mysql - PHP log in system password isn't matching

498

I have made a login system which enables a user to sign in using a previously defined email and password, however in the testing section, I have noticed the passwords say they don't match although I know they are correct as I wrote the test one down as I made it. I cant seem to see why this is happening, I think it may be something to do with my hashing of the passwords but I don't know what.The login page check is from document, login.php:

    if(empty($errors))
{
    $sql = "SELECT accountID, password FROM users WHERE emails=?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$data['email']]);

    if(!$row = $stmt->fetch())
    {
        // email didn't match
        $errors['login'] = "Login failed. on email";
    }
    else
    {
        // email matched, test password
        if(!password_verify($data['password'],$row['password']))
        {
            // password didn't match
            $errors['login'] = "Login failed. on password";
        }
        else
        {
            // password matched
            $_SESSION['user_id'] = $row['accountID'];
            header('location: welcome.php');
            die;
        }
    }
}

The insertion to the database with hashing is, from insert.php:

    if (isset($_POST['name'])){
        $name = $_POST['name'];
    }
    if (isset($_POST['email'])){
        $email = $_POST['email'];
    }
    if (isset($_POST['password'])){
        $pword = $_POST['password'];
    }
    if (isset($_POST['busName'])){
        $busName = $_POST['busName'];
    }

    if (empty($name)){
        echo("Name is a required field");
        exit();
    }
    if (empty($email)){
        echo ("email is a required field");
        exit();
    }
    if (empty($pword)){
        echo("You must enter a password");
        exit();
    }
    $pword = password_hash($pword, PASSWORD_DEFAULT)."/n";



//insert html form into database
$insertquery= "INSERT INTO  `cscw`.`users` (
`accountID` ,
`businessName` ,
`name` ,
`emails` ,
`password`
)
VALUES (
NULL ,  '$busName',  '$name',  '$email',  '$pword'
);";

and on the web page i am shown from login.php, "Login failed. on password". If you need to see any more code please let me know.

493

Answer

Solution:

It does not recognize $row['password']. Be always organized with your query **
1)Prepare
2)Execute
3)Fetch
4)Close
5)THEN YOU EXPLOIT the fetched data. The fetched data need to be sorted as shown with the returnArray function.

Hoping that there are UNIQUE emails and the$data array exists.Try this.

if(empty($errors))
{

    $sql = "SELECT accountID, password FROM users WHERE emails=:emails";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':emails', $data['email']);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->CloseCursor();
    $stmt=null;

    /* Return the results is a more handy way */
    function returnArray( $rows, $string )
    {
       foreach( $rows as $row )
       {
           return $row[ $string ];
       }
    }

   if( empty($rows) )
   {    // email didn't match
       $errors['login'] = "Login failed. on email";
   }
   else
   {      // email matched, test password
       if( !password_verify( $data['password'], returnArray($rows,'password') ) )
       {
          // password didn't match
          $errors['login'] = "Login failed. on password";
       }
       else
       {
          // password matched
          $_SESSION['user_id'] = $row['accountID'];
          header('location: welcome.php');
          die;
       }
   }
}

The login Page is not finished the query is not inserting. Be carefull you might be vunerable to SQL injections because your do not escape user manipulated variables.(To strengthen security add a form validation, it will be great).

You have used$pword = password_hash($pword, PASSWORD_DEFAULT)."/n"; I removed ."/n" part. I seems that you are using a concatenation operator '.' to add /n add the end of the password_hash.

Your $insertquery is not finished and not readable. You don't need to insert backticks in your query. And no need to SELECT accountID it will autoincrement (See if A_I for accountID is ticked in your database). Do something like this in your login page.

/* trim and escape*/
function escapeHtmlTrimed( $data )
{
    $trimed = trim( $data );
    $htmlentities = htmlentities( $trimed, ENT_QUOTES | ENT_HTML5, $encoding = 'UTF-8' );
    return $htmlentities;
}


if ( isset( $_POST['name'] ) ){
    $name = escapeHtmlTrimed( $_POST['name'] );
}
if ( isset($_POST['email']) ){
    $email = escapeHtmlTrimed( $_POST['email'] );
}
if ( isset($_POST['password']) ){
    $pword = escapeHtmlTrimed( $_POST['password'] );
}
if ( isset($_POST['busName']) ){
    $busName = escapeHtmlTrimed( $_POST['busName'] );
}

if ( empty($name) ){
    echo("Name is a required field");
    exit();
}
if ( empty($email) ){
    echo ("email is a required field");
    exit();
}
if ( empty($pword) ){
    echo("You must enter a password");
    exit();
}
/*Remove this your adding "./n"*/
$pword = password_hash($pword, PASSWORD_DEFAULT);



//insert html form into database
$insertquery= "INSERT INTO users (businessName ,name ,emails, 
password) VALUES (:busName , :name, :email , :pword)";
$stmt = $pdo->prepare($insertquery);
$stmt->bindParam(':busName', $busName);
$stmt->bindParam(':name', $name);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':pword', $pword);
$stmt->execute();
$stmt->CloseCursor();
$stmt=null;

People are also looking for solutions to the problem: php - Get the thumbnail contents in a variable instead of saving on a file

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.