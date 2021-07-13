Don’t forget to edit out your passwords
The reason why it lets you in even if your password and username are incorrect is the following:
if(password_verify($DB_password, $Password)) { // confirming password
echo "The password is correct";
}
$_SESSION['Name']= $Username;
header("location: Admin.php"); // redirect user to the Admin.php web page
Follow that logic through - if the password does not match, ie if the “if” is false then you don’t echo the “password correct” message but it then goes on to assign the $_SESSION[‘Name’] and to redirect to Admin.php anyway.
The next issue is that I think you are using the database as the user password? You should never, ever, do this.
Do you have a registration page where the user creates a username and password?
Do you understand how password_hash and password_verify work? It means you never store the actual password on your database. Google it to make sure you understand how it works.
OMG! I got it completely backwards! I thought I was saying “if the password verifies OK”, then continue with SESSION!
Thank you wake689! No, I’ve never used the pw hash nor verify before. I Googled how to code it and that’s and I thought I understood it but obviously I didn’t! Thank you so much!
This is looking ok so far. What I would do next is check the logic. When using the
password_verify() function, you wouldn’t need to pass in the password in your
WHERE clause. So instead, the query should be
$conn->prepare("SELECT * FROM Admin WHERE Username = :Username");
You would also have to bind the placeholder with the variable. Most people use either
bindValue() or
bindParam(). I prefer using an array and passing it into the
execute() method which does the same thing.
Next, you’d have to check the password the user provided with the fully hashed password from that account using
password_verify() when you’ve selected the user’s account.
Just a little reminder, since you’re using
password_verify(), your passwords you have in the database should be changed immediately or you’re going to scratch your head at why your passwords are failing at the verify level.
password_verify() only tries to verify against algorithms that are within
password_hash(). If you still have password hashed in say MD5 or SHA or something, it’ll fail.
If you’re confused on how to get a hashed password, I’d suggest running a test file where you can just have a 1 liner like
<?php
print password_hash('MyCoolPassword,DontForgetToChangeThisLine', PASSWORD_DEFAULT);
That way, you can then copy the password that’s generated using
password_hash() and paste it over your old plain text or old hashed passwords. Also, each page refresh when doing tests like these generates a new hash. So you won’t get the same hashed passwords every time which is what you want.
There’s more to your code that I am seeing, but I’ll let you catch up for now.
When you next get stuck post what you have got so far.
How are you creating the hashed passwords in the first place?
Rather than use the thirdparty phpcodechecker.com I prefer to use PHP’s built in declare(strict_type=1); and error_reporting(_1); because the code just stops until the errors are cleared. Exact details are displayed where the error occurred.
There is a similar error validation script for MySQL which can be obtained from:
I personally would only pull only the data that you need from the database table that you need:
$sql = "SELECT id, password FROM Admin WHERE username =:username LIMIT 1";
Then prepare the query string:
$stmt = $conn->prepare($sql);
Execute it
$stmt->execute([ 'username' => $username ]);
Fetch the data
$result = $stmt->fetch(PDO::FETCH_ASSOC);
then perform the necessary login steps:
if ($result && password_verify($password, $result['password'])) {
unset($password, $result['password']);
session_regenerate_id(); // prevent session fixation attacks
$last_login = $_SESSION['last_login'] = time();
$id = $_SESSION['id'] = $result['id'];
return true;
}
$error = $_Session['error'] = 'Unable to login in!';
return false;
Once the user is logged in then the rest of the data could simply be pulled in by a simple query.
Obviously the code isn’t tested, but that is how I would go about do it and hope this helps out a little bit?
(This was meant to be a reply to the OP)
@wake689, I’ve never used the hashed password before but I found some good references to follow.
@spaceshiptrooper I got the error message working but I got a new error " Cannot modify header information - headers already sent by -snip-** on line 35". This is what is on line 35
header("location: Admin.php"); // redirect user to the Admin.php web page.
I spent a bit of time researching what that was and I couldn’t see any white spaces and just in case, I made sure there were none. At least is not letting me sign in as before!
<?php
session_start();
if (isset($_POST["Login"])) {
checkLogin($_POST["Name"], $_POST["Password"]);
}
function checkLogin($Username, $Password) {
$servername = "localhost";
$DB_username = "User1";
$DB_password = "password";
$stored_password='$2y$12$JjbjqRYzxFO2L4.rcPdW/OcVCR1KUIDCN6DvsIUDFaR7JxKTSMh/2';
try {
$conn = new PDO("mysql:host=" . $servername . ";dbname=e0912343_Fixtures", $DB_username, $DB_password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$statement = $conn->prepare("SELECT * FROM Admin WHERE Username= :Username");
$result= $statement->execute(array(':Username'=>':Username'));
if ($result){
if(password_verify('User1', $stored_password)) {
echo "<script> alert('The ID or password entered is not valid. Please enter a valid username and password') </script>";
} else {
echo "Welcome to the Admin Page!";
}
$_SESSION['Name']= $Username;
header("location: Admin.php"); // redirect user to the Admin.php web page
}
}
catch(PDOException $e) {
echo "An error occured: " . $e->getMessage();
}
$conn = null;
}
?>
@wake689, can I please clarify a bit more… “Follow that logic through - if the password does not match, ie the “if” is false”… I’m getting a bit confused because I thought that if the pw didn’t match, the else statement would take over but it seems that it works as “false” first?
@Pepster64 thanks for your suggestion. I may take a turn that way if this doesn’t work!
