Edited: The question that the moderator flagged as 'Already Answered' did NOT answer this question. However, Chris Haas did.

I keep getting the error on line 39 that I do not have a valid username or password, but I am not sure where I am missing the proper logic. Any assistance would be appreciated.

```php
<?php
$configs = include('../hidden/config.php');

echo 'Hello from jslogin.php';

if(isset($_POST)){

    /* Login values from user */
    $username   = $_POST['username'];
    $password   = password_hash($_POST['password'], PASSWORD_DEFAULT);

    /* Define DB variables */
    $db_host        = $configs['db_host'];
    $db_user        = $configs['db_user'];
    $db_password    = $configs['db_password'];
    $db_name        = $configs['db_name'];

    /* Connect to DB */
    $dbc = new mysqli($db_host, $db_user, $db_password, $db_name)
    or die('Error connecting to Database.');

    /* Prepare and bind the statements */
    $stmt = $dbc->prepare("SELECT first_name FROM user_reg where username=? AND password=?");
    $stmt->bind_param("ss", $username, $password);

    /* Execute prepared statements and interpolate parameterized values*/
    $stmt->execute();

    /* Get result and number of rows returned */
    $result = $stmt->get_result();
    $count = $result->num_rows;

    /* Check to see if statement returned 1 row and pass/fail accordingly and grab firstname*/
    if($count == 1){
        $firstname = $result;
        alert("$firstname Successfully Logged In.");
    }else
    {
        echo 'You need to enter a valid username and/or password!!!';
    }

}
```
user2654953
  • 3
    You need to use [`password_verify`](https://3v4l.org/oFG3I) when comparing hashes. Modern password hashes include salt which is unique each time. So select the user based on name only, then compare the provided plain text password with what is in the DB using that function. – Chris Haas Jul 15 '22 at 04:02
  • 1
    Thx Chris. They closed the question, because they thought the referenced question answered my question. It did not! However, you did point me in the right direction. Once I performed a bind_param() and a fetch() and validated with password_verify it worked! I would give you a resolved...but they closed the question. – user2654953 Jul 15 '22 at 21:16
  • 1
    One of the flaws of this site is that some of us, myself included, can see why it is a duplicate, but it isn’t always obvious to everyone, and there’s no right or wrong. I personally have 20+ years experience, and I have no idea how that aligns with your life journey, but my “obvious” and yours might be years or decades apart. Although I agree with the closure (this is not a passive attack on the closer, either, I’ve got total respect for you!), I always hope that you won’t take this as a negative experience but instead a learning opportunity! – Chris Haas Jul 16 '22 at 02:40
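
The flow described in the first comment (select the user by name only, then compare with `password_verify`), as an added example that is not part of the original question or comments. It assumes PDO with an in-memory SQLite table (requires the `pdo_sqlite` extension) in place of the page's mysqli connection so that it runs without a server; the `check_login` helper, the sample user, and the dummy-hash and rehash steps are additions of this example.

```php
<?php
// Constructed sample data: an in-memory table standing in for the page's user_reg.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_reg (username TEXT PRIMARY KEY, first_name TEXT, password TEXT)');

// Registration: hash once and store the resulting string (it embeds algorithm, cost and salt).
$ins = $db->prepare('INSERT INTO user_reg (username, first_name, password) VALUES (?, ?, ?)');
$ins->execute(['alice', 'Alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Why "WHERE password = ?" with a fresh password_hash() never matches:
// each call draws a new random salt, so two hashes of the same password differ.
var_dump(password_hash('correct horse', PASSWORD_DEFAULT)
      === password_hash('correct horse', PASSWORD_DEFAULT));

/** Hypothetical helper: returns the user's first name on success, null on failure. */
function check_login(PDO $db, string $username, string $password): ?string
{
    // Hash to verify against when the username is unknown, so both paths do hashing work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // Look the user up by name only; the password never goes into the WHERE clause.
    $stmt = $db->prepare('SELECT first_name, password FROM user_reg WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-derives the hash using the salt stored inside $stored.
    $stored = $row ? $row['password'] : $dummy;
    $ok = password_verify($password, $stored);
    if (!$row || !$ok) {
        return null;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT's algorithm or cost has changed since.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user_reg SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $row['first_name'];
}

var_dump(check_login($db, 'alice', 'correct horse')); // valid credentials
var_dump(check_login($db, 'alice', 'wrong'));         // wrong password
var_dump(check_login($db, 'nobody', 'correct horse')); // unknown user
```

With mysqli the same flow is a `bind_param()` on the username alone followed by a fetch of the stored hash, which is then passed to `password_verify`.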
