I have a login form and it works fine when users enter the correct username and password but nothing happens when the wrong information is entered. How would I get an error message to appear. I have "Login failed" as shown below but this doesnt work for some reason. Any help much appreciated.
<?php
require("config.php");
$submitted_username = '';
if(!empty($_POST)){
$query = "SELECT
id,
username,
password,
salt,
email
FROM users
WHERE
username = :username";
$query_params = array(
':username' => $_POST['username']
);
try{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex){ die("Failed to run query: " . $ex->getMessage()); }
$login_ok = false;
$row = $stmt->fetch();
if($row){
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++){
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']){
$login_ok = true;
}
}
if($login_ok){
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: secret.php");
die("Redirecting to: secret.php");
}
else{
print("Login Failed.");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
?>
Related
I Have login page that i would like to add log file to it, meaning when user logs in it inserts user details to the database.
the first code is my working page
the second code is the statement that I want to insert in my code, but anywhere i add that code my page stops working or no data is passed to database
I would appreciate any help, thank you in advance.
<?php //http://bootsnipp.com/snippets/56A0W - shource code for login page.
require("includes/config/config.php");
$submitted_username = '';
if(!empty($_POST)){
$query = "SELECT id, username, password, salt, email FROM susers WHERE username = :username";
$query_params = array(':username' => $_POST['username']);
try{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex){ die("Failed to run query: " . $ex->getMessage()); }
$login_ok = false;
$row = $stmt->fetch();
if($row){
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++){
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']){
$login_ok = true;
}
}
if($login_ok)
{
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header ("Location: includes/Sales/".$_POST["username"]."/".$_POST["username"].".php");
die("Redirecting to: sales.php");
}
else {$err[]='Wrong username and/or password!'; //1
header("Location: sales.php"); //2
} if($err) //3
$_SESSION['msg']['login-err'] = implode('<br />',$err); // 1 and 2 and 3 http://tutorialzine.com/2009/10/cool-login-system-php-jquery/ - source code for Error message
exit;
} ?>
second code
$query = "INSERT INTO suserlog (username) VALUES ( :username)";
I believe the code should go somewhere in
if($login_ok)
figured it out, thanks
<?php
require("includes/config/config.php");
$submitted_username = '';
if(!empty($_POST)){
$query = "SELECT id, username, password, salt, email FROM susers WHERE username = :username;";
$query .= "INSERT INTO suserlog (username) VALUES ( :username)";
Can anyone tell me where I am going wrong with this? Every time it returns with 'login failed' and won't let me pass to the next screen. I'm starting to tare my hair out!!
if(!empty($_POST)) {
$query = "SELECT id, username, password, salt FROM User WHERE username = ?";
$sql = $db->prepare($query);
$sql->bind_param('s', $user);
$user = $_POST['username'];
$sql->execute();
if(!$row = $sql->affected_rows) {
print('There was an error running the query [' . $db->error . ']' . gettype($user));
}
$login_ok = false;
if($row) {
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']) {
$login_ok = true;
}
}
if($login_ok) {
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: home.php");
die("Redirecting to: home.php");
} else {
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
print("Login Failed. " . $submitted_username);
}
}
Update after Comments and Barmars answer
include '../private/conn.php';
$submitted_username = '';
if(!empty($_POST)) {
$query = "SELECT id, username, password, salt FROM User WHERE username = ?";
$sql = $db->prepare($query);
$sql->bind_param('s', $user);
$user = $_POST['username'];
$sql->execute();
$login_ok = false;
$sql->bind_result($id, $username, $password, $salt);
if ($sql->fetch()) {
$check_password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $salt);
}
if($check_password === $password) {
$login_ok = true;
}
}
if($login_ok) {
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: home.php");
die("Redirecting to: home.php");
} else {
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
print("Login Failed. " . $submitted_username);
}
}
You're never calling $sql->fetch() to get the row. You're setting $row to $sql->affected_rows, which returns a number, then you're trying to use it as an associative array. If you had warnings enabled, you would have seen notices about this error.
WHen using a prepared statement, you need to use bind_result to get the results into variables, and then call fetch() to fetch a row.
