PHP/MySql Login Form - Verify Password Not Functioning

Question

I am working on a login form script I obtained from a tutorial from https://codeshack.io/secure-login-system-php-mysql/. I have followed all steps, but every single time I click login, I get the innermost else statement error of "Incorrect username and/or password!". I have verified that I am connected to the DB correctly. I only have one row in my table as I'm only in testing stages at the moment, and I have verified that I'm typing the password correctly. Here is the code:

$con = mysqli_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if ( mysqli_connect_errno() ) {
 // If there is an error with the connection, stop the script and display the error.
 die ('Failed to connect to MySQL: ' . mysqli_connect_error());
}
// Now we check if the data was submitted, isset will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
 // Could not get the data that should have been sent.
 die ('Username and/or password does not exist!');
}
// Prepare our SQL 
if ($stmt = $con->prepare('SELECT id, password FROM users WHERE username = ?')) {
 // Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
 $stmt->bind_param('s', $_POST['username']);
 $stmt->execute(); 
 $stmt->store_result(); 
 // Store the result so we can check if the account exists in the database.
 if ($stmt->num_rows > 0) {
  $stmt->bind_result($id, $password);
  $stmt->fetch();      
  // Account exists, now we verify the password.
  if (password_verify($_POST['password'], $password)) {
   // Verification success! User has loggedin!
   $_SESSION['loggedin'] = TRUE;
   $_SESSION['name'] = $_POST['username'];
   $_SESSION['id'] = $id;
   echo 'Welcome ' . $_SESSION['name'] . '!';
  } else {
   echo 'Incorrect username and/or password!';
  }
 } else {
  echo 'Incorrect username and/or password!';
 }
 $stmt->close();
} else {
 echo 'Could not prepare statement!';
}

if (password_verify) is where I'm hitting the else statement when I want to be entering the if statement for a successful login. I am a little leery of "selecting id,password from the db where username = ?" because shouldn't "username = ?" be equal to what the user has entered into the input field that is named username instead of "?"? (new to PHP and MySQL - maybe I'm completely wrong in this thinking!)

Does anybody have any idea what's happening? I really appreciate the help!

P.S. I am absolutely sure the password verify else is the error message I'm receiving as on my end, I changed the echo statement from the one below it to avoid confusion.

I have 2 questions. 1) Did you in fact save the hash as `password_hash()` to begin with? 2) What is the password column's type and length? — Funk Forty Niner, Dec 28 '18 at 17:35
Also, if there happens to be any possible errors, enable error reporting http://php.net/manual/en/function.error-reporting.php and use `mysqli_error($con)` on the query. *Anything?* — Funk Forty Niner, Dec 28 '18 at 17:39
And lastly; how this is used. Using an HTTP protocol or as `file:///` directly into your web browser? You can ping me with `@Funk` if I'm no longer around. Just wondering where *you* are though. Some tend to logout after posting and we don't know when you will be back if you did logout. — Funk Forty Niner, Dec 28 '18 at 17:43
and to add to @FunkFortyNiner 's comment debug with `var_dump(..)` in combination with `exit();` to see if you get the correct values before flow control statements like if... for example `var_dump($_POST['password']); var_dump($password); exit(); if (password_verify($_POST['password'], $password)) {` — Raymond Nijland, Dec 28 '18 at 17:44
@FunkFortyNiner, I'm still here! I did notice the comments in the code said it used the password_hash function and I didn't see it implemented anywhere. Password column is varchar(255) (as directed by the tutorial). I will enable error reporting and get back soon. I'm currently operating on my AWS EC2 Windows Instance on which I installed PHP and MySQL, along with IIS. Therefor, I have my files saved inside the wwwroot folder so I can view them on my domain in Chrome. — Ashleigh, Dec 28 '18 at 17:50

score 0 · Answer 1 · answered Dec 28 '18 at 17:55

0

As @FunkFortyNiner suggested, I implemented a password_hash function:

$password = password_hash('password', PASSWORD_DEFAULT);

My issue is now resolved. Thank you very much!

answered Dec 28 '18 at 17:55

Ashleigh

36
1
8

For clarification, where about did you put the `password_hash` call? Or did you generate a password using that and stored it in the database? – Richie Hughes Dec 28 '18 at 18:00
I put it right before the if statement that checks if the number of table rows is greater than 0. – Ashleigh Dec 28 '18 at 18:02
I'm not sure you want to call the `password_hash` function in the login code - You should be able to pass the user entered password and the hash from the database and it should work. I wonder if the result isn't being bound to the `$password` variable properly and because you've generated a hash from the user supplied password it works. If you login with a wrong password & the correct username does it still login? If so, then the issue is with the `bind_result` function (or something similar) – Richie Hughes Dec 28 '18 at 18:17

PHP/MySql Login Form - Verify Password Not Functioning

1 Answers1