I'm still fairly new to the prepared statements because it was brought to my attention by another user. I've been able to create a registration function that properly prepares the statement, binds it and then executes it. It goes into the database just fine. However, I'm not sure I understand how the login part would work. I'm trying to fetch a row and the result I keep getting is "1" but not the row + data inside the row. Any advice?
Database:
login.php (where the form is located)
<form id="loginform" class="form-horizontal" role="form" action="" method="post">
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
<input id="login-username" type="text" class="form-control" name="Lusername" placeholder="Username or Email">
</div>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
<input id="login-password" type="password" class="form-control" name="Lpassword" placeholder="Password">
</div>
<div class="input-group">
<div class="checkbox">
<label>
<input id="login-remember" type="checkbox" name="remember" value="1"> Remember me
</label>
</div>
</div>
<div style="margin-top:10px" class="form-group">
<!-- Button -->
<div class="col-sm-12 controls">
<button id="btn-login" type="submit" class="btn btn-success"><i class="icon-hand-right"></i>Submit</button>
</div>
</div>
</form>
script:
<script type="text/javascript">
$(function() {
$("#loginform").bind('submit',function() {
var username = $('#login-username').val();
var password = $('#login-password').val();
$.post('scripts/loginFunction.php',{username:username, password:password}, function(data){
$('#signupsuccess').show();
}).fail(function(){{
$('#signupalert').show();
}});
return false;
});
});
</script>
loginFunction.php
<?php
require 'connection.php';
$username = $_POST['username'];
$password = $_POST['password'];
if($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("SELECT `Username`, `Password` FROM `users` WHERE `Username` = ?");
$stmt->bind_param('s',$username);
$stmt->execute();
$stmt->store_result();
echo $stmt->num_rows;
/*if($stmt->num_rows == 1){
$result = $stmt->get_result();
$row = $result->fetch_assoc();
print_r($row);
// here is where you could verify the password
if(password_verify($password, $row['Password'])) {
// good password
echo 'all good!';
}
} else {
//echo "failed to find row";
}*/
?>
loginFunction.php that does work and queries the database properly
require 'connection.php';
$username = $_POST['username'];
$password = $_POST['password'];
if($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
$query = "SELECT * FROM users WHERE username='$username'";
$result = $conn->query($query);
if($result->num_rows == 1){
$row = mysqli_fetch_array($result);
if(password_verify($password, $row['Password'])){
echo "Login successful!";
}
else{
echo "Login failed.";
}
}
EDIT: Here is the code you should use. Note how $stmt is carried throughout:
$stmt = $conn->prepare("SELECT `Username`, `Password` FROM `users` WHERE `Username` = ?");
$stmt->bind_param('s',$username);
$stmt->execute();
$stmt->store_result();
echo $stmt->num_rows;
/*if($stmt->num_rows == 1){
$result = $stmt->get_result();
$row = $result->fetch_assoc();
print_r($row);
// here is where you could verify the password
if(password_verify($password, $row['Password'])) {
// good password
echo 'all good!';
}
} else {
//echo "failed to find row";
}*/
I have resolved the issue. When I went to fetch, I needed to store it in a separate variable than the one that the user is storing their entered password into. This can be reflected in the code below:
<?php
require 'connection.php';
$username = $_POST['username'];
$password = $_POST['password'];
$dbusername = ""; //These two being the new variables
$dbpassword = "";
if($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
$stmt = $conn->prepare("SELECT Username, Password FROM users WHERE Username = ?;");
$stmt->bind_param('s', $username);
$stmt->execute();
if($stmt->execute() == true){
$stmt->bind_result($dbusername, $dbpassword);
$stmt->fetch();
if(password_verify($password, $dbpassword)) {
echo 'successful';
}
else{
echo 'failed';
}
}
else{
echo 'failed';
}
?>
Related
Statement
In login_check.php, it worked but I would like to change it into the prepared statement.
login.php
<body>
<div class="container">
<h1>Please Log In to the System</h1>
<form method="post" action="login_check.php">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" autocomplete="off" required>
<button type="submit" name="login" value="Log In">Log In</button>
</form>
</div>
</body>
login_check.php
<body>
<?php
//Establish connection
include 'connection.php';
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$sql = "SELECT * FROM admins WHERE admin_username = '".mysqli_real_escape_string($conn, $_POST['username'])."' and admin_password = '".mysqli_real_escape_string($conn, $_POST['password'])."'";
$query = mysqli_query($conn, $sql);
$result = mysqli_fetch_array($query);
//-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
if(!$result) //Username or Password is invalid!
