
So my goal is to create a login page that redirects to another page. However, when I try to log in, it outputs "invalid username or password", which tells me that there is something wrong in the PHP code preceding the else statement. However, after spending hours trying to figure it out, I couldn't. Unfortunately for me, coding is not my strong suit. Any help would be appreciated.

 <?php
 // ensure page is not cached
 require_once "nocache.php";

 $errorMessage = '';

 // check that the form has been submitted

 if (isset($_POST['submit'])) {
     // check that username and password were entered
     if (empty($_POST['username']) || empty($_POST['pword'])) {
         $errorMessage = "Both username and password are required";
     } else {
         // connect to the database
         require_once 'conn.php';

         // parse username and password for special characters
         $username = $dbConn->escape_string($_POST['username']);
         $password = $dbConn->escape_string($_POST['pword']);

         // hash the password so it can be compared with the db value
         $hashedPassword = hash('sha256', $password);

         // query the db
         $sql = "SELECT id FROM leagueadmin WHERE email='$username' and password = '$hashedPassword'";
         $rs = $dbConn->query($sql);

         // check number of rows in record set. What does this mean in this context?
         if ($rs->num_rows) {
             // start a new session for the user
             session_start();

             // Store the user details in session variables
             $user = $rs->fetch_assoc();
             $_SESSION['who'] = $user['id'];

             // Redirect the user to the secure page
             header('Location: scoreentry.php');
             exit; // stop here so the rest of the page is not sent after the redirect
         } else {
             $errorMessage = "Invalid Username or Password";
         }
     }
 }
 ?>

 <!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>Login Form</title>
    <style>
      input[type="text"], input[type="password"] {border: 1px solid black;}
    </style>
    <link rel="stylesheet" href="../css/login.css">
  </head>

  <body>
    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
       <p style="color:red;"><?php echo $errorMessage; ?></p>
       <div class="input-box">
         <label for="username">Username:</label>
         <input type="text" name="username" maxlength="50" id="username">
       </div>
       <div class="input-box">
         <label for="pword">Password:</label>
         <input type="password" name="pword" maxlength="100" id="pword">
       </div>
       <div class="input-box">
         <input type="submit" value="Login" name="submit">
       </div>
    </form>
  </body>
</html>
  • A well formatted code helps you spot eventual issues easier. – Zoli Szabó May 21 '21 at 12:32
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman May 21 '21 at 12:38
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 21 '21 at 12:38
  • It looks like you don't have a matching record in the database – Dharman May 21 '21 at 12:39
  • If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection – Dharman May 21 '21 at 12:39
  • the password is stored in the database in sha256, the theory is that the user enters the unhashed password and then it is hashed and compared to the one in the database – supersentry04 May 21 '21 at 12:44

1 Answer

Since you are hashing the password, there is no need to escape it before. If your password has characters that are escaped, that might be a reason why it does not work. So this line:

`$password = $dbConn->escape_string($_POST['pword']);`

should simply be:

`$password = $_POST['pword'];`

Next, SHA should not be used for passwords. It is not meant for that. Details: https://stackoverflow.com/a/20659101/3219919.

Instead, PHP has the built-in password_hash and password_verify functions you can use.

Zoli Szabó
  • This should be a comment. How does it solve the problem? – Dharman May 21 '21 at 12:40
  • IMHO it clearly underlines a possible cause of the issue the OP is having. Then the second part hints the "standard" way to do password validation in PHP. – Zoli Szabó May 21 '21 at 12:43
  • @Dharman Actually this might be the problem, because the string is being escaped before hashing, so if that's not done in the same order when saving the password, the lookup will fail. – IMSoP May 21 '21 at 12:44
  • thanks for the response, I just tried your solution. Unfortunately it hasn't solved the issue, and now shows an additional problem "Notice: Undefined variable: username in login.php on line 25" – supersentry04 May 21 '21 at 12:46
  • @supersentry04 It seems you might have accidentally deleted the `$username = ...` line...? – Zoli Szabó May 21 '21 at 12:48
  • yea lol that was it, but the other problem still persists. – supersentry04 May 21 '21 at 12:49
  • Also, as @IMSoP correctly pointed out, how did you save the hash of the correct password in the DB? Have you escaped it before hashing or not (maybe you added it manually)? – Zoli Szabó May 21 '21 at 12:49
  • the database was already provided, so the data inside of it wasn't added by me. As to whether it was escaped or not before, I am unsure but it most likely was. – supersentry04 May 21 '21 at 12:52
  • A good way to debug this would be to run the select only by username and then compare the two hashes: the one from the DB and the one you are preparing from the POST data... – Zoli Szabó May 21 '21 at 12:54
  • yep. I removed the username part and it worked. I'll try to figure out why the username wasn't working. Thank you so much, I appreciate it! – supersentry04 May 21 '21 at 12:59
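
The points raised in the answer and comments above, as an added example that is not part of the original thread and not the asker's code: it shows why escaping a password before hashing changes the SHA-256 digest, then does the login check by looking the row up by e-mail only with a prepared statement and verifying the password with `password_verify()`. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table contents, the sample credentials and the function name `checkLogin` are constructed for illustration, and `addslashes()` is a stand-in for `$dbConn->escape_string()`.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the page's database: in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE leagueadmin (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');

// Constructed sample account; the password contains a quote on purpose.
$samplePassword = "o'neil-2021";
$insert = $db->prepare('INSERT INTO leagueadmin (email, password) VALUES (?, ?)');
$insert->execute(['admin@example.test', password_hash($samplePassword, PASSWORD_DEFAULT)]);

// 1) Escaping before hashing: the escaped string is a different input, so its
//    SHA-256 digest differs from the digest of the password as typed.
//    addslashes() is a stand-in for $dbConn->escape_string(), which needs a
//    live MySQL connection; both turn ' into \'.
$raw     = hash('sha256', $samplePassword);
$escaped = hash('sha256', addslashes($samplePassword));
var_dump(hash_equals($raw, $escaped)); // do the two digests match?

// 2) Look the row up by e-mail only, with a bound parameter, then verify the
//    password in PHP. No user input is concatenated into the SQL text.
function checkLogin(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM leagueadmin WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for "no such user" and "wrong password", so the caller
    // can show one generic message, as the original form does.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

var_dump(checkLogin($db, 'admin@example.test', $samplePassword));  // correct credentials
var_dump(checkLogin($db, 'admin@example.test', 'wrong-password')); // wrong password
var_dump(checkLogin($db, "o'neil@example.test", $samplePassword)); // quote in e-mail is bound as data
```

Because the row is fetched by e-mail alone, a failed login can be narrowed down to "no row for that e-mail" versus "hash does not match", which is the debugging split suggested in the comments.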