
The code below is a login system. The username is Administrator and the password is Password (you can change it later on). What it does now is, after the form is sent, it just displays the login page. I can't find anything wrong with it. Please help. The error_log file shows nothing. It might be the password not hashing correctly, as I set the password using

echo password_hash("password", PASSWORD_DEFAULT);

and just inserting the result.

<?php
session_start();
$message = "";
require 'settings.php';

if (count($_POST) > 0) {
    $username = mysqli_real_escape_string($_POST['user_name']);
    $password = mysqli_real_escape_string($_POST['password']);

    $result = mysqli_query("SELECT * FROM members WHERE username='" . $username . "'");
    $row = mysqli_fetch_array($result);
    if (is_array($row)) {
        $hash = $row['password'];
        $passwordcheck = password_verify($password, $hash);
    }
    if ($hash == $passwordcheck) {
        $_SESSION["user_id"] = $row['id'];
        $_SESSION["user_name"] = $row['username'];
    } else {
        $message = "Invalid Username or Password!";
    }
    if (isset($_SESSION["user_id"])) {
        mysqli_query("DELETE * FROM LoginAttempts WHERE IP='" . $ip . "'");
        header("Location:dashboard.php");
    }
}
?>
<div class="panel-body">
    <form name="frmUser" method="post" action="">
        <fieldset>
            <div class="form-group">
                <input class="form-control" placeholder="Username" name="user_name" type="username" autofocus>
            </div>
            <div class="form-group">
                <input class="form-control" placeholder="Password" name="password" type="password" value="">
            </div>
            <input type="submit" name="submit" value="Submit" class="btn btn-success btn-lg btn-block">
        </fieldset>
    </form>
    <?php
    if ($locked == 'yes') {
        echo "Sorry you are locked out of the system. Please try again in";
        echo $timeleft;
    }
    ?>
</div>

Edit: Now I get these errors:

[15-Nov-2015 07:00:58 Europe/Moscow] PHP Warning: mysqli_connect(): (28000/1045): Access denied for user 'laughin1'@'176.31.10.37' (using password: NO) in /home/laughin1/public_html/admin/index.php on line 9
[15-Nov-2015 07:00:58 Europe/Moscow] PHP Warning: mysqli_select_db() expects exactly 2 parameters, 1 given in /home/laughin1/public_html/admin/index.php on line 10
[15-Nov-2015 07:00:58 Europe/Moscow] PHP Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/laughin1/public_html/admin/index.php on line 11
[15-Nov-2015 07:00:58 Europe/Moscow] PHP Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/laughin1/public_html/admin/index.php on line 12
[15-Nov-2015 07:00:58 Europe/Moscow] PHP Warning: mysqli_query() expects parameter 1 to be mysqli, boolean given in /home/laughin1/public_html/admin/index.php on line 14
[15-Nov-2015 07:00:58 Europe/Moscow] PHP Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in /home/laughin1/public_html/admin/index.php on line 15

BUT if I change the MySQLi to MySQL everything is fine.

  • Try `var_dump` on your `$row`, what does it show? Also, after the `header` line, it is better to add `exit()` – Andrew Nov 15 '15 at 01:52
  • Yes. It is definitely something wrong with the hashing, because if I dehash the passwords it works. –  Nov 15 '15 at 01:55
  • You use `password_verify` to verify the password; you don't hash the login password again, because it will generate a whole new hash, and that's why it doesn't match – Andrew Nov 15 '15 at 02:01
  • @andrew thanks. However, how do I check the password using the hash if that is stored in the password I previously hashed? –  Nov 15 '15 at 02:31

2 Answers


When a user registers, you use password_hash to hash their password and store it in the database, and when a user tries to log in, you use password_verify to verify their password.

Procedure:

register->password_hash()->save_in_db()
login->fetch_hash_column_from_their_username->password_verify()
if verified->set_session->redirect, else stay_in_the_same_page

Add some validation to your form, so that users cannot hit your database constantly, which creates a high load; it also provides (slightly) some protection for your site.

Also, after this line

header("Location:dashboard.php");

Add

exit();

For more info about why, see: Why I have to call 'exit' after redirection through header('Location..') in PHP?

Update:

password_verify accepts two arguments, (string $password, string $hash): you put the login password as the first argument and the hash stored in your database as the second argument. It returns true if they match, else it returns false.

– Andrew
  • Does that mean I have to write two queries? 1. Getting the hash using only the user (this would be row['password'];), then verify using the now gathered hash, and then check the now verified password against the one in the database? @Andrew –  Nov 15 '15 at 02:52
  • There's only one query: fetch the hash for the form's username, so sth like `SELECT hash FROM user_table WHERE username = x`, and then you can verify the password using `password_verify` – Andrew Nov 15 '15 at 02:56
  • I saw one mistake.. it should be `if ($passwordcheck === true)` – Andrew Nov 15 '15 at 03:04
  • Why 3 `===`? Also thanks for your help, this has been really needed. –  Nov 15 '15 at 03:05
  • @user3579312 `==` compares excluding type, and `===` compares with type... you can also write it as `if ($passwordcheck)`. From the doc: http://php.net/manual/en/language.operators.comparison.php – Andrew Nov 15 '15 at 03:09
  • I would be delighted to upvote. The solution works and I will also add parts to the password changing section. Cheers! –  Nov 15 '15 at 03:25
  • Now it shows heaps of errors. I have listed them in the OP, could you assist? –  Nov 15 '15 at 04:05
  • @user3579312 it would be better to open another question, as this looks like it's about a connection problem... did you alter your connection? I use `PDO` so it may differ from my experience – Andrew Nov 15 '15 at 04:06

Adding to the password_verify comment by Andrew:

$encryptedPassword = password_hash($userSignupPassword, PASSWORD_BCRYPT);

The value in $encryptedPassword is stored in the DB (typically), i.e. on successful user signup.

On login, fetch the user's hash; a typical select would be on email, assuming that's the unique identifier for users:

$hash = findUserByEmail($email); // dummy function, you implement this

$isAuth = password_verify($userLoginPassword, $hash);

See http://php.net/manual/en/function.password-verify.php

TIP: if $isAuth is true, then you should store a new hash of the password in the DB; it is better to have dynamic hashes for each password.

– jasonlam604
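As an added example (not code from the question or from either answer), here is the register/login flow both answers describe, written against an in-memory SQLite database through PDO so it runs without a MySQL server. The `members` table and its `id`, `username` and `password` columns follow the question's code; the sample account is constructed.

```php
<?php
// Added example: password_hash() on registration, password_verify() on login,
// with a parameterised query instead of mysqli_real_escape_string().
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// register -> password_hash() -> save_in_db(): only the hash is stored.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// login -> fetch hash by username -> password_verify(): one query, one
// parameter. Returns the member row (without the hash) on success, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a throwaway hash so the response time
        // does not reveal which usernames exist.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null; // wrong password
    }
    // If PASSWORD_DEFAULT or its cost has changed since the hash was stored,
    // re-hash now while the plaintext is available (the "dynamic hash" tip).
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE members SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    unset($row['password']);
    return $row;
}

registerUser($db, 'Administrator', 'Password');          // constructed sample account
var_dump(authenticate($db, 'Administrator', 'Password')); // valid credentials
var_dump(authenticate($db, 'Administrator', 'wrong'));    // wrong password
var_dump(authenticate($db, 'nobody', 'Password'));        // unknown user
```

In the page handler, a non-null result is where `$_SESSION["user_id"]` gets set, followed by `header("Location:dashboard.php")` and `exit()` so nothing after the redirect runs.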