
I have successfully managed to store a hashed password in my database when the user creates an account; however, when they go to log in with the correct password it returns the 'wrong password' error message I implemented.

```php
$username = ($_REQUEST['username']); 
$password = ($_REQUEST['password']);

if(isset($username) && isset($password)){
        
    $sql = "SELECT password FROM users WHERE username = '$username';";
    $result = mysqli_query($con, $sql);
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $storedpw = $row['password'];
    
    //checking the stored pw against the entered one
    if(password_verify($password, $storedpw)) {
        mysqli_close($con);
        $_SESSION["userVal"] = $username;
        $_SESSION["user_image"] = $image;
        header("location: adminPage.php");
    } else {
        $errmsg = "Invalid Username or Password.";
    }
}
```

When I run this I am given the following error messages from PHP:

```
[Mon May 30 14:14:10.631018 2016] [:error] [pid 7928:tid 1492] [client ::1:54231] PHP Notice: Undefined index: username in D:\UniServerZ\www\GRADEDUNIT1\login2.php on line 19
[Mon May 30 14:14:10.631018 2016] [:error] [pid 7928:tid 1492] [client ::1:54231] PHP Notice: Undefined index: password in D:\UniServerZ\www\GRADEDUNIT1\login2.php on line 20
[Mon May 30 14:14:10.631018 2016] [:error] [pid 7928:tid 1492] [client ::1:54231] PHP Notice: Undefined variable: errmsg in D:\UniServerZ\www\GRADEDUNIT1\login2.php on line 106
```

However, when I echo out the variables they are defined. They come from the login form:

```html
<form action="" method="post">
    <input type="text" name="username" placeholder="Username" class="input" />
    <input type="password" name="password" placeholder="Password" class="input" />
    <br/><br/>
    <!--<div class="g-recaptcha captcha" data-sitekey="6LcLdyATAAAAAE3WODrfikLzWadSCUKzhfuxFEXf"></div>
    <br/>-->
    <input type="submit" class="button button-primary" value="Log In" id="login"/> 
</form>
```

So my ultimate question is: why is this returning false when it should be a match? I have written out the MySQL statement and checked it, and it seems fine! I'm stuck.

  • Please provide code around lines 19, 20 and 106 in `login2.php` file – Justinas May 30 '16 at 13:21
  • 1
    Your code is vulnerable to [SQL Injection](https://www.owasp.org/index.php/SQL_Injection), e.g. because of `WHERE username = '$username';`. Please use [Prepare](http://php.net/manual/en/mysqli.prepare.php) to build your queries, instead of adding external parameters directly to your query. – Manfred Radlwimmer May 30 '16 at 13:21
  • Some sensible code indentation would be a good idea. It helps us read the code and, more importantly, it will help **you debug your code**. [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly May 30 '16 at 13:24
  • You are supposed to check that things like `$_REQUEST['username']` exist before using them i.e. `isset($_REQUEST['username'])` NOT test the field you failed to load from `$_REQUEST['username']` – RiggsFolly May 30 '16 at 13:27
  • If `$_REQUEST['username']` is `Undefined index: username` then `$username` will also contain NOTHING and the query will not do as you expect – RiggsFolly May 30 '16 at 13:28
  • if both the $_REQUEST values are NOT SET then it will not even get into this `if(isset($username) && isset($password)){` statement – RiggsFolly May 30 '16 at 13:29
  • I do like to present neat code; I understand the importance of it. When I am building it tends to go awry, and on presentation I tidy it up. I am still a student. I understand what this code does and how it does it, however this is stumping me. The lines of code `$username = ($_REQUEST['username']); $password = ($_REQUEST['password']);` are lines 19 and 20. – red_starz May 30 '16 at 13:31
  • They are set though, that is what is confusing me; when I echo them out to check they return what the user would have entered. – red_starz May 30 '16 at 13:32
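A hardened version of the login handler, added here as an example and not the asker's code: it only runs on a POST that carries both fields (a plain GET of the same page has no fields, which is what produces the "Undefined index" notices), initialises `$errmsg` before use, binds the username through a prepared statement as the comments recommend, and regenerates the session id on success. It assumes `$con` is an open mysqli connection and a `users` table with `username` and `password` columns; the `user_image` session value is left out because the page does not show where `$image` is set.

```php
<?php
// Added example, not the asker's code. Assumes $con is an open mysqli
// connection and the form posts to this script. The `password` column must
// hold the full password_hash() output (60 chars for bcrypt; 255 is the
// usual advice): a truncated hash makes password_verify() fail every time.
session_start();

$errmsg = '';  // defined up front so the template never sees an undefined variable

// Only handle a real form submission; rendering the form via GET has no
// username/password fields, which is exactly what the notices above report.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['username'], $_POST['password'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Prepared statement: the username travels as a bound parameter, never
    // spliced into the SQL text, so its contents cannot alter the query.
    $stmt = mysqli_prepare($con, 'SELECT password FROM users WHERE username = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedpw);
    $found = (bool) mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // Run password_verify() against a throwaway hash when the user does not
    // exist, so response time does not reveal which usernames are valid.
    $hashToCheck = $found ? $storedpw : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hashToCheck) && $found;

    if ($ok) {
        session_regenerate_id(true);   // fresh session id after a privilege change
        $_SESSION['userVal'] = $username;
        mysqli_close($con);
        header('Location: adminPage.php');
        exit;                          // never keep rendering the login page after the redirect
    }

    // One message for both "unknown user" and "wrong password".
    $errmsg = 'Invalid Username or Password.';
}
```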

0 Answers