I'm trying to develop a login form using HTML, PHP, and SQL. I'm scratching my head on trying to figure out what my issue is and how to fix it as I'm relatively new to PHP, so I'd appreciate some help. What I want to do is to check if the user's input on the HTML login form (in this case the password) matches the hashed password that is stored inside the database.

However, I'm currently having an issue where it doesn't do that. The code should verify the password and, if it is correct, it should echo "password and username match"; otherwise it should echo "incorrect password". However, the code does not echo anything.

Here is what I've tried:

get password using username

I am using PHP's password_hash plugin to hash and verify the user's password.

So my question is, how do I securely verify the user's input (the password) with the hashed password that is stored inside the database?

Here is the PHP code:

    if($_SERVER["REQUEST_METHOD"] == "POST") {
        //declare variables and set values to null
        $username = $pass = "";
        $username = $_POST['username'];
        $pass = $_POST['pass'];

        //check if username exists
        $stmt = $conn->prepare("SELECT userName FROM userDetails WHERE userName=?");
        $stmt->bind_param("s", $prepname);
        $prepname = $username;
        $stmt->execute();

        $result = $stmt->get_result();
        if ($result->num_rows > 0) {
            //if username exists, check if password is linked to user
            echo "user exists";
            $stmt = "SELECT userPass FROM userDetails WHERE userName=?";
            $stmt->bind_param("s", $prepname);
            $prepname = $username;
            $hashpass = $stmt->execute();

            $stmt->bind_result($hashpass);
            $stmt->fetch();
            if (password_verify($pass, $hashpass)) {
                echo "password and username match";
            }
            else {
                echo "incorrect password";
            }
        }
        else {
            echo "That user does not exist!";
            return false;
        }
    }

EDIT: Thanks to @Jovi, I have fixed the previous error; however, I am now receiving a new error:

Warning: Illegal string offset 'userPass' in /home/toeaimc2/public_html/php/pages/login.php on line 75

EDIT: @Jovi has now solved the problem! Thank you to everyone for their help!

mikedevv
  • Have you checked if you're at least getting the complete hashed password from the database? The password column being too short is a common problem – Joni Apr 14 '20 at 11:38
  • Did you debug this? What is the content of $hashpass? Probably an associative array like this: $hashpass["userPass"]. If that is true then you would need to write something like "if (password_verify($pass, $hashpass["userPass"])) { .... – rf1234 Apr 14 '20 at 11:39
  • @Joni I've tried echoing the result of the selection with echo $result; however it does not echo anything. I've also tried wrapping $result in quotes. So for example, echo "$result"; and still no output. – mikedevv Apr 14 '20 at 11:43
  • @rf1234 I've applied your suggestion however I still get the same issue :( – mikedevv Apr 14 '20 at 11:46
  • You're calling bind_param on a string, how does this not give you a fatal error? Do you not have error reporting enabled? `$stmt = "SELECT userPass FROM userDetails WHERE userName=?"; $stmt->bind_param("s", $prepname);` – Joni Apr 14 '20 at 11:51
  • @rf1234 won't hashing the user input result in a different hash though? Therefore meaning that I can't compare them since they are different? – mikedevv Apr 14 '20 at 11:52
  • @Joni no, I don't have error reporting enabled... I'm relatively new to PHP so could you show me how to enable it? Thanks. – mikedevv Apr 14 '20 at 11:54
  • sorry, my previous comment was crap! password_verify works using a clear text password and a hashed password from the database. Just checked my own code. – rf1234 Apr 14 '20 at 11:57
  • See https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display – Joni Apr 14 '20 at 12:00
  • As @Joni politely points out: You have some more or less serious error in your code and you should be able to see this in your browser's console looking at the Network tab in Chrome for example. Otherwise use your debugger. Without a debugger you'll be lost anyway. So I'd rather get that started in the first place ... Good luck. – rf1234 Apr 14 '20 at 12:03
  • @Joni I have enabled error reporting and now I receive a fatal error. I have edited the question to now show the error that I am receiving. Can you see if you can help? Many thanks – mikedevv Apr 14 '20 at 13:29
  • What have you tried to debug the problem? Most recently, you run a method on a string(!) which is obviously not working – Nico Haase Apr 14 '20 at 13:38
  • @NicoHaase Joni has already helped me fix the error I was previously having. However I am now receiving a new error. Please see the edit to my question. Thanks – mikedevv Apr 14 '20 at 13:55
  • You've attached a new error message, but you should also add your debugging attempts – Nico Haase Apr 14 '20 at 14:05

1 Answer

You are calling the bind_param method on a string; it should be a statement object.

You are missing the method call to create the prepared statement object for the query that extracts the password:

    $stmt = $conn->prepare("SELECT userPass FROM userDetails WHERE userName=?");
    $stmt->bind_param("s", $prepname);

Joni
  • Thank you for your answer, I have applied your suggestion however I am getting a new error: Warning: Illegal string offset 'userPass' in /home/toeaimc2/public_html/php/pages/login.php on line 75. Any idea on what this means? Sorry for the questions. I'm relatively new to PHP :) More specifically, it's on line 75. I'll edit the question to reflect the error. – mikedevv Apr 14 '20 at 13:40
  • Your original code was correct. change `password_verify($pass, $hashpass["userPass"])` back to `password_verify($pass, $hashpass)` – Joni Apr 14 '20 at 13:59
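
The whole check the answer and comments converge on, written out as an added example (not code from the question or the answer): one prepared statement fetches the hash, `bind_result` yields a plain string for `password_verify`, and mysqli is set to throw so a mistake like calling `bind_param` on a string cannot fail silently. The function name `verifyLogin` is hypothetical; `$conn` is assumed to be an open mysqli connection and `userPass` wide enough to hold the full hash.

```php
<?php
// Added example, not the poster's code. Assumes $conn is an open mysqli
// connection and the userDetails(userName, userPass) table from the question.

// Make mysqli throw on errors instead of failing silently (the default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function verifyLogin(mysqli $conn, string $username, string $pass): bool
{
    // Verified when the user is unknown, so both paths do comparable work.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // One prepared statement fetches the stored hash; no separate existence check.
    $stmt = $conn->prepare("SELECT userPass FROM userDetails WHERE userName=?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hashpass);      // $hashpass receives a string, not an array
    $found = $stmt->fetch() === true;   // null means no row, false means error
    $stmt->close();

    $ok = password_verify($pass, $found ? $hashpass : $dummyHash);
    if (!$found || !$ok) {
        return false;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT changed since it was created.
    if (password_needs_rehash($hashpass, PASSWORD_DEFAULT)) {
        $new = password_hash($pass, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE userDetails SET userPass=? WHERE userName=?");
        $upd->bind_param("ss", $new, $username);
        $upd->execute();
        $upd->close();
    }
    return true;
}

if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    $username = $_POST['username'] ?? '';
    $pass = $_POST['pass'] ?? '';
    // Same message for an unknown user and a wrong password.
    echo verifyLogin($conn, $username, $pass)
        ? "password and username match"
        : "incorrect username or password";
}
```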