{
?>
<div class="container">
<h1>Username or Password is invalid!</h1>
<form method="post" action="login.php">
<button type="submit">Back</button>
</form>
</div>
<?php
}
else //Username and Password are valid!
{
$_SESSION["admin_id"] = $result["admin_id"];
$_SESSION["admin_username"] = $result["admin_username"];
session_write_close();
header("location:front.php");
}
$conn->close();
?>
</body>
To change to prepared statements, you just need to
replace variables in your query with a ?
prepare the query
bind variables to the parameters
execute the statement
For your code that would look like this:
$sql = "SELECT * FROM admins WHERE admin_username = ? and admin_password = ?";
$stmt = $conn->prepare($sql) or die($conn->error);
$stmt->bind_value("ss", $_POST['username'], $_POST['password']);
$stmt->execute() or die($stmt->error);
$result = $stmt->get_result();
Note that you should not be storing passwords in plain text in your database. Please look into PHPs password_hash and password_verify functions to properly handle your passwords. You would use password_hash when storing the password in the database, and then your code for verifying the user would look something like:
$sql = "SELECT * FROM admins WHERE admin_username = ?";
$stmt = $conn->prepare($sql) or die($conn->error);
$stmt->bind_value("s", $_POST['username']);
$stmt->execute() or die($stmt->error);
$result = $stmt->get_result() or die($stmt->error);
$row = $result->fetch_array();
if (!$row|| !password_verify($_POST['password'], $row['admin_password']) {
// invalid username or password
login_check.php
<?php
//Establish connection
include 'connection.php';
$sql = "SELECT * FROM admins WHERE admin_username = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s",$_POST['username']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_array())
{
$hash = password_hash($_POST['password'],PASSWORD_DEFAULT);
mysqli_query($conn,"UPDATE admins SET admin_password = '$hash' WHERE admin_id='{$row['admin_id']}");
}
if(!$row || !password_verify($_POST['password'],$row['admin_password']))
{
?>
<div class="container">
<h1>Username or Password is invalid!</h1>
<form method="post" action="login.php">
<button style="font-size: 30px" type="submit" class="btn btn-dark"><b>Back</b> <i class="fas fa-arrow-alt-circle-left"></i></button>
</form>
</div>
<?php
}
else
{
$_SESSION["admin_id"] = $result["admin_id"];
$_SESSION["admin_username"] = $result["admin_username"];
session_write_close();
header("location:front.php");
}
$stmt->close();
$conn->close();
?>
</body>
There is no syntax error shown up but I think there are some mistakes in
=> mysqli_query($conn,"UPDATE admins SET admin_password = '$hash' WHERE admin_id ='{$row['admin_id']}");
=> if(!$row || !password_verify($_POST['password'],$row['admin_password']))
Form this code, the result is it always returns as username or password is invalid, even I put the valid ID and Password.
I have a login form but even if i type a correct email and password i still get invalid username/password. I'm looking at my code and tried debugging it but i can't seem to find the problem.
Form
<form method="post" action = 'plogin.php'>
<h2 class="sr-only">Login Form</h2>
<div class="illustration"><i class="icon ion-ios-navigate"></i></div>
<div class="form-group"><input class="form-control" type="email" name="email" placeholder="Е-маил"></div>
<div class="form-group"><input class="form-control" type="password" name="password" placeholder="Лозинка"></div>
<div class="form-group"><button class="btn btn-primary btn-block" type="submit">Најава</button></div>Ја заборавивте лозинката? Кликнете овде.</form>
Form Validation
if(!empty($_POST)) {
include('includes/general.php');
if(!$connection){
die("Failed to connect to database ".mysqli_connect_error());
}
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$hashedPassword = hash('SHA256', $password);
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
$result = mysqli_query($connection, $query) or die (mysqli_error($connection));
if(mysqli_num_rows($result) > 0) {
$_SESSION = mysqli_fetch_array($result);
header('location: user.php');
} else {
echo "<script>alert('invalid username/password');
window.location.href= 'login.php';</script>";
}
} else {
header('location: index.php');
You hash the password, but don't use the hash...
if(!empty($_POST)) {
include('includes/general.php');
if(!$connection){
die("Failed to connect to database ".mysqli_connect_error());
}
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$hashedPassword = hash('SHA256', $password);
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$hashedPassword'";
$result = mysqli_query($connection, $query) or die (mysqli_error($connection));
if(mysqli_num_rows($result) > 0) {
$_SESSION = mysqli_fetch_array($result);
header('location: user.php');
} else {
echo "<script>alert('invalid username/password');
window.location.href= 'login.php';</script>";
}
} else {
header('location: index.php');
Maybe try the code above
I'm reworking a login form to PDO based with OOP in mind. And I am running into the error given above. So I have two files one is an login.php and one is an included file called functions.inc.php
The code for the login.php is as follows.
