
Hi,  I am trying to set up a username / password validation log in for a website - code below. 

I'm fairly new to php, so my understanding of what I have done is:

  • config and env pick up some basic info including the servername, username, password and dbname for the connection,
  • $_POST["username"] and $_POST["pwd"] are the values entered by the user on a previous log in page.
  • Users is queried to bring back the data in $sql where the posted username ($userid) matches the UserName in the table.
  • This is then checked to ensure there is one row returned - if not we go to test3.php
  • If there is one row, the password entered on the log in ['pwd'] is compared to the password in the table.
  • If they match we go to test1.php
  • If they don't we go to test2.php
  • test1.php  test2.php and test3.php are holding pages which just display "Success", "incorrect password" or "No User" to check that this code works and will be replaced later.

When I go through the login page and put an invalid user name, I get sent to test3.php - this is correct.

However, if I put in a valid user name and a password, I get sent to test2.php (incorrect password) regardless of the password used being correct or not.  Which makes me think the validation is not working.

 

This is the code from the input page for username & password:

            <div style="display: table-row">
                <div style="display: table-cell" class="w3-padding">
                    <label>User ID:</label>
                    <input class="w3-input w3-text-black" name="username" required>
                </div>
                <div style="display: table-cell" class="w3-padding">
                    <label>Password:</label>
                    <input class="w3-input w3-text-black" type="password" name="pwd" required>
                </div>
            </div>

 

Thanks in advance for any assistance.
 

<?php
// get config and environment files - includes session script and database ID
require_once("config.php");
require_once("env.php");

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Look up the posted username (note: $userid is interpolated straight into the query string)
$userid = $_POST["username"];
$sql = "SELECT UserID, UserName, Psswrd, FirstName, LastName, UserType FROM Users WHERE UserName = '$userid';";

$result = $conn->query($sql);
$row = mysqli_fetch_assoc($result);

if ($result->num_rows == 1) {
    // Compare the posted password against the stored Psswrd column
    $pwcheck = $row['Psswrd'];
    if (password_verify($_POST["pwd"], $pwcheck)) {
        header("Location: test1.php");   // success
        exit();
    } else {
        header("Location: test2.php");   // incorrect password
        exit();
    }
} else {
    header("Location: test3.php");       // no user
    exit();
}
?>

What's the code for saving the passwords into the table in the first place? It uses password_hash, right?

Also, don't put variables into queries like you're doing with $userid. Learn about prepared statements and start using them immediately.

  • Like 1

Hi,  I plan to use password_hash, but at the moment I'm just storing a varchar.  I changed it as part of the troubleshooting when I started getting this error, but the format has made no difference, should I change it back?

  Thanks for the tip on prepared statements, I'll look at it now.

1 minute ago, Carlos1973 said:

Hi,  I plan to use password_hash, but at the moment I'm just storing a varchar.

That statement doesn't really make sense.

Are you using password_hash when storing the password? Because you need to be: not just because it's the correct thing to do, but because that is the counterpart to the password_verify you're currently using when checking the password. Gotta have both of them for this to work.

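The two points raised in the replies above (store with password_hash() so that password_verify() has a real hash to check, and bind user input with a prepared statement instead of interpolating $userid into the SQL) fit together in a small pair of functions. This is an added example, not the original poster's code or anything from the thread; it assumes the thread's Users table with UserName and Psswrd columns (Psswrd wide enough for a hash, e.g. VARCHAR(255)), a UNIQUE constraint on UserName so at most one row comes back, and a mysqli $conn object of the kind config.php/env.php already create. The function names register_user, login_user, redirect_for and demo_verify are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Assumes the thread's Users
// table (UserName, Psswrd) and an open mysqli connection in $conn.

const LOGIN_SUCCESS      = 'success';       // thread's test1.php
const LOGIN_BAD_PASSWORD = 'bad_password';  // thread's test2.php
const LOGIN_NO_USER      = 'no_user';       // thread's test3.php

// Registration side: only the hash produced by password_hash() is stored.
// The plaintext password never reaches the database.
function register_user(mysqli $conn, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted bcrypt hash
    $stmt = $conn->prepare('INSERT INTO Users (UserName, Psswrd) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $username, $hash);  // input is bound, never interpolated
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login side: prepared lookup, then password_verify() against the stored hash.
function login_user(mysqli $conn, string $username, string $password): string
{
    $stmt = $conn->prepare('SELECT Psswrd FROM Users WHERE UserName = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // true for a row, null when no row matched
    $stmt->close();

    if (!$found) {
        return LOGIN_NO_USER;
    }
    return password_verify($password, $storedHash) ? LOGIN_SUCCESS : LOGIN_BAD_PASSWORD;
}

// Map the outcome onto the holding pages the poster is using.
function redirect_for(string $outcome): void
{
    $pages = [
        LOGIN_SUCCESS      => 'test1.php',
        LOGIN_BAD_PASSWORD => 'test2.php',
        LOGIN_NO_USER      => 'test3.php',
    ];
    header('Location: ' . $pages[$outcome]);
    exit();
}

// Why the poster always landed on test2.php, shown without a database:
// password_verify() treats its second argument as a hash string. A plaintext
// value is not a valid hash, so the comparison can never succeed.
function demo_verify(): array
{
    $plain = 'correct horse';   // constructed sample password
    return [
        'plaintext_stored' => password_verify($plain, $plain),                                  // false
        'hash_stored'      => password_verify($plain, password_hash($plain, PASSWORD_DEFAULT)), // true
    ];
}

// Usage in the login handler (with $conn from config.php / env.php):
// redirect_for(login_user($conn, $_POST['username'], $_POST['pwd']));
```

Two design notes: the same LOGIN_NO_USER / LOGIN_BAD_PASSWORD split the poster uses is kept here only because the thread's test pages distinguish them; a production login page would normally show one generic "invalid credentials" message so the response does not reveal which usernames exist. And because password_hash() chooses the salt and algorithm itself, the hash is the only thing that needs to be stored; password_verify() reads the algorithm and salt back out of the hash string, which is exactly why it cannot work against a plain varchar.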

Thanks again - I didn't realise that password_verify() was intrinsically linked to password_hash and thought that it would do the same regardless of hashing / salting.  I'll switch it back and see how I get on.

17 minutes ago, Carlos1973 said:

I didn't realise that password_verify() was intrinsically linked to password_hash

There's a clue in the manual

[image: screenshot of the PHP manual page]

TIP: try reading it occasionally, such as when you use a function and you have no idea what it does.


Thanks (for the sarcasm) Barand - I got that bit, but what I didn't pick up was that verify works on hashed passwords only, not unhashed ones.

Still, we aren't all lucky enough to pick it all up in one morning the way you did.   Also - there's a manual? 

Thanks Requinix - that was my problem; (note to self: password_verify is verifying the hash - not the password behind it).  Rookie mistake.
