
I am writing code for my school so users can log in and get to another website. But whenever I type the username and password into the text field, the password is wrong. I think the problem could be that the username can't refer to the password, so the password is always wrong. We have a database on another server. An answer would be huge :) Here is some code:

```php
<?php
// Initialize the session
session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: welcome.php");
    exit;
}

// Include config file
require_once "configLI.php";

// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";

// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

    // Check that the username field is not empty
    if(empty(trim($_POST["username"]))){
        $username_err = "Please enter username.";
    } else{
        $username = trim($_POST["username"]);
    }

    // Check that the password field is not empty
    if(empty(trim($_POST["password"]))){
        $password_err = "Please enter your password.";
    } else{
        $password = trim($_POST["password"]);
    }

    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT username, password, SID FROM Schueler WHERE username = ?";

        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($param_username, $stmt, "s");

            // Set parameters
            $param_username = $username;

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);

                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $username, $hashed_password, $id);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            // Password is correct, so start a new session
                            session_start();

                            // Store data in session variables
                            $_SESSION["loggedin"] = true;
                            $_SESSION["id"] = $id;
                            $_SESSION["username"] = $username;

                            // Redirect user to welcome page
                            header("location: welcome.php");
                        } else{
                            // Display an error message if password is not valid
                            $password_err = "The password you entered was not valid.";
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = "No account found with that username.";
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }

            // Close statement
            mysqli_stmt_close($stmt);
        }
    }

    // Close connection
    mysqli_close($link);
}
?>
```
  • So, are you always getting the `The password you entered was not valid.` message? – El_Vanja Jan 28 '21 at 13:01
  • Here you are supplying the parameters in the wrong order: `mysqli_stmt_bind_param($param_username, $stmt, "s");`, check the [manual](https://www.php.net/manual/en/mysqli-stmt.bind-param.php). I'd advise you to turn on [error reporting](https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display). – El_Vanja Jan 28 '21 at 13:03
  • Yes, that's true. I'm sending you a link where you can see the login: http://dbg-dalton.de/LOGIN/login.php You can type in the username and password, which are both h.mueller – Leandertaler03 Jan 28 '21 at 13:04
  • We changed the code, but now we have another error: `Fatal error: Only variables can be passed by reference in /customers/1/3/b/dbg-dalton.de/httpd.www/LOGIN/login.php on line 42` (this is the line where we changed the code) – Leandertaler03 Jan 28 '21 at 13:09
  • I assume that's the same line. You can use the `$username` variable directly in the function, no need to create another variable (`$param_username`) just for the param. – El_Vanja Jan 28 '21 at 13:14
  • So we just need to replace the `$param_username` with `$username`? Because that doesn't change anything, unfortunately. Or did we do anything wrong? – Leandertaler03 Jan 28 '21 at 13:18
  • You need to do some basic debugging. Dump some values, see if they contain what you expect. I'd start with dumping both `$password` and `$hashed_password` right before you use `password_verify`. See if the form value is transferred correctly and if the hash is correctly read from the database. – El_Vanja Jan 28 '21 at 13:24
  • Hi, we are quite lost. We tried a lot, but nothing worked. We don't have the skills to find the error. I think you can't help us, because we are not able to fully understand you, which is our problem. We don't want to waste your time, so thank you for your help @El_Vanja :) – Leandertaler03 Jan 28 '21 at 13:42
  • Well, good luck with your project. As a last thing, I'd recommend reading a [debugging guide](https://stackify.com/php-debugging-guide/). Learning how to debug code is a priceless piece of knowledge that should be taught in all schools and courses, but is often completely overlooked. – El_Vanja Jan 28 '21 at 13:44
  • Hello again! I don't know if you're still here, but we actually managed to log in without any errors :) After a person logs in, we want him to be referred to a "personal" website. We were able to send the user to a website, but every user gets to this website. Do you know how to refer to a personal website? This is the code where the location is set up: `header('Location: name.php');` @El_Vanja – Leandertaler03 Jan 28 '21 at 14:27
  • If you want to personalize a page, I'd suggest passing a parameter (like user id) to the page and then generate content based on that. – El_Vanja Jan 28 '21 at 14:29
  • Thanks for your quick response. Can you tell us what parameter we need to insert instead of the `name.php`? We tried to replace it with `header('Location: $_SESSION['name'].php');` – Leandertaler03 Jan 28 '21 at 14:33
  • I can't tell you that, because I don't know your project structure. But that piece of code is invalid, those outer quotes would need to be double. – El_Vanja Jan 28 '21 at 14:36
  • OK, no problem. Then we'll try to figure it out ourselves :) – Leandertaler03 Jan 28 '21 at 14:39
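
The check suggested in the comments before `password_verify`, as an added example that is not part of the original thread: it reports the length and format of the stored value instead of dumping the password and hash, and separates a truncated hash, a plaintext column and a legacy digest from a genuinely wrong password. The function name `diagnose_stored_password` and all sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread). Sample values are constructed.

// Explain why password_verify() accepts or rejects a value read from the
// database, without printing the password or the hash itself.
function diagnose_stored_password(string $submitted, string $stored): string
{
    if ($stored !== trim($stored)) {
        return 'stored value has surrounding whitespace';
    }
    $info = password_get_info($stored);
    if ($info['algoName'] === 'unknown') {
        // bcrypt output is always 60 characters; anything shorter that still
        // starts with "$2y$" was cut off, typically by a column that is too narrow.
        if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) < 60) {
            return 'truncated bcrypt hash: widen the column (the PHP manual suggests 255)';
        }
        if (hash_equals($stored, $submitted)) {
            return 'plaintext stored: save password_hash() output instead';
        }
        return 'not a password_hash() value (legacy digest or other format)';
    }
    if (!password_verify($submitted, $stored)) {
        return 'valid ' . $info['algoName'] . ' hash, password does not match';
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? 'match, hash should be regenerated with password_hash()'
        : 'match';
}

$password = 'example-password';                        // constructed input
$hash     = password_hash($password, PASSWORD_BCRYPT); // what the table should hold

$cases = [
    'full hash'          => $hash,
    'VARCHAR(50) column' => substr($hash, 0, 50),
    'plaintext column'   => $password,
    'md5 column'         => md5($password),
    'wrong password'     => password_hash('something-else', PASSWORD_BCRYPT),
];
foreach ($cases as $label => $stored) {
    printf("%-19s len=%-3d %s\n", $label, strlen($stored),
        diagnose_stored_password($password, $stored));
}
```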

0 Answers