<?php
include_once("includes/functions.inc.php");
// get username and password from $_POST
if(!empty($_POST)){
$username = $_POST['email'];
$password = $_POST['password'];
// check if a user can login (function)
if(canilogin($username, $password)){
session_start();
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = true;
header('Location: index.php');
}
else{
$error = true;
// if no -> $error tonen
}
}
?><!DOCTYPE html>
<html lang="en">
<body class="login">
<div class="grid container_login">
<div class="login_grid">
<form class="form_login" action="" method="post">
<?php if( isset($error) ): ?>
<div class="form__error">
<p>
Sorry, we can't log you in with that email address and password. Can you try again?
</p>
</div>
<?php endif;?>
<div>
<label for="email">EMAIL</label><br/>
<input type="text" id="email" name="email" placeholder="Lucasdebelder#snapshot.be" required>
</div>
<div>
<label for="password">PASSWORD</label><br/>
<input type="password" id="password" name="password" placeholder="Atleast 8 characters" required>
</div>
<div>
<input type="submit" value="LOG IN" class="btn_login">
</div>
<p class="center_align">Or</p>
<br/>
<a class="center_align" href="register.php">Register here.</a>
</form>
</div>
</body>
</html>
And the functions.inc.php where the error is happening, to be precise it happens at if($result->num_rows != 1){.
Also the first few lines were the once that worked before but that is done with real escape string to secure against SQL inject but it's kinda a wacky way to do and I decided to try to rework it to PDO.
<?php
function canilogin( $username, $password){
/* THIS IS THE OLD WAY THAT WORKED/WORKS
$conn = new mysqli("localhost", "root", "root", "snapshot");
$query = "select * FROM users WHERE email='".$conn->real_escape_string($username). "'";
$result = $conn->query($query);
*/
$conn = new PDO('mysql:host=localhost; dbname=snapshot', 'root', 'root');
//$query = "select * FROM users WHERE email='".$conn->real_escape_string($username). "'";
$statement = $conn->prepare("select * from users where email = :username");
$statement->bindValue(':username', $username);
$statement->execute();
$result = $statement->execute();
if($result->num_rows != 1){
return false;
}
$user = $result->fetch_assoc();
if(password_verify($password, $user['password'])){
return true;
}
else{
return false;
}
}
?>
The reason you are having the issue is that $result is not correct. Once $statement->execute(); is executed it becomes a PDOStatement object.
First of all remove $result = $statement->execute(); and try
if($statement->rowCount() != 1){
return false;
}
$user = $statement->fetch();
if(password_verify($password, $user['password'])){
return true;
}
else{
return false;
}
I wanted to make a multi user login. At least 2 type of users that is admin and a user. When I tried to enter the username and password as an admin, got the error displayed as 'Username and Password Invalid' instead. Same for user.
PHP
include_once 'config.php';
$error="";
if(isset($_POST['login'])){
if(empty($_POST['username']) || empty($_POST['password'])){
$error = '<div class="alert alert-danger">Username or Password is Invalid</div>';
} else {
$username= $_POST['username'];
$password= $_POST['password'];
$stmt = $con->prepare("SELECT * FROM users WHERE username=? AND password=? ");
$stmt->bind_param("ss",$username,$password);
$stmt->execute();
$row = $stmt->fetch();
$user = $row['username'];
$pass = $row['password'];
$id = $row['id'];
$type = $row['typeuser'];
if ($username==$user && $pass==$password){
session_start();
$_SESSION['username']=$user;
$_SESSION['passsword']=$pass;
$_SESSION['id']=$id;
$_SESSION['typeuser']=$type;
if($type=='admin'){
header("Location: dashboard.php");
} else if ($type=='user'){
header("Location: user_dashboard.php");
}
} else
{
$error = "Username or Password is Invalid";
}
}
mysqli_close($con); // Closing connection
}
?>
FORM
<form role="form" method="post" action="" >
<div class="page-content container">
<div class="row">
<div class="col-md-4 col-md-offset-4">
<div class="login-wrapper">
<div class="box">
<div class="content-wrap">
<h6>Sign In</h6>
<input class="form-control" type="text" placeholder="Username" id="username" name="username"><br/>
<input class="form-control" type="password" placeholder="Password" id="password" name="password"><br/>
<input class="btn btn-primary btn-lg" type="submit" value="Login" name="login"><br><br>
<strong class = "text-danger"><?php echo $error; ?></strong>
</div>
</div>
<div class="already">
<p>Don't have an account yet?</p>
Sign Up
</div>
</div>
</div>
</div>
</div>
</form>
I don't know why this error is displayed since I did the code right.
