I'm having issues authenticating users in a sqlsrv/PHP login script. I'm pretty sure the user I'm trying does exist in the database, but I get the message that the user is not found. Here are my 2 scripts to authenticate the user's login.

[Login.html]

```html
<html>
<head>
</head>
<body>
    <form name="log" action="log_action.php" method="post">
    Username: <input class="form" type="text" name="uName"><br />
    Password: <input class="form" type="password" name="uPass"><br />
    <input name="submit" type="submit" value="Submit">
    </form>
</body>
</html>
```

[log_action.php]

```php
<?php
session_start();

ini_set('display_errors', 1);
error_reporting(~0);

include 'connect.php';

$uN = $_POST['uName'];
$uP = $_POST['uPass'];

$sql = "SELECT * FROM Person.lgn WHERE user_name = '".$uN."'";
$resultpwd = $conn->query($sql);
$rowpwd = $resultpwd->fetch(PDO::FETCH_ASSOC);
$hash_pwd = $rowpwd['user_pass'];
$hash = password_verify($uP,$hash_pwd);

if ($hash == 0){
    echo 'ERROR LOGIN';

    }else{
        $query = "SELECT * FROM Person.lgn WHERE user_name = '".$uN."' AND user_pass = '".$hash_pwd."' ";

        $result = $conn->query($query);
    }

    if(sqlsrv_has_rows($result) != 1){
            echo "</br>";
            echo "User not found or password is not correct";
        }else{
            while ($row = $result->fetch(PDO::FETCH_ASSOC)){
            echo $row['user_name'];
            echo "</br>";
            echo $row['user_pass'];

            }

            header("Location: list.php");
        }

?>
```

EDITED: But it doesn't work either, I get an error somewhere!

This page isn’t working

pacificosrv is currently unable to handle this request.
HTTP ERROR 500
Kelvin Morel
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 28 '17 at 20:43
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 28 '17 at 20:43
  • Can you post the table schema for "Person.lgn"? – Cyril Graze Jul 28 '17 at 20:48
  • If you hashed the passwords on `insert` the `$_POST['uPass']` wouldn't match it with this `select`. – chris85 Jul 28 '17 at 20:50
  • Person.lgn `USE [AdWorks] GO SELECT [user_id] ,[user_name] ,[user_pass] ,[user_type] FROM [Person].[lgn] GO` – Kelvin Morel Jul 28 '17 at 20:52

1 Answer

OK guys, I found a way to do it. It's really basic, but I couldn't see the logic in it. I'm still getting one issue, but it isn't really important for my presentation: when the authentication fails I get a BLANK page instead of the "Authentication failed" message.

[EDITED]

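```php
<?php

session_start();

// Show every error while debugging; switch this off outside a test server.
ini_set('display_errors', 1);
error_reporting(~0);

include 'connect.php'; // provides the PDO connection in $conn

$uNa = $_POST['uName'];
$uPa = $_POST['uPass'];

if (empty($uNa) OR empty($uPa)) {

    echo "Fill all the fields!";

} else {

    // Named placeholders keep the submitted values out of the SQL text.
    $query = "SELECT * FROM Person.users WHERE user_name = :name AND user_pass = :pw";

    $result = $conn->prepare($query);

    $result->execute([':name' => $uNa, ':pw' => $uPa]);

    // The loop body only runs when a row matched both values. With wrong
    // credentials no row comes back, so nothing below is executed.
    while ($row = $result->fetch(PDO::FETCH_ASSOC)) {

        // header() has to be sent before any output, so the row
        // (password included) is no longer echoed here.
        if ($row['user_name'] === $uNa AND $row['user_pass'] === $uPa) {

            $uid = $row['user_name'];

            // The session key must be a quoted string, not a bare constant.
            $_SESSION['valid_user'] = $uid;

            header("Location: list.php");
            exit; // stop the script once the redirect has been sent

        } else {

            echo 'Authentication failed';
        }

    }

}
?>
```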
Kelvin Morel
  • As others have mentioned please don't use this script on any live server since it is vulnerable to SQL injection. Simply use the following code to make it safe: `$query = "SELECT * FROM Person.users WHERE user_name = :name AND user_pass = :pw"; $result = $conn->prepare($query); $result->execute([':name' => $uNa, ':pw' => $uPa]);` – Christoph Kappestein Jul 29 '17 at 06:28
  • This morning I got this to work on my test server at home, so now I've copied to the PREPROD server but I'm getting `Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Cannot initi.. the data source object of OLE DB provider "DB2OLEDB" for linked server "AS400".' in C:\inetpub\wwwroot\preprod\log_action.php:21 Stack trace: #0 C:\inetpub\wwwroot\preprod\log_action.php(21): PDOStatement->execute(Array) #1 {main} thrown in C:\inetpub\`. I don't get it. It's exactly the same script. – Kelvin Morel Jul 29 '17 at 20:04
  • BTW I do have access to catalog of the linked server into `MS SQL Server Management Studio`, I can run queries and created views. – Kelvin Morel Jul 29 '17 at 20:11
  • Found 'sa' SQL user didn't have access to the AS400 linked server. **SOLVED** – Kelvin Morel Jul 29 '17 at 20:30
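
The comments on the question ask for hashed passwords, while the answer's script still compares the password as plain text in the `WHERE` clause and shows nothing on a failed login. The PHP below is an added example, not code from the post: it looks the user up by name with a prepared statement, checks the submitted password with `password_verify()`, and returns one message for every failure. The in-memory SQLite table (standing in for `Person.users`), the `demo` account and the `authenticate()` / `handleLogin()` names are assumptions made so it runs without the SQL Server instance.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite table stands in
// for Person.users; the account and its password are constructed sample data.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT)');
$conn->prepare('INSERT INTO users VALUES (:name, :hash)')
     ->execute([':name' => 'demo', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns the user row, or null for an unknown user OR a wrong password.
function authenticate(PDO $conn, string $name, string $password): ?array
{
    // Look the user up by name only; the password never goes into the SQL.
    $stmt = $conn->prepare('SELECT user_name, user_pass FROM users WHERE user_name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched
    // Verify against a throwaway hash when the user is unknown, so both
    // failure paths cost one password_verify() call.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row === false ? $dummy : $row['user_pass']);

    return ($ok && $row !== false) ? $row : null;
}

// Hypothetical request handler: returns the message instead of echoing it.
function handleLogin(PDO $conn, array $post): string
{
    $name = $post['uName'] ?? '';
    $pass = $post['uPass'] ?? '';
    if ($name === '' || $pass === '') {
        return 'Fill all the fields!';
    }
    $user = authenticate($conn, $name, $pass);
    if ($user === null) {
        return 'Authentication failed';   // one message for both failure cases
    }
    // In log_action.php this is where the session would be set up:
    //   session_regenerate_id(true); $_SESSION['valid_user'] = $user['user_name'];
    //   header('Location: list.php'); exit;
    return 'Logged in as ' . $user['user_name'];
}

// Constructed requests: valid login, wrong password, unknown user.
$requests = [['uName' => 'demo', 'uPass' => 'correct horse'],
             ['uName' => 'demo', 'uPass' => 'wrong'], ['uName' => 'nobody', 'uPass' => 'x']];
foreach ($requests as $post) {
    echo handleLogin($conn, $post), PHP_EOL;
}
```

Because the lookup no longer filters on the password, a failed login still reaches the `null` branch and produces a message instead of a blank page.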