I'm currently trying to finetune a login script, only I have one small issue- the HTML isn't showing. I tried to put the HTML in front of the PHP, but the
session_start(); depends on the fact that it's at the top, so if I put the HTML before the PHP, the HTML renders, but the PHP is invalid. This is normal- however, the fact that the HTML doesn't show isn't.
Just to clarify, this is a .php document.
FULL CODE:
<?php
ob_start();
session_start();
require_once 'dbconnect.php';
// it will never let you open index(login) page if session is set
if ( isset($_SESSION['user'])!="" ) {
header("Location: home.php");
exit;
}
if( isset($_POST['btn-login']) ) {
$email = $_POST['email'];
$upass = $_POST['pass'];
$email = strip_tags(trim($email));
$upass = strip_tags(trim($upass));
$password = hash('sha256', $upass); // password hashing using SHA256
$res=mysql_query("SELECT userId, userName, userPass FROM users WHERE userEmail='$email'");
$row=mysql_fetch_array($res);
$count = mysql_num_rows($res); // if uname/pass correct it returns must be 1 row
if( $count == 1 && $row['userPass']==$password ) {
$_SESSION['user'] = $row['userId'];
header("Location: home.php");
} else {
$errMSG = "Wrong Credentials, Try again...";
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login & Registration System</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<link rel="stylesheet" href="http://demos.codingcage.com/signup-login/style.css" type="text/css" />
</head>
<body>
<div class="container">
<div id="login-form">
<form method="post" autocomplete="off">
<div class="col-md-12">
<div class="form-group">
<h2 class="">Sign In.</h2>
</div>
<div class="form-group">
<hr />
</div>
<?php
if ( isset($errMSG) ) {
?>
<div class="form-group">
<div class="alert alert-danger">
<span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG;
?>
</div>
</div>
<?php
}
?>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span></span>
<input type="email" name="email" class="form-control" placeholder="Your Email" required />
</div>
</div>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
<input type="password" name="pass" class="form-control" placeholder="Your Password" required />
</div>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
<button type="submit" class="btn btn-block btn-primary" name="btn-login">Sign In</button>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
Sign Up Here...
</div>
</div>
</form>
</div>
</div>
</body>
</html>
put this at the top..
error_reporting(E_ALL);
ini_set('display_errors', 1);
and it will tell you what the error is so people on stack overflow don't have to guess..
also, mysql_* functions are deprecated. if you want to get hacked, that's cool. if not, maybe look into PDO instead.
EDIT
I can't comment on the other answer yet so I'll just say here that isset returns a boolean. Comparing a boolean to an empty string with == has the exact same effect as comparing it with false ...this is unconventional, but it's not incorrect and it's certainly not causing any kind of error.
Proof: https://3v4l.org/vr8UU
The other answer is wrong.
if (isset($_SESSION['user'])!="" ) { this is not how isset() works.
Use: if (isset($_SESSION['user'])) { instead.
http://php.net/manual/en/function.isset.php
And remove the exit. It isn't necessary at this place.
Related
I am currently working on a little website and I came across the problem that, whenever I go on the site the error message is there.
How can I make it that it only appears after the form is submitted and the values are wrong?
Thats the code:
<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
if($_POST['username'] and $_POST['userpasswd'])
{
require './classes/_connection.php';
require './classes/_account.php';
$account = new Account();
$username = $_POST['username'];
$password = $_POST['userpasswd'];
$username = trim($username);
$password = trim($password);
$_SESSION["username"] = $username;
try
{
$login = $account->loginWebsite($username, $password);
}
catch (Exception $e)
{
echo $e->getMessage();
die();
}
if ($login)
{
header ("LOCATION: ./dashboard.php");
}
else
{
// show the alert message here
}
}
}
else
{
}
?>
<html lang="en">
<head>
<title>my site</title>
<!--- META -->
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!--- CSS --->
<link rel="stylesheet" href="./css/style.css">
<link rel="stylesheet" href="./css/bootstrap.css">
<link rel="stylesheet" href="./css/messagebox.css">
</head>
<body>
<div class="vertical-center">
<div class="container">
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 d-flex align-items-center justify-content-center">
<div class="d-flex align-items-center justify-content-center text-center loginArea">
<div class="container">
<form action="" method="post">
<div class="alert">
<span class="closebtn" onclick="this.parentElement.style.display='none';">×</span>
Wrong username or password
</div>
<div class="col-xs-12 col-sm-12 col-md-12">
<input class="inputrow" required type="text" size="40" maxlength="250" name="username" placeholder="Username" autofocus>
</div>
<div class="col-xs-12 col-sm-12 col-md-12">
<input class="inputrow" required type="password" size="40" maxlength="250" name="userpasswd" placeholder="Password">
</div>
<div class="col-xs-12 col-sm-12 col-md-12">
<input class="inputbutton" type="submit" value="Login">
</div>
</form>
</div>
</div>
</div>
</div>
</div>
It is about the:
<div class="alert">
<span class="closebtn" onclick="this.parentElement.style.display='none';">×</span>
Wrong username or password
</div>
How can I make it that it only appears after the php if statement is false?