$sql->bind_result($id, $username, $password, $salt);
if ($sql->fetch()) {
$check_password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $salt);
}
if($check_password === $password) {
$login_ok = true;
}
}
I'm trying to create a php to change a users password but my php keeps getting hung up on something. I have my code successfully check to ensure you entered the old password correctly, which works fine, however now when I try to update the password with the new password the page changes to a blank screen.
<?php
require("common.php");
if(empty($_SESSION['email']))
{
header("Location: main.php");
die("Redirecting to Frontpage");
}
$fname = $_SESSION['fname']['fname'];
$lname = $_SESSION['lname']['lname'];
$email = $_SESSION['email']['email'];
$queryPost = "SELECT * FROM db WHERE email = :email";
$stmt = $db->prepare($queryPost);
$stmt->bindValue(':email', $email);
$stmt->execute();
$row = $stmt->fetch();
$pass_correct = false;
if($row)
{
$check_password = hash('sha256', $_POST['oldpass'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['pass'])
{
$pass_correct = true;
}
else
{
header("refresh:2; url=accountsettings.php");
die("Old Password incorrect....turning around");
}
}
if($pass_correct)
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['newpass'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query = "UPDATE db SET pass=':pass', salt=':salt' WHERE email = :email";
$query_params = array(':pass' => $password, ':salt' => $salt);
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
header("refresh:2; url=accountsettings.php");
die("Password changed....turning around");
}
?>
I feel its getting caught up at the if($pass_correct) statement
I am creating a website for a university assignment and i have run into a snag while writing some PHP for email address and password change and this error has come up and i can't for the life of me figure out what the issue is.
Error code:
Failed to run query3: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = chris' at line 1
<?php
// First we execute our common code to connection to the database and start the session
require("common.php");
// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");
// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}
$username = $_SESSION['user']['username'];
if(!empty($_POST))
{
//check for valid email
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
$emailInvalid = true;
$emailInvalidAmmount = 1;
goto here;
}
//Check if the new E-mail matches existing E-mail address, if it does no action is needed
if($_POST['email'] !=$_SESSION['user']['email'])
{
$query = "SELECT 1 FROM users WHERE email = :email";
$query_params = array (':email' => $_POST['email']);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query1: " . $ex->getMessage());
}
//retrieve results and check if new E-mail address exists in the database
$row = $stmt->fetch();
if($row)
{
$emailExists = true;
$emailExistsAmmount = 1;
}
}
$query ="SELECT password, salt FROM users WHERE username = :username";
$query_params = array(':username' => $username);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query2: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
$check_password = hash('sha256', $_POST['currentPassword'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password == $row['password'])
{
$password_ok = true;
}
if($password_ok = true)
{
$newPassword = $_POST['newPassword'];
$confirmPassword = $_POST['confirmPassword'];
if($newPassword == $confirmPassword)
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_newPassword . $salt);
for($round = 0; $round <65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query ="INSERT INTO users (password, salt) VALUES (:password, :salt)";
$query .= "WHERE username = $username";
$query_params = array(':password' => $password, ':salt' => $salt);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query3: " . $ex->getMessage());
}
}
$passwordChanged = true;
}
}
}
?>
Any help would be much appreciated. Thanks
Since this is for an assignment, I'll be vague. Make sure you're properly parameterizing all of the variables you're including in all of your queries.
I have this hashing of password with my php code. I want to redirect users to edit_password.php if they are new users. I made them a default account with their username and the default password is admin. the password is my basis to redirect. But I am confused on how to make it with my code, kindly check my code, thanks.
Here's my code:
<?php
require("common.php");
$submitted_username = '';
if(!empty($_POST))
{
$query = "
SELECT
id,
username,
password,
salt,
email
FROM users
WHERE
username = :username
";
$query_params = array(
':username' => $_POST['username']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$login_ok = false;
$row = $stmt->fetch();
if($row)
{
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']) // <---- i want to insert some code here like if($check_password === $row['password'] || 'admin') to redirect new users. but i dont know how to.
{
$login_ok = true;
}
if($login_ok)
{
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: index.php");
die("Redirecting to: index.php");
}
else
{
echo("<font color=red>Login Failed.</font>");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
}
?>
Thanks in advance.
if($login_ok)
{
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
if($_POST['password'] === "admin")
{
header("");
}
else
{
header("Location: index.php");
die("Redirecting to: index.php");
}
}
A simple condition check once you have verified the user should do the trick.