How to check username and password match

Question

I'm trying to check if a users entered username and password matches an entry from the database using PDO, but for some reason cannot seem to get it working.

The database table is called user_info and the rows from which i'm trying to grab the username and password from are username and pass respectively. I'm not entirely sure how to check if the users input information matches a database entry, then make a decision on where to send them based on if it returns true or false.

Also, i've obviously got the prerequisites such as including a file that connects to the database, which i know whose information is correct.

I've had a stab in the dark on the if ($username) etc, but clearly it's incorrect.

HTML

            <form method="post">
                <label for="username2">Username</label>
                <input type="text" name="username">
                <label for="password">Password</label>
                <input type="text" name="password">
                <input type="submit" value="Login" name="login">
            </form>

PHP

                $username = $_POST['username'];
                $password = $_POST['password'];

                try {   

                    $result = $db->prepare("SELECT * FROM user_info WHERE username = :user AND pass = :pass");
                    $result->bindParam(':user', $username);
                    $result->bindParam(':pass', $password);
                    $result->execute();
                    $rows = $result->fetch(PDO::FETCH_NUM);
                }

                catch (Exception $e) {
                    echo "Could not retrieve data from database";
                    exit();
                }

                if ($username == "test" && $password == "test") {
                    $_SESSION['username'] = $username;
                    redirect('/add-property.php');
                } else {
                    if (isset($_POST['login'])) {
                        echo "Username or password incorrect";
                    }
                }

@The Peanut Gallery: I'm not being elitist, but i think i would be doing more harm than good by answering this question. An explanation of everything wrong with this code doesn't really fit into the rules and guidelines either. — r3wt, Jun 24 '14 at 03:13
@r3wt Are you referring to the checking of the username, as per my code, or the entirety of my code in general? I'm obviously not using plain text for passwords, it was simply a placeholder for testing purposes. — Nikki Mather, Jun 24 '14 at 03:16
1. don't select * when you only need the number of rows. ideally, you want to select every column anyway though as this is better. select the simplest column of your table, such the user_id to keep things light and efficient. 2. if isset($_POST['login']) should be if !empty($_POST) no need to cloud your post request with a form name. it should only have 2-3 query strings, the username and pass and optionally a csrf token. 3. use password_hash and password_verify for password hashing. please don't roll your own. 4. echoing exceptions are ok during testing. (continued) — r3wt, Jun 24 '14 at 03:23
#4(continued)don't do it during production. 5. don't store your sessions like that. instead, learn OOP, so that you can construct multidimensional user objects and store the information in a single session, keeping valuable database resources free for other tasks. ideally, you would get this information when the user attempts to login, requiring only a single query to perform all of the work. storing data in sessions like this ensures that the data is available for the duration of the users session without requiring extra calls to the database. 6. avoid writing spaghetti code, learn OOP. — r3wt, Jun 24 '14 at 03:27

score 1 · Answer 1 · answered Jun 24 '14 at 02:42

1

What you can do is look up the user in the database and then return row from the query. After you compare the password that was given by the user to authenticate and the one that the query returned then return them to where they need to go.

answered Jun 24 '14 at 02:42

Daemedeor

1,013
10
22

I've revised the code to this, which now allows me to properly authenticate. Is this the correct way to go about it, or am i doing something wrong (albeit i'm still getting the desired result)? Note: I only changed `"test"` for `$rows` - `if ($username = $rows && $password = $rows) { $_SESSION['username'] = $username; redirect('/add-property.php');} else { if (isset($_POST['login'])) { echo "Username or password incorrect"; }}` – Nikki Mather Jun 24 '14 at 02:52
There is no need to check the username because you're already searching for it right? but yeah essentially. – Daemedeor Jun 24 '14 at 03:45

score 0 · Answer 2 · answered Jun 24 '14 at 02:39

To find your bug, add this code instead of the catch in your code:

catch (PDOException  $e) {
    echo "Could not retrieve data from database ".$e->getMessage;
    exit();
}

You can also get your query sting to make sure it is correct like this:

echo $db->queryString;

score 0 · Answer 3 · answered Jun 24 '14 at 03:18

0

It seems that ($username == $rows && $password == $rows) is all i needed to change in the code to correctly authenticate the username and password.

answered Jun 24 '14 at 03:18

Nikki Mather

1,118
3
17
33

How to check username and password match

3 Answers3