You must write this at the end of your code:
<?php } ?>
and modify your last else to:
else {
Full snippet: https://pastebin.com/raw/yCK6M2v8
You can modify your code like below
else
{
// show the alert message here
?>
<div class="alert">
<span class="closebtn" onclick="this.parentElement.style.display='none';">
×</span> Wrong username or password
</div>
<?php
}
I wrote a code when a user clicks "delete" but it doesn't delete the account, only logs out, I tried searching on internet but nothing was found that helped me.
Here's the code:
<?php include('server.php');
session_start();
if (isset($_GET['delete'])) {
$query = "DELETE FROM `users` WHERE `username` = '$username', `password`='$password'";
mysqli_query($db, $query);
session_destroy();
unset($_SESSION['username']);
unset($_SESSION['password']);
unset($_SESSION['money']);
header("location: login.php");
}
?>
Is there any solutions to this code? should I use AND instead of comma, because it didn't work that way, maybe there's an mistake.
$query has the same code that was used on phpmyadmin and it was successful there.
Sorry about the server.php
Here is the code of it:
Also using md5 for encrypting passwords is not good idea, I probably need to change it.
Here is login.php where the first code came from (the register button is not programmed properly):
<?php include('server.php');
session_start();
if (isset($_GET['delete'])) {
$stmt = $db->prepare('DELETE FROM users WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $_SESSION['username'], $_SESSION['password']); // 's' specifies the variable type => 'string'
$stmt->execute();
session_destroy();
unset($_SESSION['username']);
unset($_SESSION['password']);
unset($_SESSION['money']);
header("location: login.php");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<link rel="stylesheet" type="text/css" href="style.css">
<script>
function register() {
header("location: register.php");
}
</script>
</head>
<body>
</br>
</br>
</br>
</br>
</br>
</br>
</br>
</br>
<form method="post" action="login.php" align="center">
<?php include('errors.php'); ?>
<div class="input-group">
<label>Username</label>
<input type="text" name="username" >
</div>
<div class="input-group">
<label>Password</label>
<input type="password" name="password">
</div>
<br/>
<div class="input-group">
<button type="submit" class="btn" name="login_user">Login</button>
</div>
<p></p></br>
<p>
<small class="input-group"> Not yet a member? </small> <button type="button" class="btn2" onclick="register()" name="register">Register</button>
</p>
</form>
</body>
</html>
This is register.php:
<?php include('server.php') ?>
<!DOCTYPE html>
<html>
<head>
<title>Registration system PHP and MySQL</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
</br></br></br></br></br></br></br>
<div class="header">
<h2>Register</h2>
</div>
<form method="post" action="register.php">
<?php include('errors.php'); ?>
<div class="input-group">
<label>Username</label>
<input type="text" name="username" value="<?php echo $username; ?>">
</div>
<div class="input-group">
<label>Email</label>
<input type="email" name="email" value="<?php echo $email; ?>">
</div>
<div class="input-group">
<label>Password</label>
<input type="password" name="password_1">
</div>
<div class="input-group">
<label>Confirm password</label>
<input type="password" name="password_2">
</div>
<div class="input-group">
<button type="submit" class="btn" name="reg_user">Register</button>
</div>
<p>
Already a member? Sign in
</p>
</form>
</body>
</html>
This is errors.php:
<?php if (count($errors) > 0) : ?>
<div class="error">
<?php foreach ($errors as $error) : ?>
<p><?php echo $error ?></p>
<?php endforeach ?>
</div>
<?php endif ?>
This is index.php:
<?php
session_start();
if (!isset($_SESSION['username'])) {
$_SESSION['msg'] = "You must log in first";
header('location: login.php');
}
if (isset($_GET['logout'])) {
session_destroy();
unset($_SESSION['username']);
unset($_SESSION['password']);
unset($_SESSION['money']);
header("location: login.php");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Home</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<div class="content">
<!-- notification message -->
<?php if (isset($_SESSION['success'])) : ?>
<div class="error success" >
<h3>
<?php
echo $_SESSION['success'];
unset($_SESSION['success']);
?>
</h3>
</div>
<?php endif ?>
<!-- logged in user information -->
<?php if (isset($_SESSION['username'])) : ?>
<p>Welcome <strong><?php echo $_SESSION['username']; ?></strong></p>
<p> logout </p>
<p> delete </p>
<?php endif ?>
</div>
</body>
</html>
Without knowing what the content of server.php is, I can see a few error. First, your code is vulnerable for SQL Injections. There are several topics about this on SO, rather read that one here.
