I can't figure out why I'm getting out my password incorrect, my signup page is working properly.Everytime I try to login it shows login=incorrect password in my url.I tried to figure ot every possible issue online but nothing helped me.
<?php
session_start();
if(isset($_POST['submit'])){
include_once 'dbt.inc.php';
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
//error handlers
if(empty($username) || empty($password)){
header("Location: ../main_login.php?login=empty");
exit();
}
else{
$sql = "SELECT * FROM users WHERE user_username = '$username'";
$run = mysqli_query($conn, $sql);
$result = mysqli_num_rows($run);
if ($result < 1) {
header("Location: ../main_login.php?login=error");
exit();
}
else{
if ($row = mysqli_fetch_assoc($run)) {
$hashedpasswordcheck = password_verify($password, $row['user_password']);
if ($hashedpasswordcheck == false) {
header("Location: ../main_login.php?login=incorrect password");
exit();
}
elseif($hashedpasswordcheck == true){
//log in user
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_first'] = $row['user_first'];
$_SESSION['user_last'] = $row['user_last'];
$_SESSION['user_email'] = $row['user_email'];
$_SESSION['user_username'] = $row['user_username'];
$_SESSION['user_password'] = $row['user_password'];
header("Location: ../main_login.php?login=success");
exit();
}
}
}
}
}
else{
header("Location: ../main_login.php?login=error");
exit();
}
?>
If you get incorrect false responses from password_verify and you know it should be correct, make sure you are enclosing the hash variable in single quotes (') and not double quotes (").
In PHP anything that starts with a $ inside double quotes as a variable.
Related
my password_verify function doesn't return anything and yet i think my code is OK,i tried removing the character escapes but still same results,please help
this is my code
<?php
if (isset($_POST['submit'])) {
include_once 'db.php';
$uname = stripcslashes($_POST['username']);
$pass = stripcslashes($_POST['userpassword']);
$uname = mysqli_real_escape_string($conn, $_POST['username']);
$pass = mysqli_real_escape_string($conn, $_POST['userpassword']);
//check if input characters are valid
if (!preg_match("/^[a-zA-Z0-9]*$/",$uname) || !preg_match("/^[a-zA- Z0-9]*$/",$pass)) {
header("Location: ../index.php?signin=invalidwords");
exit();
}else {
//validate username n pwd
$sql = "SELECT * FROM loginAcc WHERE position='$uname'";
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
$hashedpwd = $row['userpassword'];
$pw = password_verify($pass,$hashedpwd);
echo $pass."<br />";
echo $hashedpwd."<br />";
echo $pw;
}
}else{
header("Location: ../login.php");
exit();
}
password_verify() return bool value, and in case your $pw is false, then echo $pw will print nothing.
Try to test 2 cases with correct and incorrect password.
I need to echo or to show an alert box when the user entered a incorrect user name and password. I used the url for the mean time to show the status if the user entered the incorrect username or the incorrect password.
session_start();
if (isset($_POST['submit'])) {
include 'dbh.inc.php';
$uid = mysqli_real_escape_string ($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string ($conn, $_POST['pwd']);
//ERROR HANDLERS
//Check for empty fields
if (empty($uid) || empty($pwd)) {
header("Location: ../login.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
header("Location: ../login.php?username_not_found");
exit();
} else {
if ($row = mysqli_fetch_assoc($result)) {
//De-hashing the password
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../login.php?password_not_match");
exit();
} elseif ($hashedPwdCheck == true) {
//Log in the user here
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../apptableremarks.php?login=success");
exit();
}
}
}
}
} else {
header("Location: ../index.php?login=error");
exit();
}
first change this line
header("Location: ../login.php?login=notFound");
then on the top the page in index.php file write this code
if(isset($_GET['login']))
{
echo "user name not found";
}
i think you should pass header variable like this :**
header("Location: ../login.php?user=not_found");
and then you can grab it using $_GET[] variable.
Like this: if(isset($_GET["user"] && $_GET["user"]==="not_fount")) echo "your alert message";
In this following code var_dump($row) returns NULL, while $sql, $conn and $result seem to be ok.
New to PHP, and cant figure out what is the problem. Thanks for help!
<?php
session_start();
include_once 'dbh.inc.php';
if (isset($_POST['submit'])) {
$uid = mysqli_real_escape_string($conn, $_POST['name']);
$pwd = mysqli_real_escape_string($conn, $_POST['password']);
if (empty($uid) || empty($pwd)) {
header("Location: ../index.php?login=empty");
exit();
} else {
//Check if username exists USING PREPARED STATEMENTS
$sql = "SELECT * FROM us WHERE user_username='$uid'";
$result = mysqli_query($conn, $sql);
if($result) {
var_dump($result);
$row = mysqli_fetch_row($result);
var_dump($row);
if (mysqli_num_rows($result) > 0) {
if ($pwd != $row['user_password']) {
header("Location: ../index.php?login=passerror");
exit();
} else {
//Set SESSION variables and log user in
$_SESSION['id'] = $row['id'];
$_SESSION['user_email'] = $row['user_email'];
$_SESSION['user_username'] = $row['user_username'];
header("Location: ../index.php");
exit();
}
}
}
}
} else {
header("Location: ../index.php?login=buttonerror");
exit();
}
I'm not super experienced either, but try this and let me know.