@mabismad thank you for your post. I had to read it carefully, there’s lots of information on it. As I mentioned before, I’m new at this, and learning PHP has been a hard but interesting road. There are too many ways of doing the same thing in my opinion and that makes it easier to get off the rails and get confused. I’ve read many articles and watched many videos in order to work on my project. At college, the motto has been to you give you the basics and let you get both immersed and lost in the wild to learn the language and I’m not so sure it’s the right move but I’m not sure which is! In your view, is there a more systematic approach to learn it?
You have corrected that error in your latest code. This was in reply to the code you posted as
if(password_verify($DB_password, $Password)) { // confirming password
echo "The password is correct";
}
$_SESSION['Name']= $Username;
header("location: Admin.php"); // redirect user to the Admin.php web page
}
else {
echo '<script type="text/javascript">alert("The username or password entered is not valid. Please enter a valid username and password")</script>';
}
where you close the action to be taken if the “if” condition is true after the line
echo '<script type="text/javascript">alert("The username or password entered is not valid. Please enter a valid username and password")</script>';
and then after the closing
} you set the session variable and sent the user off to Admin.php. But you have corrected that in your latest code.
See https://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php
I think you probably shouldn’t be starting the session until the user has successfully logged in - I think having
session_start();
at the top of the page is causing that error message when you try and use
header("location: Admin.php");
I would have thought it would be easier to be taught rather than just told to “Google it”! But I don’t know - I am old enough for coding to have not been taught when I was at school.
I taught myself HTML 25+ years ago, when it was just HTML3 and hand coded my first personal website in a text editor (on the Amiga computer). I then came back to web coding about 2 years ago and have been teaching myself HTML5, CSS, PHP, mySQL and a little (only a little, so far!) javascript. I have used a mixture of books, YouTube, Google, forums. I am no kind of expert at all, but I am earlier enough in my learning curve to remember my early mistakes and misunderstandings.
I have a couple of further points to make about your code.
- Re password_hash. I’m not sure wether you understand that it works as follows:
password_hash() takes a password as input and then encrypts it and outputs the encrypted password which you then store in your database. This cannot be reverse engineered to obtain the password - no-one can take this encrypted password and work out what the password is.
password_verify() then takes two arguments (“inputs” if you like) - one is this encrypted password, from your database, that was created by password_hash (usually when a user registers) (eg
$2y$12$JjbjqRYzxFO2L4.rcPdW/OcVCR1KUIDCN6DvsIUDFaR7JxKTSMh/2
) and the other is the password entered by the user when attempting to log on (eg ‘MyDogFido123’).
password_verify then passes a result of either true or false, depending on whether the encrypted password matches the plain text password.
That’s why I wondered how you are creating the password that is stored in your database table “Admin”.
- My second point is that I think you may be trying to use the database password as the user login password. But no-one else has picked up on this so far so I am beginning to doubt myself a little (but only a little). Are you getting these two sets of passwords/usernames mixed up - the database username/password and the username/password of the person who is trying to login in to your site?
I hope I am explaining things OK here - others will hopefully chime in to say whether this is indeed a mistake that you are making or whether I have got this wrong.
A login script is a quite a complicated thing to start with with PHP. As you have found out!
Alright, it seems too many people are giving you pointers which is probably overwhelming you. And the links being thrown into the mix probably makes it worse. Taking bits of everything all of us are telling you and mixing it which most likely won’t work and further the confusion. This is why I only mentioned the
password_verify() portion of it. Otherwise, I’d give you more information.
So I’m just going to help you fix the header error and let others help you since there’s too many cooks in the kitchen.
To solve the header problem, the reason why it happens is there is output after a
header() function. This includes not just white spaces, but other various things like HTML, CSS, Javascript, etc. This is generally why I use
if-else instead of just
if. To get things started, I’d suggest putting all your data selection and
$_POST related items within an if statement of
$_SERVER['REQUEST_METHOD']. Then everything like your HTML related items in the
else part of the statement.
Here’s a small sample just to get started.
if($_SERVER['REQUEST_METHOD'] == 'POST') {
// Put all of your database and logic stuff here.
} else {
// Put all of your HTML stuff here.
}
@wake689, thanks for the password_hash explanation. I understand that better now! And no, I named the password “DB_password” for the user on purpose, so that I wouldn’t confused it with the actual database password. I thought it was a good idea at the time! This user only has privileges to view, edit and delete data on one table in the database. My question on the “IF” was more so on how to read to sound out the logic properly to follow what it was doing
Is your latest code still this?
<?php
session_start();
if (isset($_POST["Login"])) {
checkLogin($_POST["Name"], $_POST["Password"]);
}
function checkLogin($Username, $Password) {
$servername = "localhost";
$DB_username = "User1";
$DB_password = "password";
$stored_password='$2y$12$JjbjqRYzxFO2L4.rcPdW/OcVCR1KUIDCN6DvsIUDFaR7JxKTSMh/2';
try {
$conn = new PDO("mysql:host=" . $servername . ";dbname=e0912343_Fixtures", $DB_username, $DB_password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$statement = $conn->prepare("SELECT * FROM Admin WHERE Username= :Username");
$result= $statement->execute(array(':Username'=>':Username'));
if ($result){
if(password_verify('User1', $stored_password)) {
echo "<script> alert('The ID or password entered is not valid. Please enter a valid username and password') </script>";
} else {
echo "Welcome to the Admin Page!";
}
$_SESSION['Name']= $Username;
header("location: Admin.php"); // redirect user to the Admin.php web page
}
}
catch(PDOException $e) {
echo "An error occured: " . $e->getMessage();
}
$conn = null;
}
?>
If so, your password checking is
if(password_verify('User1', $stored_password)) {
So
$stored_password is the hashed password. But you are checking this against
User1. As far as I can see you are not checking
$Password which is the password entered by the user?