-1

I've got a light application i'm putting together as I get myself started, and I'm a touch confused.

I've set my database column for passwords to be 255, and used the password_hash function to get a hash, which I inserted.

But now the following ALWAYS returns false;

if (isset($_POST[submit])) {
    $link = mysqli_init();
    
    $mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_DATABASE);
    if ($conn->connect_error) {
        echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
    }

    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = $mysqli->prepare("SELECT * FROM `admins` WHERE `username` = (?)");
    $query->bind_param('s', $username);
    echo $mysqli->error;
    $query->execute();
    $result = $query->fetch(PDO::FETCH_ASSOC);

    print_r($result);

    if (!$result) {
        echo '<p class="error">Username password combination is wrong!</p>';
    } else {
        if (password_verify($password, $result['password'])) {
            $_SESSION['user_id'] = $result['id'];
            header('Location: results.php');
        } else {
            echo '<p class="error">Username password combination is wrong!</p>';
        }
    }
}

Its just a small login form, a username, a password field and a submit button, but no matter what I try, every solution here seems to mention a column length being 60, and should be 255, which mine is. Any help would be appreciated.

Edit; updated the snippet to show more... result isn't printing which means its not getting anything from what I can tell?

Lelio Faieta
  • 6,457
  • 7
  • 40
  • 74
TheVenix
  • 1
  • 1
  • 1
    Check the most basic steps first: is `$password` the unaltered password from the input and is it correct? – El_Vanja Apr 16 '21 at 12:19
  • There's not enough information here to allow us to determine what the issue is. What debugging have you done so far? – ADyson Apr 16 '21 at 12:19
  • 3
    Have you checked what `$result['password']` is? Can you show us your `password_hash` implementation? – ceejayoz Apr 16 '21 at 12:20
  • First parameter is the original password, second parameter is the hash (from password_hash()). Please read the documentation instead of guessing things... – Honk der Hase Apr 16 '21 at 12:23
  • Does this answer your question? [password\_verify doesn't verify hash](https://stackoverflow.com/questions/26721833/password-verify-doesnt-verify-hash) – Kim Hallberg Apr 16 '21 at 12:23
  • @LarsStegelitz It seems to me that's the exact order in OP's code (`$result` seems to be the DB row, judging by further use). – El_Vanja Apr 16 '21 at 12:26
  • Updated to show more stuff folk, apologies, it seems result isn't pulling anything? – TheVenix Apr 16 '21 at 12:30
  • 1
    You're binding the password to the where clause, but you're looking for the username, switch `$password` binding to `$username` instead. – Kim Hallberg Apr 16 '21 at 12:31
  • _"...result isn't printing..."_ - are you saying you're not seeing the `print_r` at all? – El_Vanja Apr 16 '21 at 12:33
  • You also create the variable `$link`, while using `$conn` afterwards. You should always check your error logs or [display PHP errors](https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display) while developing. – El_Vanja Apr 16 '21 at 12:35
  • FYI as an aside, `if ($conn->connect_error) { echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);` is a mess. 1) "could not able to" isn't grammatically correct English. You could say "Unable to" instead. 2) `execute` makes no sense here because the error is triggered by connecting to the DB, not executing a query. Change `execute` to `connect`. 3) `mysqli_error` doesn't report connection errors. 4) `$conn` doesn't seem to exist - `$mysqli` is your connection object. Change to `if ($mysqli->connect_error)` and then also echo `$mysqli->connect_error` instead of mysqli_error – ADyson Apr 16 '21 at 12:36
  • aside cont'd.... 5) `$sql` is defined in that context either. Fully changed code: `if ($mysqli->connect_error) { echo "ERROR: Unable to connect - " .$mysqli->connect_error;`. 6) You really need to stop the script there with `exit();` if the connection fails, because you can't do anything else useful after that. Otherwise you'll just end up with more errors where the code tries to run queries without a valid connection. – ADyson Apr 16 '21 at 12:38
  • 2
    But better still, avoid all the clumsy if statements for error checking by just telling mysqli to throw exceptions properly. (Obviously this requires you to also have error logging enabled in PHP.) See these guides if you need help setting those things up: https://stackify.com/php-error-logs-guide/ (php error logging/reporting) https://stackoverflow.com/a/22662582/5947043 (mysqli exception reporting) – ADyson Apr 16 '21 at 12:40
  • 1
    Thanks for the asides, this is all new to me so I'm piecing it all together, english isn't native either so thank you for clarification. – TheVenix Apr 16 '21 at 12:41

1 Answers1

0

Okay I figured the problem out.

I'd not included a bind_result to lock the results down in a way I could access, the below code worked correctly.

if (isset($_POST[submit])) {
    $mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_DATABASE);

    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = $mysqli->prepare("SELECT * FROM `admins` WHERE `username` = ?");
    $query->bind_param('s', $username);
    $query->execute();
    $query->bind_result($id, $user, $pass);
    $result = $query->fetch();

    print_r($pass);

    if (!$result) {
        echo '<p class="error">Username password combination is wrong!</p>';
    } else {
        if (password_verify($password, $pass)) {
            $_SESSION['user_id'] = $id;
            header('Location: results.php');
        } else {
            echo '<p class="error">Username password combination is wrong!</p>';
        }
    }
}
Dharman
  • 30,962
  • 25
  • 85
  • 135
TheVenix
  • 1
  • 1
  • 1
    ....out of curiosity:executing that code is not triggering a warning that the constant `submit` hasn't been defined? – Nico Haase Apr 16 '21 at 12:38
  • It is yeah, thats my next thing to work through. Do I just... declare it somewhere? Its the submit button on the HTML form that calls it, which works for now, just unsure what the fix is.. this is all pretty new to me – TheVenix Apr 16 '21 at 12:41
  • It merely needs to be quoted. An associative index is a string. – El_Vanja Apr 16 '21 at 12:48
  • Did you declare that constant anywhere or didn't you? Adding a button to a HTML form is not the same as declaring a constant, so probably you want to use `$_POST['submit']` – Nico Haase Apr 16 '21 at 12:48