change
$row = mysqli_fetch_row($result);
to
$row = mysqli_fetch_assoc($result);
Nothing wrong with your code, it's works fine, please change the db and check it once
you are passing $conn in mysql_real_escape_string
$uid = mysqli_real_escape_string($_POST['name']);
$pwd = mysqli_real_escape_string($_POST['password']);
So im having problem with code in php, it drives me crazy..
The thing is, i am making login page, and i have index.php, login.php and dashboard.php.
Login form is in index.php, in login.php it checks if user is in database, and if it is redirect user to dashboard.php, but when i type right user and pass, it redirects me to index.php instead of dashboard.php??
login.php
<?php
session_start();
include($_SERVER['DOCUMENT_ROOT'] . "/new_cms/includes/db.php");
$username = $_POST['username'];
$password = $_POST['password'];
$btn = $_POST['submit'];
if(isset($btn)){
if(empty($username) || empty($password)){
echo "You must fill all fields";
}else{
$sql = "SELECT * FROM admins WHERE username = '$username' AND password = '$password'";
$query = mysqli_query($dbconn, $sql);
$rows = mysqli_num_rows($query);
if($rows > 0){
$_SESSION['usr'] = $rows['password'];
header("Location: dashboard.php");
}else{
echo "Invalid login";
}
}
}
?>
dashboad.php
<?php
session_start();
include($_SERVER["DOCUMENT_ROOT"] . "/new_cms/includes/db.php");
include($_SERVER["DOCUMENT_ROOT"] . "/new_cms/admin/login.php");
if(!isset($_SESSION['usr'])){
header("Location: index.php");
}else{
echo "Welcome";
}
?>
What am i doing wrong?
$rows is just a number, not an array, since you used mysqli_num_rows. Still you try to get $rows['password'].
instead, fetch the first row of the result and use this to assign to the session variable.
if(isset($btn)){
if(empty($username) || empty($password)){
echo "You must fill all fields";
}else{
$sql = "SELECT * FROM admins WHERE username = '$username' AND password = '$password'";
$query = mysqli_query($dbconn, $sql);
$rows = mysqli_num_rows($query);
if($rows > 0){
$user = mysqli_fetch_assoc($query);
$_SESSION['usr'] = $user['password'];
header("Location: dashboard.php");
}else{
echo "Invalid login";
}
}
}
So I am trying to create a simple login structure, and im not sure why it does not work, I appreciate there are many examples on here, and please do not mark this for duplication, I just really need some help I have tried and tried but I can not see what I have done wrong.
<?php
session_start();
include 'databaseconnection.php';
$email = strip_tags($_POST['email']);
$pwd = strip_tags($_POST['pwd']);
$sql = "SELECT * FROM user WHERE email='$email'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['pwd'];
$hash = password_verify($pwd, $hash_pwd);
if ($hash == 0) {
header("Location: error.php")
exit();
} else {
$sql = "SELECT * FROM user WHERE email='$uid' AND pwd ='$hash_pwd'";
$result = mysqli_query($conn, $sql);
if (!row = mysqli_fetch_assoc($result)); {
echo "your email address or password is incorrect!";
} else {
$_SESSION['id'] = $row['id'];
}
header("Location: profile.php")
If someone could simply suggest what changes I should make, I would really appreciate it.
There you go simple code
<?php
session_start();
include 'databaseconnection.php';
$email = $_POST['email'];
$pwd = $_POST['pwd'];
$sql = "SELECT * FROM user WHERE email = '$email'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['pwd']; // password from database
// if password is valid start session and redirect to profile.php
if (password_verify($pwd, $hash_pwd))
{
$_SESSION['id'] = $row['id'];
header('Location: profile.php');
}
else
{
header("Location: error.php")
exit();
}
?>
You have not closed the "} else {"... section.
First check request second filter input third use pdo
<?php
session_start();
include 'databaseconnection.php';
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$email = filter_input(INPUT_POST, 'email',FILTER_VALIDATE_EMAILL); //filter input
$pwd = filter_input(INPUT_POST, 'pwd',FILTER_SANITIZE_STRING,FILTER_FLAG_STRIP_HIGH); //filter input
$hashed = sha1($pwd);
$sql= $conn->prepare( "SELECT * FROM user WHERE email ? AND password = ?"); //use pdo here
$sql->execute(array($email, $pwd));
$row = $sql->fetch();
if($row['email'] !== $email || $row['password'] !== $hashed){
header("Location: error.php");
exit();
} else {
$_SESSION['id'] = $row['id'];
header("Location: profile.php");
}
}else {
echo 'error';
}
?>