laa']))
{
	die('U already logged in. <a href="index.php">Home</a>');
}

if (isset($_POST['login']))
{
	if (isset($_POST['username']) && isset($_POST['password']))
	{
		$username = strip_tags($_POST['username']);
		$password = strip_tags($_POST['password']);

		if (empty($username) || empty($password))
		{
			$error = 'Please enter username and password.';
		}
		else
		{

			//$password = password_verify($password, PASSWORD_DEFAULT);

			$stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username AND lozinka = :password");
			$stmt->bindParam(':username', $username);
			$stmt->bindParam(':password', $password);
			$stmt->execute();
			$p = $stmt->fetch();

			//password_verify($password, $data['password']))

			if ($p['username'] == $username || $p['password'] == $password)
			{
				$_SESSION['laa'] = $username;
				header('Location: index.php');
				exit();
			}
			else
			{
				$error = 'Invalid username or password.';
			}
		}
	}
	else
	{
		$error = 'Please enter username and password.';
	}
}

?>
<center>
<div style="display:block; margin-top: 10%;">
	<p><?php if(!empty($error)) { echo $error; } ?></p>
	<form action="login.php" method="post">
	<p>Username : <input type="text" name="username"></p>
	<p>Password : <input type="password" name="password"></p>
	<p><input type="submit" name="login" value="Login"></p>
	</form>
</div>
</center>

[Jacques1]

First off, you need to get rid of this strip_tags() nonsense. This can in fact destroy your passwords, because it blindly removes anything that looks like HTML markup.

 

The password_verify() function works like this:

if (password_verify($the_password_to_be_checked, $the_stored_password_hash))
{
    // correct password
}
else
{
    // wrong password
}

[Mlaaa]

So i need first query to get the password from the database that i can check it with entered password ? Then another query to check if username and password match ?

[Barand]

No. One query to get the stored password hash for the given username. Then verify the given password against that.

Edited March 6, 2017 by Barand

[Mlaaa]

Thanks i used it like this and how works, also problem was in $p['password'] instead or $p['lozinka'] and same for username/korisnicko ime.

                        $stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username");
			$stmt->bindParam(':username', $username);
			$stmt->execute();
			$p = $stmt->fetch();

			if (password_verify($password, $p['lozinka']) || $p['korisnicko_ime'] == $username)
			{
				$_SESSION['laa'] = $username;
				header('Location: index.php');
				exit();
			}

[Jacques1]

Now you're doing an OR check, which means anybody can log-in without a password if they enter a valid username. You need an AND check (&&).

 

// Or rather: Leave out the username check altogether. It's already in the query.

Edited March 6, 2017 by Jacques1

[Mlaaa]

I try this, and it works, if u enter valid username it wont login if u enter valid password and invalid username it wont login. But if i leave WHERE korisnicko_ime = :username AND lozinka = :password this don't works.

			$stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username");
			$stmt->bindParam(':username', $username);
			$stmt->execute();
			$p = $stmt->fetch();

			if (password_verify($password, $p['lozinka']) && $p['korisnicko_ime'] == $username)
			{
				$_SESSION['laa'] = $username;
				header('Location: index.php');
				exit();
			}

[cyberRobot]

Since the password validation happens on the PHP side, you don't need to include it in the query. The username also doesn't need to be validated on the PHP side since that is already done in the query. Unless I'm not thinking clearly...or maybe I missed something, this should be fine:

$stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username");
$stmt->bindParam(':username', $username);
$stmt->execute();
$p = $stmt->fetch();
 
if (password_verify($password, $p['lozinka']))
{
    $_SESSION['laa'] = $username;
    header('Location: index.php');
    exit;
}

Edited March 6, 2017 by cyberRobot

[Mlaaa]

U thinking clearly , if i select username from database it will give me all information about this user as i need, and what i need is to check if that password is valid for that username from query. So your code need to be valid.

 

I try to login with all combination and it only login me with right username and password. So this works. Thanks guys.

Edited March 6, 2017 by Mlaaa

[cyberRobot]

Side note: since there should only be one entry with any given username, you could optimize the query using the LIMIT clause.

$stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username LIMIT 1");

That way MySQL stops looking for more records as soon as it finds the first match.

[benanamen]

Side note: since there should only be one entry with any given username, you could optimize the query using the LIMIT clause.

$stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username LIMIT 1");

That way MySQL stops looking for more records as soon as it finds the first match.

 

 

I would think that with a unique index, Mysql already knows there is only going to be one result.