Carlos1973 Posted March 25, 2021 Share Posted March 25, 2021 Hi, I am trying to set up a useername / password validation log in for a website - code below. I'm fairly new to php, so my understanding of what I have done is: config and env pick up some basic info including the servername, username, password and dbname for the connection, $_POST["username"] and $_POST["pwd"] are the values entered by the user on a previous log in page. Users is queried to bring back the data in $sql where the posted username ($userid) matches the UserName in the table. This is then checked to ensure there is one row returned - if not we go to test3.php If there is one row, the password entered on the log in ['pwd'] is compared to the password in the table. If they match we go to test1.php If they don't we go to test2.php test1.php test2.php and test3.php are holding pages which just display "Success", "incorrect password" or "No User" to check that this codeworks and will be replaced later. When I go through the login page and put an invalid user name, I get sent to test3.php - this is correct. However, if a put in a valid user name and a password, I get sent to test2.php (incorrect password) regardless of the password used being correct or not. Which makes me think the validation is not working. This is the code from the input page for username & password: <div style="display: table-row"> <div style="display: table-cell" class="w3-padding"> <label>User ID:</label> <input class="w3-input w3-text-black" name="username" required> </div> <div style="display: table-cell" class="w3-padding"> <label>Password:</label> <input class="w3-input w3-text-black" type="password" name="pwd" required> </div> </div> Thanks in advance for any assistance. <?php //get config and environment files - includes session script and database ID require_once("config.php"); require_once("env.php"); // Create connection $conn = new mysqli($servername, $username, $password, $dbname); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $userid = $_POST["username"]; $sql = "SELECT UserID, UserName, Psswrd, FirstName, LastName, UserType FROM Users WHERE UserName = '$userid';"; $result = $conn->query($sql); $row = mysqli_fetch_assoc($result); if ($result->num_rows == 1) { $pwcheck = $row['Psswrd']; if(password_verify($_POST["pwd"],$pwcheck)) { header("Location: test1.php"); exit(); }else { header("Location: test2.php"); exit(); } }else { header("Location: test3.php"); exit(); } ?> Quote Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/ Share on other sites More sharing options...
requinix Posted March 25, 2021 Share Posted March 25, 2021 What's the code for saving the passwords into the table in the first place? It uses password_hash, right? Also, don't put variables into queries like you're doing with $userid. Learn about prepared statements and start using them immediately. 1 Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/#findComment-1585367 Share on other sites More sharing options...
Carlos1973 Posted March 25, 2021 Author Share Posted March 25, 2021 Hi, I plan to use password_hash, but at the moment I'm just storing a varchar. I changed it as part of the troubleshooting when I started getting this error, but the format has made no difference, should I change it back? Thanks for the tip on prepared statements, I'll look at it now. Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/#findComment-1585368 Share on other sites More sharing options...
requinix Posted March 25, 2021 Share Posted March 25, 2021 1 minute ago, Carlos1973 said: Hi, I plan to use password_hash, but at the moment I'm just storing a varchar. That statement doesn't really make sense. Are you using password_hash when storing the password? Because you need to be: not just because it's the correct thing to do, but because that is the counterpart to the password_verify you're currently using when checking the password. Gotta have both of them for this to work. Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/#findComment-1585369 Share on other sites More sharing options...
Carlos1973 Posted March 25, 2021 Author Share Posted March 25, 2021 Thanks again - I didn't realise that password_verify() was intrinsically linked to password_hash and thought that it would do the same regardless of hashing / salting. I'll switch it back and see how I get on,. Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/#findComment-1585370 Share on other sites More sharing options...
Barand Posted March 25, 2021 Share Posted March 25, 2021 17 minutes ago, Carlos1973 said: I didn't realise that password_verify() was intrinsically linked to password_hash There's a clue in the manual. TIP: try reading it occasionally, such as when you use a function and you have no idea what it does. Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/#findComment-1585371 Share on other sites More sharing options...
Carlos1973 Posted March 25, 2021 Author Share Posted March 25, 2021 Thanks (for the sarcasm) Barand - I got that bit, but what I didn't pick up was that verify works on hashed passwords only, not unhashed ones. Still, we aren't all lucky enough to pick it all up in one morning the way you did. Also - there's a manual? Thanks Requinix - that was my problem; (note to self: password_verify is verifying the hash - not the password behind it). Rookie mistake. Quote Link to comment https://forums.phpfreaks.com/topic/312379-password-validation/#findComment-1585379 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.