Starting with your code - $db,$username, $password are undefined. Guessing from the next lines, it has to be $_SESSION['username'] and $_SESSION['password'] instead.
Also, the SQL doesn't look valid to me, but that's one thing I am not sure about - according to my brain it should be
$stmt = $db->prepare('DELETE FROM users WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $_SESSION['username'], $_SESSION['password']); // 's' specifies the variable type => 'string'
$stmt->execute();
Also I hope you don't store passwords in plaintext.
I've reset my database and on registration, we added random salt to hashes, and the registration script worked fine, we could create accounts and accounts with the same password and they had different hashes, but our login script is broken, not logging in users, saying their password is incorrect.
No idea why- we have spent the last 2 hours trying to fix it. We have used PHP error checkers(https://phpcodechecker.com/), nothing was wrong.
We are running an old version PHP(5.6) and MySQL and can't currently change.
<?php
ob_start();
session_start();
require_once 'dbconnect.php';
// it will never let you open index(login) page if session is set
if ( isset($_SESSION['user'])!="" ) {
header("Location: index.php");
exit;
}
$error = false;
if( isset($_POST['btn-login']) ) {
// prevent sql injections/ clear user invalid inputs
$email = trim($_POST['email']);
$email = strip_tags($email);
$email = htmlspecialchars($email);
$name = trim($_POST['name']);
$name = strip_tags($name);
$name = htmlspecialchars($name);
$pass = trim($_POST['pass']);
$pass = strip_tags($pass);
$pass = htmlspecialchars($pass);
// prevent sql injections / clear user invalid inputs
if(empty($name)){
$error = true;
$nameError = "Please enter your username.";
}
if(empty($pass)){
$error = true;
$passError = "Please enter your password.";
}
$res=mysql_query("SELECT userId, userEmail, userPass, userSalt, userSalt2 FROM users WHERE userName='$name'");
$row=mysql_fetch_array($res);
$row['userSalt']=$salt1;
$row['userSalt2']=$salt2;
// if there's no error, continue to login
if (!$error) {
$passwordHash = hash('sha256', $salt1 . $password . $salt2); // password hashing using SHA256
//$res=mysql_query("SELECT userId, userEmail, userPass, userSalt, userSalt2 FROM users WHERE userName='$name'");
//$row=mysql_fetch_array($res);
$count = mysql_num_rows($res); // if email/pass correct it returns must be 1 row
if( $count == 1 && $row['userPass']==$passwordHash ) {
$_SESSION['user'] = $row['userId'];
header("Location: dashboard.php");
} else {
$errMSG = "Incorrect Credentials, Try again...";
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<script src="//code.jquery.com/jquery-1.10.2.js"></script>
<script>
$(function(){
$("#overallhead").load("overall_header.php");
$("#overallfoot").load("overall_footer.html");
});
</script>
<style>
body {
color: Thistle;
}
</style>
<div id="overallhead"></div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Creature Paradise</title>
<link rel="stylesheet" href="assets/css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div class="container">
<div id="login-form">
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">
<div class="col-md-12">
<div class="form-group">
<h2 class="">Login</h2>
</div>
<div class="form-group">
<hr />
</div>
<?php
if ( isset($errMSG) ) {
?>
<div class="form-group">
<div class="alert alert-danger">
<span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
</div>
</div>
<?php
}
?>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span></span>
<input type="name" name="name" class="form-control" placeholder="Your Username" value="<?php echo $name; ?>" maxlength="40" />
</div>
<span class="text-danger"><?php echo $nameError; ?></span>
</div>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
<input type="password" name="pass" class="form-control" placeholder="Your Password" maxlength="15" />
</div>
<span class="text-danger"><?php echo $passError; ?></span>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
<button type="submit" class="btn btn-block btn-primary" name="btn-login">Sign In</button>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
Don't have an account? Sign up here!
