-1

I'm doing a school project, and we're trying to enable logging in for users. Registration works fine: the process hashes the password using password_hash(), and it all goes down to the database. However, we're having trouble logging in, and with PHP being kind of hard to debug, we have no idea what's wrong with our code.

<?php

// Connect to database
require "connect.php";

$user = $_POST['loginusername'];
$pass = $_POST['loginpassword'];
$query = "SELECT password FROM user WHERE username = '$user'";
$result = mysqli_query($conn, $query);

if(password_verify($pass, $result)) {
    // Redirect to Feed-page
    header("Location: feed.php"); 
} else {
    echo "Invalid password";
    echo $query;
    echo $conn->error;
    echo $result;
    echo $pass;
    die();
}

$conn->close();
?>

What we're trying to do here:

  1. Store the input information into variables
  2. Store the query string into another variable
  3. Store the queried result (the hashed password from the database) into yet another variable
  4. Verify if the entered password matches the one fetched from the db, and redirect

If the verification fails, it should echo stuff into the browser, which doesn't seem to work for us either for some reason...

We're total newbies to PHP, so I'd appreciate it if someone could take a look and solve the problem that's had us bashing our heads against the wall for a few days now.

  • 2
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 29 '18 at 12:48
  • Once you've resolved the injection vulnerability, try `var_dump($result);` just before `if(password_verify(...))` and see if it's what you expect. Chances are, it's not. – Niet the Dark Absol Mar 29 '18 at 12:49
  • 1
    "with PHP being kind of hard to debug" — `echo $result` isn't that hard to apply. – Quentin Mar 29 '18 at 12:49
  • Check sessions in PHP. You can store login information with it. – Karlo Kokkak Mar 29 '18 at 12:51
  • You need to fetch the results. For example: `$result['password'];` – Rotimi Mar 29 '18 at 12:51
  • 1
    [error_reporting(E_ALL);](http://php.net/manual/en/function.error-reporting.php) will report all errors to you. Make this the first line of your script. – mcv Mar 29 '18 at 12:51
  • You have too many unclosed questions, IMHO. – Funk Forty Niner Mar 29 '18 at 12:58
  • echo var_dump is just displaying some weird data I have no clue about: object(mysqli_result)#2 (5) { ["current_field"]=> int(0) ["field_count"]=> int(1) ["lengths"]=> NULL ["num_rows"]=> int(1) ["type"]=> int(0) } – Jesse Kämäräinen Mar 29 '18 at 13:49

2 Answers

-1

You need to use mysqli_query before outputting the result.

<?php

    // Connect to database
    require "connect.php";

    $user = $_POST['loginusername'];
    $pass = $_POST['loginpassword'];
    // Note: $user is interpolated unescaped here (see the SQL injection comment above)
    $query = "SELECT password FROM user WHERE username = '$user'";
    $result = mysqli_query($conn, $query);
    if(mysqli_num_rows($result) > 0) {
        // Fetch the row first; password_verify() needs the hash string, not the result object
        $res= mysqli_fetch_array($result);
        if(password_verify($pass, $res['password'])) {
            // Redirect to Feed-page
            header("Location: feed.php");
            exit; // stop the script so nothing runs after the redirect
        } else {
            echo "Invalid password";
            echo $query;
            echo $conn->error;
            echo $pass;
            die();
        }
    } else {
        echo "User does not exist";
    }

    $conn->close();
?>
Paul Spiegel
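An added example, not code from the question or from either answer, showing the same login flow with a prepared statement instead of string interpolation, the row actually fetched before password_verify(), and a session started only on success. It assumes connect.php from the question defines a mysqli connection `$conn` (with mysqlnd, for get_result()), that the `user` table has an `id` column alongside `username` and `password`, and that the session key `user_id` is free for this purpose.

```php
<?php
// Added example (not from the question or answers): prepared statement,
// row fetched before password_verify(), session set only on success.
// Assumes connect.php defines $conn (mysqli with mysqlnd) and a `user`
// table with columns id, username, password (password_hash() output).
declare(strict_types=1);
session_start();
require "connect.php";

// Returns the user's id on success, null on unknown user or wrong password.
function login(mysqli $conn, string $user, string $pass): ?int
{
    // The placeholder binds the username as data, so quotes inside it cannot
    // change the query structure (the injection pointed out in the comments).
    $stmt = $conn->prepare("SELECT id, password FROM user WHERE username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null/false when no such user
    $stmt->close();
    if (!$row) {
        // Spend about one hash computation anyway, so response time does not
        // reveal whether the username exists.
        password_hash($pass, PASSWORD_DEFAULT);
        return null;
    }
    // password_verify() needs the stored hash string, not the mysqli_result object.
    if (!password_verify($pass, $row['password'])) {
        return null;
    }
    // Re-hash if the default algorithm or cost changed since the hash was stored.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $new = password_hash($pass, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE user SET password = ? WHERE id = ?");
        $upd->bind_param("si", $new, $row['id']);
        $upd->execute();
        $upd->close();
    }
    return (int) $row['id'];
}

$id = login($conn, $_POST['loginusername'] ?? '', $_POST['loginpassword'] ?? '');
if ($id === null) {
    http_response_code(401);
    echo "Invalid username or password";   // same message for both failure cases
    exit;
}
session_regenerate_id(true);   // fresh session id once the user is authenticated
$_SESSION['user_id'] = $id;    // assumed session key
header("Location: feed.php");
exit;   // stop here so nothing is sent after the redirect
```

Pages such as feed.php can then check `isset($_SESSION['user_id'])` after `session_start()` to decide whether the visitor is logged in.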
-2

I think this code is useful.

Your Login will be done.

<?php
   include("config.php");
   session_start();

   if($_SERVER["REQUEST_METHOD"] == "POST") {
      // username and password sent from form
      $myusername = mysqli_real_escape_string($db,$_POST['loginusername']);
      $mypassword = mysqli_real_escape_string($db,$_POST['loginpassword']);

      // Compares the submitted password directly against the stored column value
      $sql = "SELECT id FROM admin WHERE username = '$myusername' and password = '$mypassword'";
      $result = mysqli_query($db,$sql);
      $row = mysqli_fetch_array($result,MYSQLI_ASSOC);

      $count = mysqli_num_rows($result);

      // If result matched $myusername and $mypassword, table row must be 1 row
      if($count == 1) {
         // session_register() was removed in PHP 5.4; writing to $_SESSION is enough
         $_SESSION['login_user'] = $myusername;

         header("Location: welcome.php");
         exit;
      }else {
         $error = "Your Login Name or Password is invalid";
      }
   }
?>

In this 'select' query, use your own database field name in place of 'password'.