Wrong Username/Password Message though the record exists in the database

Question

I just started off with PHP and attempted to make a simple login and sign-up page. The sign-up module works perfectly with the records being successfully being inserted into the database. But, whenever I try to log in, it always throws me a wrong password/username combination. I am really new to web development so I am not looking for advice on SQL injections and other security-related issues. Could someone just tell me how I could make this work using PHP and MySQL only. I am using the XAMPP server with phpMyAdmin. Here is my Config.php file which I use to validate the data I accept through the forms.

<?php
  session_start();

  //variable declaration
  $email = "";
  $name = "";
  $batch = "";
  $password = "";
  $errors = array();
  $_SESSION['success'] = "";

  //connect to database
  $conn = mysqli_connect('localhost', 'root', '', 'timetable');

  //Register User
  if(isset($_POST['reg_user']))
  {
      $email = mysqli_real_escape_string($conn, $_POST['email']);
      $name = mysqli_real_escape_string($conn, $_POST['name']);
      $batch = mysqli_real_escape_string($conn, $_POST['batch']);
      $password_1 = mysqli_real_escape_string($conn, $_POST['password_1']);
      $password_2 = mysqli_real_escape_string($conn, $_POST['password_2']);

      //form validation
      if($batch != 2016 || $batch != 2017 || batch != 2018 || batch != 2019)
      {
        array_push($errors, "Batch should be one of 2016/2017/2018/2019.");
      }

      if($password_1 != $password_2)
      {
        array_push($errors, "The two passwords do not match.");
      }

      if(count($errors) == 0)
      {
          $password = hash('sha512', $password);
          $query = "INSERT INTO chairperson(email, name, batch, password)
                    VALUES('$email', '$name', '$batch', '$password')";
          mysqli_query($conn, $query);
          $_SESSION['email'] = $email;
          $_SESSION['success'] = "You are now logged in.";
          header('location: index.php');
      }
  }

  //Login user
  if(isset($_POST['login_user']))
  {
      $email = mysqli_real_escape_string($conn, $_POST['email']);
      $password = mysqli_real_escape_string($conn, $_POST['password']);

      if(count($errors) == 0)
      {
          $password = hash('sha512', $password);
          $query = "SELECT * FROM chairperson WHERE email='$email' AND password='$password'";
          $results = mysqli_query($conn, $query);
          if(mysqli_num_rows($results) == 1)
          {
              $_SESSION['success'] = "You are now logged in.";
              $_SESSION['email'] = $email;
              header('location: index.php');
          }
          else
          {
              array_push($errors, "Wrong username/password combination.");
          }
      }
  }
?>

**Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) — Dharman, Oct 12 '19 at 09:40
[How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) — Dharman, Oct 12 '19 at 09:41
"*I am not looking for advice on SQL injections and other security-related issues*" I am sorry, but that is just irresponsible. Why would you learn the worst practices which you need to forget straight away. Start with the basics and learn prepared statements and passwords hashing. You should also read a good tutorial on mysqli: https://phpdelusions.net — Dharman, Oct 12 '19 at 09:42
@Mahesh, that isn't the case. I tried logging in with only one one record present in the database and still gave me incorrect username/password message. — Neel, Oct 13 '19 at 02:57

Popescu Ion · Accepted Answer · 2019-10-13T08:17:33.087

<?php
  session_start();

  //variable declaration
  $email = "";
  $name = "";
  $batch = "";
  $password = "";
  $errors = array();
  $_SESSION['success'] = "";

  //connect to database
  $conn = mysqli_connect('localhost', 'root', '', 'timetable');

  //Register User
  if(isset($_POST['reg_user']))
  {
      $email = mysqli_real_escape_string($conn, $_POST['email']);
      $name = mysqli_real_escape_string($conn, $_POST['name']);
      $batch = mysqli_real_escape_string($conn, $_POST['batch']);
      $password_1 = mysqli_real_escape_string($conn, $_POST['password_1']);
      $password_2 = mysqli_real_escape_string($conn, $_POST['password_2']);

      //form validation
      if(($batch != 2016) && ($batch != 2017) && ($batch != 2018) && ($batch != 2019))
      {
        array_push($errors, "Batch should be one of 2016/2017/2018/2019.");
      }

      if($password_1 != $password_2)
      {
        array_push($errors, "The two passwords do not match.");
      }

      if(count($errors) == 0)
      {
          $password = password_hash($password,PASSWORD_BCRYPT);
          $query = "INSERT INTO chairperson(email, name, batch, password)
                    VALUES('$email', '$name', '$batch', '$password')";
          mysqli_query($conn, $query);
          $_SESSION['email'] = $email;
          $_SESSION['success'] = "You are now logged in.";
          header('location: index.php');
      }
  }

  //Login user
  if(isset($_POST['login_user']))
  {
      $email = mysqli_real_escape_string($conn, $_POST['email']);
      $password = mysqli_real_escape_string($conn, $_POST['password']);

      if(count($errors) == 0)
      {
          $query = "SELECT * FROM chairperson WHERE email='$email' ";
          $results = mysqli_query($conn, $query);
          if(mysqli_num_rows($results) == 1)
          {
              $row=mysqli_fetch_assoc($results);
              if(password_verify($password, $row['password']))
              {
                 $_SESSION['success'] = "You are now logged in.";
                 $_SESSION['email'] = $email;
                 header('location: index.php');
              }
              else
              {
                 array_push($errors, "Wrong username/password combination.");
              }
          }
          else
          {
              array_push($errors, "Wrong username/password combination.");
          }
      }
  }
?>

No, this doesn't work too. I am still getting the same incorrect Username/Password combination message. — Neel, Oct 13 '19 at 02:56
Ok. So I edited my comment and incorporated it directly into ur code, because I think u were encrypting the password on login. Try it again. — Popescu Ion, Oct 13 '19 at 08:18

Wrong Username/Password Message though the record exists in the database

1 Answers1