mysqli execute and fetch is not same as pdo when you use
execute in mysqli you need to use fetch with bind_result. Try follwoing code/ change your
$stmt = $con->prepare("SELECT * FROM users WHERE username=? AND password=? ");
$stmt->bind_param("ss",$username,$password);
$stmt->execute();
$row = $stmt->fetch();
$user = $row['username'];
$pass = $row['password'];
$id = $row['id'];
$type = $row['typeuser'];
To
$stmt = $con->prepare("SELECT username,password,id,typeuser FROM users WHERE username=? AND password=? ");
$stmt->bind_param("ss",$username,$password);
$stmt->execute();
$stmt->bind_result($user, $pass,$id,$type);
$stmt->fetch();
I have already created a successfull login form that is connected to a database to determine whether or not a login is correct. But i would like to update this so that if an incorrect username or password is entered they will get an error message. Im just not to sure how to implement that into my existing code?...
my user login page:
<form action="../login.php" method="post">
<label for="login-username"><i class="icon-user"></i> <b>Username</b> </label><br/>
<input class="form-control" type="text" name="username">
<br/>
<label for="login-password"><i class="icon-lock"></i> <b>Password</b> </label> <br/>
<input class="form-control" type="password" name="password">
<br/>
<button type="submit" class="btn pull-right">Login</button>
</form>
<?php
if (isset($_SESSION['username'])){
if($_SESSION['logged_in'] = 1){
echo ('Logged in as: '. $_SESSION['username'].' '.$_SESSION['surname']).'<br>Log out';
}
}
?>
and the login.php it is posting to:
<?php
session_start();
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "gpdb";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("connection failed: " . $conn->connect_error);
}
//echo "connection successful";
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM patients where Username ='$username' and Password ='$password'";
$result = $conn->query($sql);
$admin_user = 'admin';
$admin_password = 'admin1';
if ($result->num_rows > 0) {
if ($username === $admin_user || $password === $admin_password ){
foreach($result as $row) {
//echo "PatientID " .$row["PatientID"]."<br>". "First name and Last name: " . $row["Firstname"]. " ".$row["Surname"]. "<br/>";
$_SESSION['id'] = $row["PatientID"];
$_SESSION['username'] = $row["Firstname"];
$_SESSION['surname'] = $row["Surname"];
$_SESSION['logged_in'] = 2;
header("location: http://localhost/index.php");
die;
}
}else{
foreach($result as $row) {
$_SESSION['id'] = $row["PatientID"];
$_SESSION['username'] = $row["Firstname"];
$_SESSION['surname'] = $row["Surname"];
$_SESSION['logged_in'] = 1;
header("location: http://localhost/index.php");
die;
}
}
}else{
$_SESSION['logged_in'] = 0;
header("location: http://localhost/user.php");
die;
}
?>
<?php
if ($result->num_rows > 0){
header("location: http://localhost/index.php");
}else{
echo "Wrong Username or Password <br />".
'Go back...';
}
?>
You may also create a login_failure.php page and in the else part redirect the user to that page. OR another approach is to pass the value of failure message
header("location: http://localhost/user.php?msg = 1");
and display the message at the top of login box. Get the value of 'msg' in user.php page and apply if condition to display the message.
<div><?php
$msg = $_GET['msg'];
if (isset($msg)) { echo "Wrong username/password"; } ?> </div>
<form action="../login.php" method="post">
<label for="login-username"><i class="icon-user"></i> <b>Username</b> </label><br/>
<input class="form-control" type="text" name="username">
<br/>
<label for="login-password"><i class="icon-lock"></i> <b>Password</b> </label> <br/>
<input class="form-control" type="password" name="password">
<br/>
<button type="submit" class="btn pull-right">Login</button>
</form>