
I've started a PHP & PDO login system and I'm not sure what's wrong with it, whenever I enter the details in the form (either correctly or incorrectly) it doesn't get to the echo - even if the record exists.

I've got the registration part of it working, but with the login I'm not sure what's wrong. At the moment I'm currently just trying to get it working so I'm trying to keep it very basic.

UPDATE: Fixed, was related to the database structure, not the code.

Exhibitioner
  • When you call `fetch()`, the value of `$rows` will either be `false` (if no rows returned) or it will be an array. The `$rows > 0` is therefore not meaningful (though it still will do _something_). Check the output from `var_dump($rows)`. And if you get _no output_ at all, ensure you have error reporting enabled. PDO errors silently by default. `$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);` and turn on display_errors. At the top of your script (always when developing and testing) `error_reporting(E_ALL); ini_set('display_errors', 1);` – Michael Berkowski Mar 14 '15 at 14:55
  • Once you have PDO working correctly, you will want to look at [How to use bcrypt for password hashing](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php), for strong, secure methods of password storage. – Michael Berkowski Mar 14 '15 at 14:57
  • `var_dump($rows)` returns `bool(false)` – Exhibitioner Mar 14 '15 at 14:58
  • You should not use MySQL's `root` account for a normal application. – arkascha Mar 14 '15 at 14:58
  • And you should _never_ store passwords inside your database! Be it in plain text or encrypted, _do not do that_! You put your users' accounts at risk for no reason at all. You should store _a hash of the password_ using a good and salted hashing algorithm. To authenticate someone you compare hashes. That makes it impossible to directly steal passwords from your server. – arkascha Mar 14 '15 at 14:59
  • Michael - Yes, I will be looking into further hashing and how I will go about that but for now currently focusing on getting it working, arkascha - This project is currently only available on my local machine as it is under development, however why do you not recommend its usage? The passwords are currently hashed in the database with SHA1 however this is only temporary. – Exhibitioner Mar 14 '15 at 15:01
  • @Exhibitioner I understand it's only temporary, that's why I suggest looking into bcrypt once the PDO part is sorted out. SHA1 is no longer considered secure enough for password storage, especially without a salt. The PHP function `password_hash()` is considered the current best practice. – Michael Berkowski Mar 14 '15 at 15:04
  • So `bool(false)` on `$rows` indicates no matching row was found. Debug by directly inserting string values for the fname and the sha1 hash of the input password as quoted strings. Check your database in a MySQL client application (outside the context of PHP) to inspect the values there and make sure they match your inputs, and that they have nothing strange like leading/trailing whitespace. – Michael Berkowski Mar 14 '15 at 15:07
  • Just realised that half of the password hash was getting cut off on registration, looks like it's working now. Thanks – Exhibitioner Mar 14 '15 at 15:25
  • Is it not `count($row)`? – Alaksandar Jesus Gene Mar 14 '15 at 15:27
  • `$rows = $result->fetch(PDO::FETCH_NUM); if($rows > 0){ }` is working fine for me now – Exhibitioner Mar 14 '15 at 15:32

1 Answer


You can't include an HTML file; it must be a .php file to run your PHP code.

Also, you need to put your params in quotes.

    <?php
    include 'login.html';
    $conn = new PDO('mysql:host=localhost;dbname=loginreg', 'root', 'dev');
    session_start();

    if(isset($_POST['fname'], $_POST['pwd'])){

        $fname = $_POST["fname"];
        $pwd = sha1($_POST["pwd"]);

        $result = $conn->prepare("SELECT * FROM `registered` WHERE `name` = ':name' AND `password` = ':password'");
        $result->bindParam(':name', $fname);
        $result->bindParam(':password', $pwd);
        $result->execute();

        $rows = $result->fetchColumn(0);

        if($rows > 0){
            echo("test");
        }
    }
    ?>

Liam Hardy
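
The points raised in the comments above (PDO exception mode, `fetch()` returning `false`, `password_hash()` instead of SHA1, and the hash being cut off at registration), combined in an added example that is not code from any poster in this thread. It assumes an in-memory SQLite database and a constructed account so that it runs offline; the `registered` table and its columns follow the thread, and `register()` and `login()` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Assumption: sqlite::memory: stands in for the MySQL database in the thread.
$conn = new PDO('sqlite::memory:');
// Make PDO throw on errors instead of failing silently.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// password_hash() output is 60 characters for bcrypt and may grow with newer
// algorithms. On MySQL a narrower column truncates the hash at registration
// and every later login fails, so give the column 255 characters.
$conn->exec('CREATE TABLE registered (
    name     VARCHAR(64)  PRIMARY KEY,
    password VARCHAR(255) NOT NULL
)');

function register(PDO $conn, string $name, string $pwd): void
{
    // Placeholders are left unquoted; PDO handles quoting of the bound values.
    $stmt = $conn->prepare('INSERT INTO registered (name, password) VALUES (:name, :password)');
    $stmt->execute([
        ':name'     => $name,
        ':password' => password_hash($pwd, PASSWORD_DEFAULT), // salted, slow hash
    ]);
}

function login(PDO $conn, string $name, string $pwd): bool
{
    // Look the user up by name only: a salted hash differs on every call,
    // so it cannot be matched in the WHERE clause the way sha1() output was.
    $stmt = $conn->prepare('SELECT password FROM registered WHERE name = :name');
    $stmt->execute([':name' => $name]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matched, else an array
    if ($row === false) {
        return false;
    }
    // password_verify() re-hashes with the stored salt and compares in constant time.
    return password_verify($pwd, $row['password']);
}

register($conn, 'alice', 'correct horse'); // constructed sample account

var_dump(login($conn, 'alice', 'correct horse')); // known user, right password
var_dump(login($conn, 'alice', 'wrong'));         // known user, wrong password
var_dump(login($conn, 'nobody', 'correct horse')); // unknown user
```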