Carlos1973 Posted March 25, 2021

Hi, I am trying to set up a username / password validation login for a website - code below. I'm fairly new to PHP, so my understanding of what I have done is:

config and env pick up some basic info including the servername, username, password and dbname for the connection. $_POST["username"] and $_POST["pwd"] are the values entered by the user on a previous login page.

Users is queried to bring back the data in $sql where the posted username ($userid) matches the UserName in the table. This is then checked to ensure there is one row returned - if not we go to test3.php. If there is one row, the password entered on the login ['pwd'] is compared to the password in the table. If they match we go to test1.php; if they don't we go to test2.php.

test1.php, test2.php and test3.php are holding pages which just display "Success", "incorrect password" or "No User" to check that this code works and will be replaced later.

When I go through the login page and put in an invalid user name, I get sent to test3.php - this is correct. However, if I put in a valid user name and a password, I get sent to test2.php (incorrect password) regardless of the password used being correct or not, which makes me think the validation is not working.

This is the code from the input page for username & password:

```html
<div style="display: table-row">
  <div style="display: table-cell" class="w3-padding">
    <label>User ID:</label>
    <input class="w3-input w3-text-black" name="username" required>
  </div>
  <div style="display: table-cell" class="w3-padding">
    <label>Password:</label>
    <input class="w3-input w3-text-black" type="password" name="pwd" required>
  </div>
</div>
```

Thanks in advance for any assistance.
```php
<?php
// get config and environment files - includes session script and database ID
require_once("config.php");
require_once("env.php");

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$userid = $_POST["username"];

// The posted username is interpolated straight into the SQL string
$sql = "SELECT UserID, UserName, Psswrd, FirstName, LastName, UserType FROM Users WHERE UserName = '$userid';";
$result = $conn->query($sql);
$row = mysqli_fetch_assoc($result);

if ($result->num_rows == 1) {
    $pwcheck = $row['Psswrd'];
    // password_verify() expects $pwcheck to be a hash produced by password_hash()
    if (password_verify($_POST["pwd"], $pwcheck)) {
        header("Location: test1.php");
        exit();
    } else {
        header("Location: test2.php");
        exit();
    }
} else {
    header("Location: test3.php");
    exit();
}
?>
```
requinix Posted March 25, 2021

What's the code for saving the passwords into the table in the first place? It uses password_hash, right?

Also, don't put variables into queries like you're doing with $userid. Learn about prepared statements and start using them immediately.
Carlos1973 (Author) Posted March 25, 2021

Hi, I plan to use password_hash, but at the moment I'm just storing a varchar. I changed it as part of the troubleshooting when I started getting this error, but the format has made no difference; should I change it back?

Thanks for the tip on prepared statements, I'll look at it now.
requinix Posted March 25, 2021

> 1 minute ago, Carlos1973 said: Hi, I plan to use password_hash, but at the moment I'm just storing a varchar.

That statement doesn't really make sense. Are you using password_hash when storing the password? Because you need to be: not just because it's the correct thing to do, but because that is the counterpart to the password_verify you're currently using when checking the password. Gotta have both of them for this to work.
Carlos1973 (Author) Posted March 25, 2021

Thanks again - I didn't realise that password_verify() was intrinsically linked to password_hash and thought that it would do the same regardless of hashing / salting. I'll switch it back and see how I get on.
Barand Posted March 25, 2021

> 17 minutes ago, Carlos1973 said: I didn't realise that password_verify() was intrinsically linked to password_hash

There's a clue in the manual.

TIP: try reading it occasionally, such as when you use a function and you have no idea what it does.
Carlos1973 (Author) Posted March 25, 2021

Thanks (for the sarcasm) Barand - I got that bit, but what I didn't pick up was that verify works on hashed passwords only, not unhashed ones. Still, we aren't all lucky enough to pick it all up in one morning the way you did. Also - there's a manual?

Thanks Requinix - that was my problem (note to self: password_verify is verifying the hash, not the password behind it). Rookie mistake.
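An added example (not code from this thread) that puts both replies together: passwords are stored with password_hash() and checked with password_verify(), and the username lookup uses a bound parameter instead of string interpolation. It runs against an in-memory SQLite table via PDO so it needs no MySQL server; the table and column names (Users, UserName, Psswrd) follow the thread, everything else is assumed.

```php
<?php
// Added example, not the original poster's code. In-memory SQLite stands in for
// the MySQL database so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, UserName TEXT UNIQUE, Psswrd TEXT)");

// Registration: store only the output of password_hash(), never the plaintext.
// This is the counterpart that password_verify() needs at login time.
function registerUser(PDO $db, string $user, string $plainPw): void
{
    $stmt = $db->prepare("INSERT INTO Users (UserName, Psswrd) VALUES (:u, :p)");
    $stmt->execute([':u' => $user, ':p' => password_hash($plainPw, PASSWORD_DEFAULT)]);
}

// Login: the username is bound as a parameter (no variable inside the SQL string),
// and the entered password is checked against the stored hash with password_verify().
// Returns 'success', 'bad_password' or 'no_user', the three outcomes the thread
// maps to test1.php, test2.php and test3.php.
function loginUser(PDO $db, string $user, string $plainPw): string
{
    $stmt = $db->prepare("SELECT Psswrd FROM Users WHERE UserName = :u");
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no_user';
    }
    return password_verify($plainPw, $row['Psswrd']) ? 'success' : 'bad_password';
}

// Constructed sample data: one user registered the right way.
registerUser($db, 'carlos', 'correct horse battery');
echo "hashed, right password:  ", loginUser($db, 'carlos', 'correct horse battery'), PHP_EOL;
echo "hashed, wrong password:  ", loginUser($db, 'carlos', 'nope'), PHP_EOL;
echo "unknown user:            ", loginUser($db, 'nobody', 'x'), PHP_EOL;

// The failure from the thread: Psswrd holds the plaintext varchar instead of a hash,
// so password_verify() fails even when the entered password is exactly what is stored.
$db->exec("INSERT INTO Users (UserName, Psswrd) VALUES ('plain', 'secret')");
echo "plaintext stored:        ", loginUser($db, 'plain', 'secret'), PHP_EOL;

// A username containing a quote is harmless with a bound parameter; the same
// value interpolated into the query string would break the SQL.
echo "username with a quote:   ", loginUser($db, "o'brien", 'anything'), PHP_EOL;
```

The "plaintext stored" case reports bad_password, which is exactly what the original poster saw: password_verify() only ever succeeds against a value produced by password_hash().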