</div>
</div>
</form>
</div>
</div>
<div id="overallfoot"></div>
</body>
</html>
<?php ob_end_flush(); ?>
Have you do hashing on registration page, too? Because $row['userPass'] will never equal $passwordHash if you have not registration a new account with new hash applied
Okay, So I have this log in page here all I want it to do is log me in and send me too "index.php". I know my email is correct and the password and everything is good. it all works it just stays on the same page though instead of actually sending me to "index.php". Im new to php and it is probably something stupid but any help would be greatly appreciated. Please and Thank you! :)
<link rel="stylesheet" href="styles.css" />
<?php
session_start();
if(isset($_SESSION['usr_id'])!="") {
header("Location: index.php");
}
include_once 'dbconnect.php';
//check if form is submitted
if (isset($_POST['login'])) {
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email. "' and password = '" . md5($password) . "'");
if ($row = mysqli_fetch_array($result)) {
$_SESSION['usr_id'] = $row['id'];
$_SESSION['usr_name'] = $row['name'];
header("Location: index.php");
$successmsg = "SWEET YOU'RE IN!";
//echo "success";
} else {
$errormsg = "Incorrect Email or Password!!!";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>PHP Login Script</title>
<meta content="width=device-width, initial-scale=1.0" name="viewport" >
<link rel="stylesheet" href="css/bootstrap.min.css" type="text/css" />
</head>
<body>
<div class="container-fluid">
<!-- add header -->
<div class="navbar-header">
</div>
<!-- menu items -->
<div class="collapse navbar-collapse" id="navbar1">
<ul class="navbar">
<li class="active">Login</li>
<li>Sign Up</li>
</ul>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-md-4 col-md-offset-4 well">
<form role="form" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="loginform">
<fieldset>
<legend>Login</legend>
<div class="form-group">
<label for="name">Email</label>
<input type="text" name="email" placeholder="Your Email" required class="form-control" />
</div>
<div class="form-group">
<label for="name">Password</label>
<input type="password" name="password" placeholder="Your Password" required class="form-control" />
</div>
<div class="form-group">
<input type="submit" name="login" value="Login" class="btn btn-primary" />
</div>
</fieldset>
</form>
<span class="text-danger"><?php if (isset($errormsg)) { echo $errormsg; } ?></span>
<span class="text-success"><?php if (isset($successmsg)) { echo $successmsg; } ?></span>
</div>
</div>
</div>
</body>
</html>
Where you have this:
if(isset($_SESSION['usr_id'])!="") {
You want this:
if(isset($_SESSION['usr_id']) && $_SESSION['usr_id'] != "") {
Note that what's in $_SESSION['usr_id'] will be the id column from your database. It's not clear from context if such a column exists, so perhaps double check that there really is a value there before the initial redirect (i.e., just after checking the credentials).
Side note: don't use MD5() to hash passwords. MD5 isn't as secure as you'd want a password hash to be.
I have 2 projects 1 is just for checking username and password if they exist in the database,which has the function password_verify() working , and the other u can sign up and then log in, but in this 1 the function password_verify is always returning false even thought i have the same code written in both but changed the table name i will post the project, so if anyone can help me please.
I did check that it is connecting to the database normally and returning the email result correct but when it comes to comparing hashed pass with the one entered it's always false.
Index.php is the main page and contains only two php lines:
include("signup.php");
include("login.php");
Connection.php
<?php
$server="localhost";
$db_username="myusername";
$db_password="mypassword";
$db="test_db";
$conn=mysqli_connect($server,$db_username,$db_password,$db);
if(!$conn)
die ("Connection Failed: ".mysqli_connect_error());
?>
signup.php
<?php
session_start();
if(isset($_POST['signup']))
{
function validateFormData($formData)
{
$formData=trim(stripcslashes(htmlspecialchars($formData)));
return $formData;
}
$email=validateFormData($_POST['email']);
$password=validateFormData($_POST['password']);
if(!$_POST['email'])
$error.="Please enter an email<br>";
else if(!filter_var($_POST['email'],FILTER_VALIDATE_EMAIL))
{
$error.="Please enter a valid email<br>";
}
if(!$_POST['password'])
$error.="Please enter a password<br>";
else
{
if(strlen($_POST['password'])<8)
$error.="Password must contain at least 8 characters<br>";
if(!preg_match('`[A-Z]`',$_POST['password']))
$error.="Password must contain at least one capital letter<br>";
}
if($error)
{
echo "<div class='alert alert-danger text-center lead'><a class='close red' data-dismiss='alert'>×</a>".$error."</div>";
}
else
{
include('connection.php');
$query="SELECT * FROM `diary` WHERE email='".mysqli_real_escape_string($conn,$email)."'";
