
I try to save the username into a session variable called $_SESSION['Username'] when the admin logs in. On my localhost it works fine, but on the server it does not. I also tested whether sessions can be saved in general, and that works, even across multiple pages. $_SESSION['example'] also works fine and I can reach it on other pages of the server.

$_SESSION['test1'] and $_SESSION['test2'] are not saved either, so I guess it is not even reaching the if statements. The password I tested is also correct.

<?php
session_start();   // must run before any output (even whitespace before "<?php" counts as output)
/*if (isset($_SESSION["Username"])) {
    header('location: dndStill.php');
    exit;
}
*/?>

<!DOCTYPE html>
<html>
<head>
    <title>Anmelden</title>
    <link rel="stylesheet" type="text/css" href="css/galleryLogin.css">
</head>
<body>
<div class="loginAll">
    <form action="loginGallery.php" method="post" class="loginForm">
        <div class="loginFeld">
            <input type="text" name="username" placeholder="Nutzername" required>
        </div>
        <div class="loginFeld">
            <input type="password" name="password" placeholder="Passwort" required>
        </div>
        <div class="input-group">
            <button type="submit" class="login" name="submit">Login</button>
        </div>
    </form>
</div>

<?php
if (isset($_POST["submit"])) {
    require_once "dbconnect_simple.php";   // provides $mysqli
    $username = $_POST['username'];
    $password = $_POST['password'];
    $password = md5($password);            // unsalted md5; see the comments below for password_hash()/password_verify()

    // Prepared statement: the user input is bound, never concatenated into the SQL text.
    $query = "SELECT * FROM nutzer WHERE nutzername= ? AND passwort= ? LIMIT 1";
    $stmt = $mysqli->prepare($query);
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    $result = $stmt->get_result();
    if (mysqli_num_rows($result) == 1) {
        while ($row = $result->fetch_array()) {
            // The WHERE clause already matched passwort, so this comparison repeats that check.
            if ($password === $row["passwort"]) {
                $_SESSION["Username"] = $row["nutzername"];
                //header("Location: dndFood.php");
            } else {
                echo 'Falsches Passwort oder Nutzername';   // "Wrong password or user name"
                $_SESSION['Fehler 1'] = "Fehler1";
            }
        }
    } else {
        echo 'Falsches Passwort oder Nutzername';
        $_SESSION['Fehler 2'] = "Fehler2";
    }
}
?>

<?php
// Debug dump of the session. The '<pre>' strings were not echoed in the original,
// so the tags never reached the browser.
echo '<pre>';
$_SESSION['example'] = "example";
print_r($_SESSION);
echo '</pre>';
?>

</body>
</html>
CoreIce
  • To set sessions you need session_start() first; also take a look at password hashing https://www.php.net/manual/en/book.password.php - you should never store plain passwords – nbk Oct 10 '20 at 18:54
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Oct 10 '20 at 19:26
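The question reports that values written to $_SESSION survive on localhost but not on the server. The following diagnostic is an added example, not code from the question or the answer: it runs the checks a practitioner would make on the server (output emitted before session_start(), save path writability, cookie scope, and a write/flush/re-read round trip through the save handler) using only PHP's built-in session API. The key name '__probe' is an arbitrary choice for this example.

```php
<?php
// Added diagnostic, not part of the question or the answer. Put it in a page
// on the server where $_SESSION values go missing and open it twice.
declare(strict_types=1);

function sessionDiagnostics(): array
{
    $report = [];

    // 1. Output before session_start() (even the whitespace before "<?php")
    //    means the Set-Cookie header cannot be sent, so the next request
    //    arrives without a session id and $_SESSION starts empty.
    $file = $line = null;
    $report['output_before_start'] = headers_sent($file, $line) ? "yes ($file:$line)" : 'no';

    if (session_status() !== PHP_SESSION_ACTIVE) {
        $report['session_start'] = session_start() ? 'ok' : 'FAILED';
    }
    $report['session_id'] = session_id();

    // 2. File-based sessions need a writable save path; a missing or read-only
    //    directory loses every write without any visible error on the page.
    $path = session_save_path() ?: sys_get_temp_dir();
    $report['save_path']          = $path;
    $report['save_path_writable'] = is_writable($path) ? 'yes' : 'NO';

    // 3. Cookie scope: a cookie bound to another path or domain, or flagged
    //    secure on a plain-http site, is never sent back by the browser.
    $c = session_get_cookie_params();
    $report['cookie_path']      = $c['path'];
    $report['cookie_domain']    = $c['domain'] === '' ? '(host only)' : $c['domain'];
    $report['cookie_secure']    = $c['secure'] ? 'yes (requires https)' : 'no';
    $report['request_is_https'] = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'yes' : 'no';

    // 4. Did the browser present a session cookie on this request at all?
    $report['cookie_received'] = isset($_COOKIE[session_name()]) ? 'yes' : 'no (first visit, or cookie rejected)';

    return $report;
}

// Proves the save handler round-trips a value within one request:
// write, flush to storage, re-open the same session, read back.
function sessionRoundTrip(): bool
{
    $probe = bin2hex(random_bytes(8));   // '__probe' is an arbitrary key for this example
    $_SESSION['__probe'] = $probe;
    session_write_close();               // persist through the save handler
    session_start();                     // re-read from the save handler, same id
    $ok = ($_SESSION['__probe'] ?? null) === $probe;
    unset($_SESSION['__probe']);
    return $ok;
}

$report = sessionDiagnostics();
$report['round_trip_within_request'] = sessionRoundTrip() ? 'ok' : 'FAILED';

echo '<pre>';
foreach ($report as $check => $value) {
    echo htmlspecialchars("$check: $value"), "\n";
}
echo '</pre>';
```

If output_before_start reports yes, fix the file and line it names first; if the round trip is ok but values still vanish between two requests, the cookie checks (path, domain, secure flag on a plain-http server, cookie_received on the second visit) are where to look.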

1 Answer


Your password verification code is not correct, see below for the correction:

  1. Do not check the password in the SQL query; only look the user up by username, email, or full name in the database. Corrected SQL:

     $query = "SELECT * FROM nutzer WHERE nutzername= ? LIMIT 1";
    

From:

$result = $stmt->get_result();
if (mysqli_num_rows($result) == 1) {
    while ($row = $result->fetch_array()) {
        if ($password === $row["passwort"]) {
            $_SESSION["Username"] = $row["nutzername"];
            //header("Location: dndFood.php");
        } else {
            echo 'Falsches Passwort oder Nutzername';
            $_SESSION['Fehler 1'] = "Fehler1";
        }
    }
}

Corrected to:

$query = "SELECT * FROM nutzer WHERE nutzername= ? LIMIT 1";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
if (mysqli_num_rows($result) > 0) {
    $fetch_assoc = mysqli_fetch_assoc($result);
    // Pass the raw submitted password, not md5($password) as in the question;
    // the passwort column must hold a password_hash() value.
    $verify_password = password_verify($_POST['password'], $fetch_assoc["passwort"]);
    if ($verify_password) {
        $_SESSION["Username"] = $fetch_assoc["nutzername"];
        //header("Location: dndFood.php");
    } else {
        echo 'Falsches Passwort oder Nutzername';
        $_SESSION['Fehler 1'] = "Fehler1";
    }
} else {
    // Same text as the wrong-password branch: a distinct "account not found"
    // message would tell an attacker which user names exist.
    echo 'Falsches Passwort oder Nutzername';
    $_SESSION['Fehler 1'] = "Fehler1";
}

Code written in procedural PHP:

$query = "SELECT * FROM nutzer WHERE nutzername=? LIMIT 1";
$stmt = mysqli_stmt_init($connection);       // $connection is the mysqli link ($mysqli in the question)
mysqli_stmt_prepare($stmt, $query);          // mysqli_prepare() takes the link, not a statement; the stmt variant is needed here
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);

$result_set = mysqli_stmt_get_result($stmt);
if (mysqli_num_rows($result_set) > 0) {
    $fetch_assoc = mysqli_fetch_assoc($result_set);
    // Raw submitted password against the password_hash() value in passwort.
    $verify_password = password_verify($_POST['password'], $fetch_assoc["passwort"]);
    if ($verify_password) {
        $_SESSION["Username"] = $fetch_assoc["nutzername"];
        //header("Location: dndFood.php");
    } else {
        echo 'Falsches Passwort oder Nutzername';
        $_SESSION['Fehler 1'] = "Fehler1";
    }
} else {
    // Same message as above so the response does not reveal which user names exist.
    echo 'Falsches Passwort oder Nutzername';
    $_SESSION['Fehler 1'] = "Fehler1";
}

password_verify is the PHP function to verify a password against the one in the database: it will hash the incoming user password and compare it with the already hashed password in the database. But make sure to use password_hash to hash the password before saving it in the database.

Paulos Ab
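The answer's password_verify() flow, carried end to end as an added example (not code from the question or the answer). It goes a step further than the answer: rows that still hold the question's unsalted md5 are verified once against md5 and rewritten with password_hash() on that login, so no passwords need resetting; failures return one message whatever the cause; a dummy hash keeps the timing of an unknown user name equal to that of a wrong password; and the session id is regenerated at login. It assumes the question's table nutzer with columns nutzername and passwort, and stands an in-memory SQLite database (PDO) in for the MySQL connection so the file runs offline; the user names and passwords are constructed for the demo.

```php
<?php
// Added example, not code from the question or the answer. Assumptions: the
// question's table nutzer(nutzername, passwort); an in-memory SQLite database
// via PDO standing in for the MySQL connection so the file runs offline; the
// sample users and passwords below are constructed for the demo.
declare(strict_types=1);

const LOGIN_FAILED = 'Falsches Passwort oder Nutzername'; // one message for every failure cause

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE nutzer (nutzername TEXT PRIMARY KEY, passwort TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO nutzer (nutzername, passwort) VALUES (?, ?)');
    $ins->execute(['admin',  password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    $ins->execute(['legacy', md5('old-password')]);   // a row still in the question's md5 format
    return $db;
}

function storedHash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT passwort FROM nutzer WHERE nutzername = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// Returns the user name on success, null on failure. The caller shows
// LOGIN_FAILED either way and never learns which part was wrong.
function login(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT nutzername, passwort FROM nutzer WHERE nutzername = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so an unknown
    // name costs the same time as a wrong password (no timing enumeration).
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $stored = $row === false ? $dummy : $row['passwort'];

    // Legacy rows hold 32 hex characters; password_hash() output never looks like that.
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))     // constant-time compare for the old format
        : password_verify($password, $stored);

    if ($row === false || !$ok) {
        return null;
    }

    // Upgrade on successful login: legacy md5, or a hash made with an older cost.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE nutzer SET passwort = ? WHERE nutzername = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['nutzername']]);
    }

    // New session id at the privilege boundary, so a fixated id is useless.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['Username'] = $row['nutzername'];
    }
    return $row['nutzername'];
}

// Demo run (in a web page, session_start() must precede any output).
if (PHP_SAPI !== 'cli') {
    session_start();
}
$db = openDemoDb();
foreach ([['admin', 'correct horse battery staple'], ['admin', 'wrong'],
          ['nobody', 'dummy'], ['legacy', 'old-password']] as [$user, $pw]) {
    $who = login($db, $user, $pw);
    echo str_pad("$user / $pw", 40), ' => ', $who === null ? LOGIN_FAILED : "logged in as $who", "\n";
}
// After the legacy user's first login the row no longer holds an md5 hash.
echo 'legacy row algorithm now: ', password_get_info(storedHash($db, 'legacy'))['algoName'], "\n";
```

The md5 branch exists only to migrate existing rows; once every user has logged in once, the regex check and hash_equals() can be dropped and the question's md5() call removed from the login form, which is the end state the comments and the answer ask for.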