My login system works fine so far. I can put the correct username and password and it will login but not vice versa. The only thing that does not work correctly is the status check. If the user has a status of '0' it should not login. So I tried to print out the status and nothing showed. Then I did the same with the password_hash and I get the same result (which is weird since password_verify() has no issue). The user entered password does print so this must be a mysqli_result thing. Any help?
include_once($_SERVER['DOCUMENT_ROOT'] . "/php_scripts/db_conx.php");
function CheckLogin($username, $password, $db_conx){
time_nanosleep(0, 100000000);
$userQuery = $db_conx->prepare("SELECT * FROM users WHERE username = ?");
$userQuery->bind_param('s', $username);
$userQuery->execute();
$userResult = $userQuery->get_result();
if($userResult->num_rows == 1){
$password_hash = $userResult->fetch_assoc()['password'];
$status = mysqli_fetch_assoc($userResult)['status']; // $status turns out null
echo($status); // Prints nothing
printf("%s\n", $userResult->fetch_assoc()['password']); // Prints nothing
print_r($userResult->fetch_assoc()); // Prints nothing
print($password); //Prints the password correctly
if(password_verify($password, $password_hash) && $status != '0'){
//password_verify() works like a charm
//Status check is the only thing that does not work
return true;
} else{
return false;
}
}
return false;
}
The user has a status of '0' so it should not login.
You're advancing the cursor 4 positions but probably only have 1 row. Use fetch only once and assign it.
$row = $userResult->fetch_assoc();
then you can assign your variables.
$password_hash = $row['password'];
$status = $row['status'];
and they will be accessible.
You also could just check the status in the query:
SELECT * FROM users WHERE username = ? and status <> 0
or
SELECT * FROM users WHERE username = ? and status = 1
Related
I am building a log in system and every other part works perfectly fine except for the portion that cross references the entered password with the password in the database. So when I checked to see if the passwords match I realized that the password from the database is coming back as null. May I ask what is happening?? (There is no issue with the "uidExists" method, it seems to just be in the "loginUser" method).
This is based of of this video https://www.youtube.com/watch?v=gCo6JqGMi30
I believe its around the hour and 40 minute mark he gets to the loginUser function.
function loginUser($conn,$username,$pwd){
$uidExists = uidExists($conn,$username,$username);
if($uidExists === false){
header("location: ../login.php?error=wrongslogin");
exit();
}
else{
echo $pwd;
if(is_null($uidExists["userPwd"])){
echo "Empty bruv";
}
else{
echo $uidExists["userPwd"];
}
}
function uidExists($conn,$username,$email){
$sql = "SELECT * FROM users WHERE userUid = ? OR userEmail = ?;";
$stmt = mysqli_stmt_init($conn);
if(!mysqli_stmt_prepare($stmt,$sql)){
header("location: ../signup.php?error=stmtfailed");
exit();
}
mysqli_stmt_bind_param($stmt,"ss",$username,$email);
mysqli_stmt_execute($stmt);
$resultData = mysqli_stmt_get_result($stmt);
if(mysqli_fetch_assoc($resultData)){
return $row;
}
else{
$result = false;
return $result;
}
mysqli_stmt_close($stmt);
}
This doesn't look right:
$uidExists = uidExists($conn,$username,$username);
Should this be:
$uidExists = uidExists($conn,$username,$userPwd);
I went through this login system with multi-users. It's working fine since it doesn't allow my status_id users '2' to login (inactive status), but when this happens I get the echo message twice on screen.
What am I doing wrong?
I want to validate both user/password, user_type (admin/user) and user_status (1-active, 2-inactive).
<?php
include 'database/connect.php';
if (isset($_POST["submit"])) {
$email = $_POST["txtemail"];
$pass = $_POST["txtpass"];
$query = mysqli_query($con, "SELECT user_email,user_password,user_type_id, status_id FROM user");
while ($row = mysqli_fetch_array($query)) {
$db_email = $row["user_email"];
$db_pass = $row["user_password"];
$db_type = $row["user_type_id"];
$db_user_status = $row['status_id'];
if ($email == $db_email && $pass == $db_pass && $db_user_status == '1') {
session_start();
$_SESSION["email"] = $db_email;
$_SESSION["type"] = $db_type;
if ($_SESSION["type"] == '1') {
header("Location:admin/home_admin.php");
} else {
header("Location:user/home_user.php");
}
} else {
echo "Ups. Algo de errado aconteceu.";
}
}
}
Looking at your code, if the conditions specified inside the loop fails then the else will execute.
So if your user table holds 3 records and all 3 records doesn't satisfy the condition specified it will execute else statement and 3 times.
This might be the reason.
Well it looks like you are looping through every user inside your user table, so the posted email and password can only be right for one user and for the rest of them your program will go through the else statement
I am makeing a sensitive page that no other user could access without being admin. But when i try to visit that page without being admin it works !
