
I'm trying to create a simple login page; this is what I have so far in my Login.php. Link for the codepaste if it is hard to understand: HERE

```php
<!doctype html>
<html>
    <head>
    <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
        <meta name="description" content="$1">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <link rel="stylesheet" type="text/css" href="style.css">

        <title>test</title>

        <?php
        include_once 'dbConfig.php';
        ini_set('display_errors', 1);
        ini_set('display_startup_errors', 1);
        error_reporting(E_ALL);
        ?>

        <h1 class="h1">Login</h1>
    </head>

    <?php
        if(isset($_POST['login'])){

            $stmt = $mysqli->prepare("SELECT id FROM users WHERE username=? AND password=?");
            $stmt-> bind_param("ss", $username, $password);

            $username = $_POST["username"];
            $password = $_POST["password"];

            $stmt->execute();
            if($stmt->execute == true){
                header("Location: http://localhost/test2/Home.php");
            }

        }
    ?>

       <body>

       <form method="post" id="registerForm">
        <label id="first"> Username</label><br/>
        <input type="text" required name="username"><br/>
        <br/>
        <label id="first">Password</label><br/>
        <input type="password" required name="password"><br/>
        <br/>
        <input type="submit" value="Sign in" name="login"/>
       </form>

       </body>
</html>
```

I am aware that this code has security flaws and I'm going to improve it once the basic functionality is working. Problem: When I click the login button, nothing happens; I'm not redirected even if I don't check if the login was a success.

Viktor
  • Typo over here `$POST['login']`; it would be `$_POST['login']`, plus not able to see your connection and include any file for connection – Saty May 24 '16 at 09:34
  • @Saty Wow, this was an actual problem, thank you, I feel bad now for posting here just because of a typo. But again, how do I check if supplied information was correct? PHP was complaining about `if($stmt->execute == true)` which was my way of checking if it was a success. Maybe there is a better way to do this? **EDIT** my connection file `dbConfig.php` is included on line 14. It has the connection string and this is where the `$mysqli` variable comes from. – Viktor May 24 '16 at 09:37
  • Use `$stmt->num_rows` to check whether your query returns a result or not – Saty May 24 '16 at 09:41

1 Answer

a) You need some kind of error handling: prepare() may fail, bind_param() may fail, execute() may fail and so on. Either check the return value of the function calls (every, single, one) or instruct mysqli to report errors (i.e. mysql's errno != 0) as exceptions.
b) if(execute()===true) isn't sufficient. The statement can execute just fine yet return no records (e.g. because nothing matched the WHERE clause); that's not an error, so execute() would still return something truthy.
c) Storing the plain user password in the database is a no-go. Use a hash function, e.g. password_hash(). That would imply not having the password in the WHERE clause but selecting that value and then comparing it "within" your PHP script.

```php
// assuming report mode=exception; so no further error handling here....
// the field `password` contains the result of password_hash()
$stmt = $mysqli->prepare("SELECT id,`password` FROM users WHERE username=?");
$username = $_POST["username"];
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($result_id, $result_passwort);
$stmt->fetch(); // will return FALSE if there is no matching record, i.e. no such user
// but we don't care because $result_passwort will be NULL in that case and password_verify() will fail reliably
// you wouldn't want to make a distinction between "no such user" and "wrong password" in the feedback for the user anyway....
if (!password_verify($_POST["password"], $result_passwort))
{
    // login failed....
    // redirect to "you are not logged in" page
}
else {
    // credentials ok
    // mark user as logged in, e.g. in $_SESSION
    // redirect to content-page
    // also please read up on how to handle login attempts, e.g. when and how to use http://docs.php.net/session_regenerate_id
    // default: _every_ login _attempt_ counts
}
```
VolkerK
  • I think that `if (!password_verify($_POST["password"], $result_passwort)` will be enough – Your Common Sense May 24 '16 at 10:14
  • @VolkerK Thank you, this code seems to be working except for one part, it allows to pass even without correct credentials. One more question, how come that in the query `id` doesn't have `' '` as `'password'` has? Is it because `mysql` generates id field on its own? – Viktor May 24 '16 at 10:15
  • @Viktor, http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks – Your Common Sense May 24 '16 at 10:19
  • @Your Common Sense: you're right; I learned something new: calling fetch() when there's no more record sets the outparam to NULL. I was worried about totally off scoping and $result_passwort (because of senseless copy&pasting) already having a value.... let me fix that ;-) – VolkerK May 24 '16 at 10:23
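
Points a) to c) of the answer put together as one login handler; this is an added example, not VolkerK's or the asker's code. It assumes the page's `dbConfig.php`, `users` table and `Home.php`; the `check_login` helper and the `$_SESSION['user_id']` key are hypothetical names. The handler runs before any HTML is sent so that `header()` can still emit the redirect.

```php
<?php
// Added example, not the answerer's code. Assumes dbConfig.php creates $mysqli
// and users.password holds password_hash() output, as on this page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // (a) failures throw
require_once 'dbConfig.php';
session_start();

// Hypothetical helper: returns the user id, or null for any failed login.
function check_login(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, `password` FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();                 // (b) success only means the query ran
    $id = $hash = null;
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch() === true; // null when no row matched
    $stmt->close();

    // (c) One outcome for "no such user" and "wrong password".
    if (!$found || !password_verify($password, (string) $hash)) {
        return null;
    }
    // Re-hash when PASSWORD_DEFAULT or its cost has changed since signup.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET `password` = ? WHERE id = ?');
        $upd->bind_param('si', $new, $id);
        $upd->execute();
        $upd->close();
    }
    return (int) $id;
}

$error = '';
$user = $_POST['username'] ?? null;
$pass = $_POST['password'] ?? null;
if (isset($_POST['login']) && is_string($user) && is_string($pass)) {
    $userId = check_login($mysqli, $user, $pass);
    if ($userId !== null) {
        session_regenerate_id(true);  // fresh session id once authenticated
        $_SESSION['user_id'] = $userId;
        header('Location: Home.php');
        exit;                         // nothing after the redirect may run
    }
    $error = 'Invalid username or password.';
}
?>
<!doctype html>
<p><?= htmlspecialchars($error) ?></p>
```

Protected pages such as `Home.php` then check `$_SESSION['user_id']` after `session_start()` and redirect back to the login form when it is missing.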