$result=mysqli_query($conn,$query);
$results=mysqli_num_rows($result);
if($results)
echo "<div class='alert alert-danger text-center lead'>This email already exists, do you want to log in?<a class='close red' data-dismiss='alert'>×</a></div>";
else
{
$selectUser=mysqli_real_escape_string($conn,$email);
$hashedPass=password_hash($password,PASSWORD_DEFAULT);
$query="INSERT INTO `diary`(`email`, `password`) VALUES ('$selectUser','$hashedPass')";
mysqli_query($conn,$query);
echo "<div class='alert alert-success text-center lead'>You've been signed up!<a class='close green' data-dismiss='alert'>×</a></div>";
$_SESSION['id']=mysqli_insert_id($conn);
}
}
}
?>
login.php
<?php
if(isset($_POST['login']))
{
function validateFormData($formData)
{
$formData=trim(stripcslashes(htmlspecialchars($formData)));
return $formData;
}
$formEmail=validateFormData($_POST['loginEmail']);
$formPass=validateFormData($_POST['loginPassword']);
$newPass=password_hash($formPass,PASSWORD_DEFAULT);
echo $newPass;
include("connection.php");
$query="Select * from diary where email='$formEmail' ";
$result=mysqli_query($conn,$query);
if(mysqli_num_rows($result)>0)
{
while($row=mysqli_fetch_assoc($result))
{
$LogEmail= $row['email'];
$LogPass= $row['password'];
echo "<br>".$LogPass;
}
if(password_verify($newPass,$LogPass))
{
echo "<br>Correct Password";
}
else
echo "<br>Not Correct";
}
}
?>
output of $newPass is :"$2y$10$dw0AtEExMc41p4nUB3W9kOOWTcNZmQev9jM4emNn7oQNODfu6Ld.q"
output of $LogPass is : "$2y$10$biz6Z5nxsMZXNf7p3ebqw.pksPb1VhWEmoan776rMqOC7VcFRQbrK"
Index
<?php
include("signup.php");
include("login.php");
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<title>Secret Diary</title>
<link rel="stylesheet" href="css/Normalize.css">
<link rel="stylesheet" href="bootstrap/css/bootstrap.min.css">
<link rel="stylesheet" href="css/style.css">
<!--[if IE]>
<script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="container">
<form class="form-horizontal emailForm" role="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
<legend><h1 class="text-center">Sign Up</h1></legend>
<div class="form-group">
<label class="control-label col-sm-2" for="email" >Email:</label>
<div class="col-sm-10">
<input type="email" class="form-control" style="width:90%" id="email" placeholder="Enter Email" name="email" value="<?php echo addslashes($_POST['email']);?>">
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-2" for="pwd">Password:</label>
<div class="col-sm-10">
<input type="password" class="form-control" style="width:90%" id="pwd" placeholder="Password" name="password">
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-10">
<button type="submit" class="btn btn-success " id="btnClick" name="signup">Sign Up</button>
</div>
</div>
</form><!--SIGN UP-->
<form class="form-horizontal emailForm" role="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
<legend><h1 class="text-center">Log In</h1></legend>
<div class="form-group">
<label class="control-label col-sm-2" for="LogInEmail" >Email:</label>
<div class="col-sm-10">
<input type="email" class="form-control" style="width:90%" id="LogInEmail" placeholder="Enter Email" name="loginEmail" value="<?php echo addslashes($_POST['loginEmail']);?>">
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-2" for="LogInPassword">Password:</label>
<div class="col-sm-10">
<input type="password" class="form-control" style="width:90%" id="LogInPassword" placeholder="Password" name="loginPassword">
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-10">
<button type="submit" class="btn btn-success " id="btnClick" name="login">Log In</button>
</div>
</div>
</form><!--LOG IN-->
</div>
<script src="js/JQuery.min.js"></script>
<script src="bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
<script src="js/script.js" type="text/javascript"></script>
</body>
</html>
You overwrite your $password when you include your dbconnection.
include('connection.php');
has:
$password="mypassword";
Previously you set:
$password=validateFormData($_POST['password']);
so your hashed password is not the user's password, but your DB password.
I would prefix all DB credentials variables with db_. So your database password variable would then be $db_password. This will allow you to have distinct variables throughout your project (I'd think).
Additionally you should be using $formPass, not $newpass. The $newpass is going to be double hashed at the verify function.
$formEmail=validateFormData($_POST['loginEmail']);
$formPass=validateFormData($_POST['loginPassword']);
$newPass=password_hash($formPass,PASSWORD_DEFAULT);
so change:
if(password_verify($newPass,$LogPass))
to:
if(password_verify($formPass, $LogPass))
password_verify expects the cleartext password as its first argument. To fix your code, remove this line:
$newPass=password_hash($formPass,PASSWORD_DEFAULT);
And change this line:
if(password_verify($newPass,$LogPass))
To the following:
if(password_verify($formPass,$LogPass))