All users are not admin, So they should not be able to access it.
But the page loads fine for them (non admins).
PHP code:
function isAdmin(){
$admin = mysql_query("SELECT `admin` FROM `users` WHERE `username` = '".$_SESSION['username']."'");
if(!($admin)){
echo 'You are not authorised';
return false;
}else{
return true;
}
}
The code on sensitive page:
if(isAdmin()){
$name = $_POST['name'];
$description = $_POST['description'];
$image = $_POST['image'];
$amount = $_POST['amount'];
$sql = "INSERT INTO `store`(`name`, `description`, `price`, `image`) VALUES ('$name','$description','$amount','$image')";
mysql_query($sql);
echo 'Done!';
}
When i post data to this page , it loads and echoes Done! but it should not because:
Current User is not an admin
So, isAdmin() return false
then if(isAdmin()) receives false
So the if statement should not execute.
Yes, I have all these:
Mysql connection
PHP server with correct php.ini
Correct configuration my my users table
The column admin in my Mysql users table is int
You are basing your if condition on whether your query is syntactically correct or not. Since your query is valid, its always going to return something other than false.
use mysqli_num_rows instead.
if(msyql_num_rows($admin)<1)){
echo 'You are not authorised';
return false;
}else{
return true;
}
}
Take count instead of resource value. check below code
function isAdmin(){
$admin = mysql_query("SELECT `admin` FROM `users` WHERE `username` = '".$_SESSION['username']."'");
$count = mysql_num_rows($admin);
if(!($count)){
echo 'You are not authorised';
return false;
}else{
return true;
}
}
I want to reset user password using php. i got user's current and new password from html form . here's php script to reset password. But it always executes else part even if user enters correct password. how?any solution? i know there might be a simple error but i'm new at this and couldnt find any error.
$uid = $_SESSION['uid'];
$current_pass = $_POST['org_pass'];
$new_pass = $_POST['new_pass'];
if(isset($_POST['submit']))
{
$act_pass = $db_con->prepare("SELECT password FROM user WHERE u_id= ?");
$act_pass->bindParam(1,$uid);
$act_pass->execute();
$actual_pass = $act_pass->fetchColumn();
define('SALT', 'flyingrabbit');
$typed_pass = md5(SALT.$actual_pass);
if ($typed_pass == $current_pass)
{
$new_pass1 = md5(SALT . $new_pass);
$res = $db_con->prepare("UPDATE user SET password= ? WHERE u_id=?");
$res->bindParam(1,$new_pass1);
$res->bindParam(2,$uid);
$res->execute();
header("Location: profile.php");
exit;
}
else
{
echo "<script type=\"text/javascript\">window.alert(\"You entered wrong password.\");window.location.href = 'profile.php';</script>";
}
}
This looks wrong:
$actual_pass = $act_pass->fetchColumn();
// ...
$typed_pass = md5(SALT.$actual_pass);
if ($typed_pass == $current_pass)
You are hashing the information you got from the database which - I assume - is already hashed.
You probably want:
$actual_pass = $act_pass->fetchColumn();
// ...
$typed_pass = md5(SALT.$current_pass);
if ($typed_pass == $actual_pass)
Note that md5 is not recommended to hash passwords.
You should compare hashed $current_pass and **$actual_pas**s.
Replace
$typed_pass = md5(SALT.$actual_pass); with $typed_pass = md5(SALT.$current_pass);
$typed_pass == $current_pass with $typed_pass == $actual_pass
It goes to the else statement because you compare $typed_pass == $current_pass but on the previous line you do this $typed_pass = md5(SALT.$actual_pass) you compare a hashed, salted password to a plain text password
When a user registers, the script sends an email to verify his account. Clicking on the link, the script gets the token
$token = mysql_real_escape_string($_GET["token"]);
and what I thought to do is
if($token != '') {
mysql_query("UPDATE members SET verified = '' WHERE verified = '$token'");
}
or
if($token != '') {
$result = mysql_query("UPDATE members SET verified = '' WHERE verified = '$token'");
if($result) { }
else { }
}
What is my purpose is to echo a success or failed message on the user. When it will be success then the verified will be empty.
What is the appropriate way of doing this with my examples above?
Should I check if there is the token in the DB before updating it?
Thank you.
Your current method updates a record if it exists but does not take into account that which does not exist or match. You should run something similar to:
if($token != '') {
$result = mysql_query("SELECT COUNT(*) FROM members WHERE verified = '$token'");
while($row = mysql_fetch_row($result)) {
$records = $row[0];
}
if($records == 0) { echo 'no results'; }
elseif($records ==1) { echo 'you matched'; then update the record. }
}
edit
changed BACK to the while loop, wasn't thinking of the count returning 0 rows