This is my login.php page:

 <?php echo $loginError; ?>

        <form class="form-inline" action="<?php echo htmlspecialchars( $_SERVER['PHP_SELF'] ); ?>" method="post">

            <div class="form-group">
                <label for="login-username" class="sr-only">Username</label>
                <input type="text" class="form-control" id="login-username" placeholder="username" name="username">
            </div>
            <div class="form-group">
                <label for="login-password" class="sr-only">Password</label>
                <input type="password" class="form-control" id="login-password" placeholder="password" name="password">
            </div>
            <button type="submit" class="btn btn-default" name="login">Login!</button>

        </form>

And this is where I verify the password:

<?php
if( isset( $_POST['login'] ) ) {

// build a function to validate data
function validateFormData( $formData ) {
    $formData = trim( stripslashes( htmlspecialchars( $formData ) ) );
    return $formData;
}

// create variables
// wrap the data with our function
$formUser = validateFormData( $_POST['username'] );
$formPass = validateFormData( $_POST['password'] );

// connect to database
include('connection.php');

// create SQL query
$query = "SELECT username, email, password FROM users WHERE username='$formUser'";

// store the result
$result = mysqli_query( $conn, $query );

// verify if result is returned
if( mysqli_num_rows($result) > 0 ) {

    // store basic user data in variables
    while( $row = mysqli_fetch_assoc($result) ) {
        $user       = $row['username'];
        $email      = $row['email'];
        $hashedPass = $row['password'];
    }

    // verify hashed password with the typed password
    if( password_verify( $formPass, $hashedPass ) ) {

        // correct login details!
        // start the session
        session_start();

        // store data in SESSION variables
        $_SESSION['loggedInUser'] = $user;
        $_SESSION['loggedInEmail'] = $email;

        header("Location: profile.php");

    } else { // hashed password didn't verify

        // error message
        $loginError = "<div class='alert alert-danger'>Wrong username / password combination. Try again.</div>";

    }

} else { // there are no results in database

    $loginError = "<div class='alert alert-danger'>No such user in database. Please try again. <a class='close' data-dismiss='alert'>&times;</a></div>";

}

// close the mysql connection
mysqli_close($conn);

}

?>

But the problem is that it always returns "Wrong password/username combination". It seems that the problem is inside the password_verify() method. I have set the password column to VARCHAR(255), and my PHP version is 7.0.2.

2 Answers


The first problem I would address is the escaping: the password input should not be escaped; it is safe to call the password_hash() function with the raw input. So don't call validateFormData(), just use password_hash($_POST['password']). The same goes for password_verify() of course. Validation of input is a good thing, but not escaping; this should be done as late as possible and only for the specific target system.

Another problem in your code could be duplicate usernames. If you do not check explicitly for existing usernames, you could have duplicates, and then it is pure chance whose password hash you get. I would think about using the email as id instead.

Finally, your code is vulnerable to SQL injection; think about using prepared statements. You can find an example in this answer.

martinstoeckli
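The points made in the answer above, as an added example that is not code from the question or from either answer: a lookup with a bound parameter, a UNIQUE username column, and password_verify() called with the raw input, next to the same call made through the question's validateFormData(). An in-memory SQLite database via PDO stands in for the MySQL connection from connection.php so the script runs on its own; the account, the password and the checkLogin() helper are constructed for illustration.

```php
<?php
// Added example, not the asker's code. An in-memory SQLite database stands in
// for the MySQL connection from connection.php (assumption) so this runs alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE on username: a lookup can never return another user's hash.
$db->exec('CREATE TABLE users (username TEXT UNIQUE, email TEXT, password TEXT)');

// Constructed sample account. The password contains characters that
// htmlspecialchars() rewrites (& < "), and it is hashed from the raw string.
$rawPassword = 'p&ss<w"rd';
$insert = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
$insert->execute(['alice', 'alice@example.test', password_hash($rawPassword, PASSWORD_DEFAULT)]);

// The question's helper, kept as posted to show what it does to a password.
function validateFormData($formData) {
    return trim(stripslashes(htmlspecialchars($formData)));
}

// Hypothetical helper: fetch the hash with a bound parameter, then verify.
function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($password, $hash);
}

// 1. Raw form input, compared against a hash made from the raw password.
var_dump(checkLogin($db, 'alice', $rawPassword));

// 2. The same input passed through validateFormData() first: the escaped
//    string is a different password from the one that was hashed.
var_dump(validateFormData($rawPassword));
var_dump(checkLogin($db, 'alice', validateFormData($rawPassword)));

// 3. A username containing a quote is bound as data and simply matches no row.
var_dump(checkLogin($db, "o'neil", $rawPassword));
```

With mysqli the same lookup is written with mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute() in place of the PDO calls.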
$formPass = validateFormData( $_POST['password'] );

// connect to database
include('connection.php');

The include statement is put after you took the password. So the $password variable must be overwritten with your database password.