
I'm trying to redirect users to a view page (either admin or member) depending on whether the password matches the one in the database. This is giving me the exact opposite of what I want and I'm not seeing the error. A blank form submission or an incorrect username/password sends them to the admin page, while correct inputs send them to members. Why is this working backwards?

```php
public function loginFunc()
{
    $username = (string)$this->input->post('username');
    $password = (string)$this->input->post('password');

    if((strlen($username)<1)||(strlen($password)<1)){
        $blank = 1;
    }

    $actualPass = (string)$this->db->query("SELECT password FROM usersas6 WHERE username = '$username' ");

    if($actualPass == $password){
        header("Location: /CodeIgniter-3.1.7/index.php/admin");
    }else{
        header("Location: /CodeIgniter-3.1.7/index.php/members");
    }
}
```
Peter
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 12 '18 at 17:55
  • Based on the code you've posted here you should not be seeing that behavior unless the `$password` is blank and the `$actualPass` is blank. What do you get when you echo those variables out? – Jay Blanchard Mar 12 '18 at 17:58
  • This may be a silly question, but how would I echo out the variables in the control file? The way I usually do it, I don't see anything. – Peter Mar 12 '18 at 18:04
  • You would use `echo` and then you may need to `exit`. Comment out any redirection. – Jay Blanchard Mar 12 '18 at 18:07
  • I am also getting an error that this cannot be converted to a string: `$actualPass = (string)$this->db->query("SELECT password FROM usersas6 WHERE username = '$username' ");` – Peter Mar 12 '18 at 18:08
  • So `echo $actualPass; exit();` placed in the function? – Peter Mar 12 '18 at 18:09
  • Right after that statement `echo $password . ' ' . $actualPass; exit();` – Jay Blanchard Mar 12 '18 at 18:09
  • I get an error: "A PHP Error was encountered. Severity: 4096. Message: Object of class CI_DB_mysqli_result could not be converted to string." This error points to the above line getting `$actualPass`. – Peter Mar 12 '18 at 18:14
  • The query isn't returning what you expect it to return. Once you fix that everything will probably work as you expect it. See this https://stackoverflow.com/questions/15931716/error-object-of-class-ci-db-mysql-result-could-not-be-converted-to-string – Jay Blanchard Mar 12 '18 at 18:17
  • No relation to the question asked, but when I see this: `header("Location: /CodeIgniter-3.1.7/index.php/admin");` there already is a huge problem... use the `redirect()` helper plz ^^ – kevinniel Mar 12 '18 at 18:27
  • I tried `$this->db->select('password')->from('usersas6')->where('username',$username); $query = $this->db->get(); $actualPass = $query->result();` and I still get "A PHP Error was encountered. Severity: Notice. Message: Array to string conversion". – Peter Mar 12 '18 at 18:34

1 Answer

The query method returns a result object from the database (like most libraries do). In CodeIgniter (CI), there is no direct single-field-to-text method (you could write one, of course), but the easiest way to get the first row's string is to acquire the first row and field from the result:

```php
public function loginFunc()
{
    $username = (string)$this->input->post('username');
    $password = (string)$this->input->post('password');

    $blank = (strlen(trim($username))<1)||(strlen(trim($password))<1);

    // Get the database result object
    // USE ESCAPE SYNTAX TO PREVENT SQL INJECTION ATTACK!
    // CI quotes and escapes the bound value itself, so the ? placeholder
    // must not be wrapped in quotes (a quoted '?' is treated as a literal
    // string and the binding is skipped).
    $actualPassRes = $this->db->query(
        "SELECT password FROM usersas6 WHERE username = ? ",
        [$username]
    );

    $actualPass = null;

    // If the database returns at least 1 result, get the
    // password column of the first row.
    if($actualPassRes->num_rows() > 0) {
        // Get the password field from the first row (returned as an object)
        $actualPass = (string) $actualPassRes->first_row()->password;
    }

    // Compare with strict type comparison (===) to be sure
    if( !$blank && $actualPass !== null && $actualPass === $password ) {
        header("Location: /CodeIgniter-3.1.7/index.php/admin");
    }else{
        header("Location: /CodeIgniter-3.1.7/index.php/members");
    }

}
```

The way you were checking, it was matching boolean-cast values (a database result object yields "true" and a non-empty, non-zero string returns "true"). With an empty string (no input) vs. no result from the database, the object likely yielded a false value as well.

NOTE: As @jay-blanchard pointed out, in a production system you should be hashing the passwords, then comparing the stored hash against a hash of the user's input, not storing them as plain text that can easily be stolen.

Jim