
I'm not very familiar with security, therefore I rely on what I find on the internet. I found a site of someone who explains a bit what he does and how his method works. People may copy-paste it to ease things up. Though I do understand quite a lot, I couldn't come up with it myself (I'm pretty new to PHP/XHTML, etc.).

The website: How to store safely with PHP and MySQL

He uses PDO in his tutorial, and I am able to store the information in the database. But when I try to use the script in which he provides the code for actually logging in, it seems to contain errors.

I've worked everything out and everything works fine, but the comparison of the hashed password with the inserted password (with the hash, etc.) does not work properly.

What is going on here?

Thanks in advance!

EDIT

People have been asking for the code so, here it is:

    <?php
    session_start();
    require('config.php');

    // Setting up a connection; throw on errors instead of failing silently
    $MyConnection = new PDO('mysql:host=*;dbname=*', $dbuser, $pass);
    $MyConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Retrieving information from form.
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Look the user up by name only; the password is checked in PHP, not in SQL.
    $sth = $MyConnection->prepare("SELECT * FROM AMP_Users WHERE Username = :username LIMIT 1");
    $sth->bindParam(':username', $username);
    $sth->execute();

    // fetch() returns false when no row matched, so guard before reading ->hash.
    // The property name must match the column that actually holds the crypt() output.
    $user = $sth->fetch(PDO::FETCH_OBJ);

    // Hashing the password with its hash as the salt returns the same hash
    if ($user !== false && crypt($password, $user->hash) === $user->hash) {
        echo 'You are now logged in. If we actually used sessions this time.';
    }

I will add a $_SESSION['name'] = $username, once the code starts to work. Until now I simply echo out if it worked out or not. And it doesn't show anything, so it doesn't work.

SECOND EDIT

Just as a quick update, the script provided by me is the WHOLE script. Nothing is left out (except names of databases, etc.). Therefore I wonder if the problem may be that I don't use the hashing script for saving the passwords into the database. Though I have put it in, it still doesn't respond. Am I still doing something wrong?

Jesse Dijkstra

4 Answers


Maybe you have to check the length of the field in which you store the password in the database... If the length is small then the hashed password will not be stored as a whole; you will store only part of it!

Csalt
  • I use simple text. Not a varchar, which would limit the amount of characters I could store. The database settings are fine. The fault must be in the code. – Jesse Dijkstra Sep 26 '13 at 18:04
    <?php
    if ($_POST):

        $name = $_POST['username'];
        // One fixed bcrypt salt shared by every user, so the stored value is
        // reproducible at login and can be compared inside the SQL query.
        // A bcrypt salt is exactly 22 characters from [./0-9A-Za-z] after the
        // "$2a$07$" prefix; any other character (such as a trailing "$") makes
        // crypt() return an empty string instead of a hash.
        $pass = crypt($_POST['password'], '$2a$07$Hd893nD39Jdjd48Jdh3nDe');

        $conn = new PDO('mysql:host=*; dbname=*', 'root', '');
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

        $stmt = $conn->prepare('SELECT * FROM user WHERE name = ? AND password = ?');
        $stmt->execute(array($name, $pass));

        // rowCount() reports SELECT rows with the MySQL driver (other drivers do not guarantee this).
        if ($stmt->rowCount() === 0) {
            echo 'Your Username / Password is incorrect. Please try again';
        } else {
            echo 'login success';
        }

    endif;
samayo
    An added explanation would be beneficial for all, especially the OP ;-) – Funk Forty Niner Sep 26 '13 at 18:12
  • @Fred-ii- You are right :) But, I thought the answer itself was self-explanatory – samayo Sep 26 '13 at 18:15
  • $sth stands for Statement Handle, just like $dbh would stand for Database Handle. Furthermore, I just copy-pasted the script from the website provided in my main information. I do understand most, if not all, of it. Still there are some errors in it, and I quite cannot find them. – Jesse Dijkstra Sep 26 '13 at 18:17
  • @JesseDijkstra Well, don't be shy. Tell me what the error say – samayo Sep 26 '13 at 18:19
  • @Simon_eQ, There are no errors. I'm telling what the problem is. It's not comparing the passwords right to each other, therefore not allowing me to let the user log in. – Jesse Dijkstra Sep 26 '13 at 18:24
  • @JesseDijkstra then your problem is here http://stackoverflow.com/questions/11974091/why-is-crypt-generating-different-results – samayo Sep 26 '13 at 18:30
  • @Simon_eQ, Oh God.. I'm sorry, but I can't make anything up from this. I might be missing it, but I'm not sure if this is very relevant to my question. Well, it probably is. Though I can't really connect the dots. I'm new to PHP and used simple mysql(i)_* functions. And only recently (2 days ago) I started to use PDO, since it's safer. – Jesse Dijkstra Sep 26 '13 at 18:38
  • @JesseDijkstra Well, in that case, just take it simple... simply connect without crypt; that is only useful if someone steals your database. Other than that, PDO is completely safe from mysql injection or other vulnerability attacks. I praise you for trying to learn how to crypt, but take it slowly, and understand PDO first – samayo Sep 26 '13 at 18:43
  • check `$password = 'abcd';` `echo crypt($password);` does it give you a new result every time you refresh – samayo Sep 26 '13 at 18:46
  • Outcome 1: $1$MmD58dWx$p3BigrSJTEqrhcU3hCcu1. Outcome 2: $1$GpHR3f4.$mmiRqRjp.4Ux88/h9MA7d0 Outcome 3: $1$rfkDtkIl$LeAcZJbk19RwoZvJjyPk5/ So yeah, it does. – Jesse Dijkstra Sep 26 '13 at 18:52
  • @Simon_eQ, Thanks. So how could I still connect the user to my website? So that they can log in? – Jesse Dijkstra Sep 26 '13 at 18:56
  • So, there is something fundamentally wrong with the way you are encrypting it, and the fact it does not let you log in is because your salt is changing on each page refresh, and you are not getting the accurate result. Anyway, I have included a simple example for you to start with. – samayo Sep 26 '13 at 19:00
  • Well, don't be shy. Let it out, c'mon. lets hear it. – samayo Sep 26 '13 at 19:10
  • prepare('SELECT * FROM AMP_Users WHERE Username = :username AND Password = :password LIMIT 1'); $stmt->bindParam(':username', $username); $stmt->bindParam(':password', $password); if($stmt->rowCount() === 0){ echo 'Your Username / Password is incorrect. Please try again'; }else{ echo 'login success'; } ?> – Jesse Dijkstra Sep 26 '13 at 19:16
  • @JesseDijkstra You are starting to irritate me, this is not the script I gave you, plus where is the error? I don't see it – samayo Sep 26 '13 at 19:24
  • @Simon_eQ, I'm trying to use bindParam() to make it safer against MySQL injections, instead of using an array to fill in the 'blank' spots. I'm sorry if I'm starting to irritate you. I don't get any errors, except for the echo of 'Your Username / Password is incorrect. Please try again'. – Jesse Dijkstra Sep 26 '13 at 19:28

I modified it to run in mysqli and it works fine:

    // Assumes $dbConAU is an open mysqli connection (new mysqli(host, user, pass, db)).
    function checkLogin(mysqli $dbConAU, $UserName, $Password)
    {
        $getAuth = $dbConAU->prepare("SELECT Password FROM Users WHERE UserName=? LIMIT 1");

        $getAuth->bind_param("s", $UserName);
        $getAuth->execute();
        $hash = null;                 // stays null when no row matched
        $getAuth->bind_result($hash);
        $getAuth->fetch();
        $getAuth->close();

        // Re-hash with the stored hash as the salt; equality means the same password.
        if ($hash !== null && crypt($Password, $hash) == $hash) {
            return "OK";
        } else {
            return "Not OK";
        }
    }
Snowburnt
  • Hmm.. This works a little better. bind_param does not exist, so I just use bindParam(':username', $username). – Jesse Dijkstra Sep 26 '13 at 19:40
  • bind_param is a mysqli method, not pdo – Snowburnt Sep 26 '13 at 19:42
  • I see. That's why I used bindParam(); Though I still can't get bind_result() to work. Since my script somehow sees it as an PDO statement.. – Jesse Dijkstra Sep 26 '13 at 19:45
  • you have to change your connection to mysqli(server, username, password, database) to use mysqli methods – Snowburnt Sep 26 '13 at 19:50
  • Hmm... I would risk MySQL injections though. And it has happened to me once that a virus came into my files on a subdomain a friend gave me on his website. – Jesse Dijkstra Sep 26 '13 at 19:52
  • no, you wouldn't, that's what the bind_param method takes care of. – Snowburnt Sep 26 '13 at 19:52
  • Still getting an error here: Call to a member function bind_param() on a non-object. On this line: $getAuth->bind_param(':username', $username); – Jesse Dijkstra Sep 26 '13 at 20:01
  • your line: $MyConnection = new PDO('mysql:host=*;dbname=*', $dbuser, $pass); needs to look like this: $MyConnection = new mysqli([MYSQL DATABASE SERVER], $dbuser, $pass, [MY SQL database]); – Snowburnt Sep 26 '13 at 22:19
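The idiom both the question and the mysqli answer rely on, `crypt($password, $hash) == $hash`, only works when the salt at login time is read back out of the stored hash rather than generated fresh (the point samayo makes in the comments above). The script below is an added example, not code from the question or from any answer: it uses PHP's `password_hash()`/`password_verify()` (PHP 5.5+, bcrypt underneath) in place of raw `crypt()`, because they generate a random per-user salt, embed it in the stored string, and compare in constant time. It assumes PHP 7 or newer with `pdo_sqlite` available, and the `AMP_Users`/`Username`/`Password` names from the question; the in-memory SQLite database and the users it inserts are constructed so the file runs offline.

```php
<?php
// Added example (not from the original thread): register + login with PDO,
// using password_hash()/password_verify() instead of hand-built crypt() salts.
// Assumes PHP >= 7 and the pdo_sqlite extension; table/column names follow the question.

$db = new PDO('sqlite::memory:');   // constructed stand-in for the MySQL DSN in the thread
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE AMP_Users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');

// Registration: store the salted hash, never the password itself.
function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() draws a random 22-character salt and embeds algorithm id,
    // cost and salt in the returned string ("$2y$10$<salt><hash>"), so nothing
    // else has to be stored. bcrypt only looks at the first 72 bytes of input.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $db->prepare('INSERT INTO AMP_Users (Username, Password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: select by username only, then verify in PHP.
// Putting the hash in the WHERE clause cannot work with per-user salts, because
// the salt is only known after the row has been read.
function verifyLogin(PDO $db, string $username, string $password): bool
{
    // Dummy hash, computed once per process, so an unknown username still costs
    // one bcrypt run and response time does not reveal whether the account exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => 10]);
    }

    $stmt = $db->prepare('SELECT Password FROM AMP_Users WHERE Username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    $hash = $row ? $row['Password'] : $dummyHash;

    // password_verify() re-runs bcrypt with the salt taken from $hash and compares
    // in constant time: the same thing as crypt($password, $hash) === $hash.
    $ok = password_verify($password, $hash);
    return $row !== false && $ok;
}

// Why the question's comparison never matched: crypt() with a newly generated
// salt yields a different string every call, so two hashes of the same password
// are never equal. The salt must come from the stored hash, not from the login.
function freshSaltHashesDiffer(string $password): bool
{
    $a = crypt($password, '$1$' . bin2hex(random_bytes(4)) . '$');   // MD5-crypt, random 8-char salt
    $b = crypt($password, '$1$' . bin2hex(random_bytes(4)) . '$');
    return $a !== $b;
}

registerUser($db, 'alice', 'correct horse battery staple');   // constructed test user
var_dump(verifyLogin($db, 'alice', 'correct horse battery staple'));   // bool(true)
var_dump(verifyLogin($db, 'alice', 'wrong password'));                 // bool(false)
var_dump(verifyLogin($db, 'mallory', 'not-a-real-password'));          // bool(false)
var_dump(freshSaltHashesDiffer('correct horse battery staple'));       // bool(true)
```

Run it with `php login_example.php`. The cost of 10 here is a floor for a 2013-era server; the `$2a$07$` cost in one of the answers above is considerably cheaper to brute-force, and raising the cost later is harmless because `password_verify()` reads the cost back out of each stored hash. Once `verifyLogin()` returns true, the `$_SESSION['name'] = $username` the question plans to add should be preceded by `session_regenerate_id(true)` so a session id fixed before login is not carried over.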

I know this thread is a few months old but someone might find this SunnyTuts PHP PDO login and registration tutorial helpful. I found both this thread and the tutorial while looking for a secure way to allow users to log in. Being new to PHP and web design I found it a small bit hard to follow, but I'm sure it will seem like a piece of cake to some of you....

billy t