Login system No errors and no data inserted to the database

Don’t guess. Guessing leads to mistakes.

It’s the right way to do it …

Thanks for that correction

No problem. Now you have to fix your other code from what I can see. A lot of it too.

1 Like

HELLO!! MY LOGIN PAGE DOES NOT EXECUTE. KINDLY ASSIST. I THINK IT’S RIGHT, MAYBE I AM MISSING SOMETHING. THANKS!

CODE

<?php
  ini_set('display_errors', '1');
  ini_set('display_startup_errors', '1');
  error_reporting(E_ALL);

  session_start();
  include_once 'connect/conn.php';
?>

<?php
  if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    $username = $_POST['username'];
    $password = $_POST['password'];
    $message = "";

    $stmt = $dbh->prepare("SELECT username, password FROM users WHERE username=? AND password=? ");

    $stmt->execute(array($username, $password));

    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($stmt->rowCount() > 0 && password_verify($_POST['password'], $password)) {

      header('http://localhost/auth/welcome.php');

    } else {

      $message = "Incorrect username / password combination!";
    }

  }
?>

Your query isn’t going to return anything unless you are storing passwords in plain text in your database. Reading the code further up the thread it seems that you are not doing that, so including the un-encoded password in your query isn’t going to return anything - no rows will match the username and plain-text password from the form. Drop the password from the query completely, and use password_verify() on the results from the query.

I also suspect this line might be causing you a problem:

if($stmt->rowCount() > 0 && password_verify($_POST['password'], $password)) {

Here, you’re calling password_verify with the same variables (as $password is assigned to the $_POST variable a few lines up) where I suspect you really want to be verifying it against the hashed password you retrieved from the database.

If I haven’t guessed the problem correctly, perhaps you could explain in a bit more detail what is not working for you, exactly how it fails to execute.

2 Likes

This piece will never work.

Taking a look at where the $password variable is coming from, it seems to be coming from exactly the same source. I believe password_verify requires the 2nd argument to be a hashed password. The source you are grabbing $password from isn’t hashed.

This will also not work. Like @droopsnoot has said, unless you are storing passwords as plain text, you won’t get the results you want. So remove the password part.

1 Like

Even if you did hash the password to send it as part of the query… don’t. It’s one more potential security hazard for someone to use to crack your system. The fewer number of times you use user-generated information in your queries the better.

2 Likes
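The fix described in the replies above, as an added example that is not code from any poster in the thread: look the row up by username only, then call password_verify() with the submitted password and the hash read from the database. The in-memory SQLite database, the users table layout, the sample account and the makeDemoDb/checkLogin names are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. The table layout, sample account
// and function names are assumptions; an in-memory SQLite database stands in
// for the poster's connect/conn.php so the script runs offline.
declare(strict_types=1);

function makeDemoDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Signup side: only the hash is stored, never the plain-text password.
    $ins = $dbh->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $dbh;
}

function checkLogin(PDO $dbh, string $username, string $password): bool
{
    // Look the user up by username only; the submitted password never goes into the SQL.
    $stmt = $dbh->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches. rowCount() is not portable
    // for SELECT statements across PDO drivers, so it is not used here.
    if ($row === false) {
        return false;
    }
    // First argument: what the user typed. Second: the hash from the database.
    return password_verify($password, $row['password']);
}

$dbh = makeDemoDb();
var_dump(checkLogin($dbh, 'alice', 'correct horse'));  // right password
var_dump(checkLogin($dbh, 'alice', 'wrong'));          // wrong password
var_dump(checkLogin($dbh, 'nobody', 'correct horse')); // unknown user

// In the login page itself, a successful check would be followed by:
//   session_regenerate_id(true);
//   $_SESSION['username'] = $username;
//   header('Location: welcome.php');  // a redirect needs the "Location: " field name
//   exit;
```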

When I put in the correct username and password, it does not take me to the header page welcome.php; it remains on the same page, login.php.

My passwords are hashed…

What are the form’s action and method attribute values?

What is the way forward? I am new to PHP.

For the form’s action I didn’t put anything (" "); the method is “POST”.

That could be your problem. AFAIK, when action is not specified “the same page” is used. Try having it be the PHP file (signup.php)

The code itself is okay??? @Mittineague

I don’t know. What happened when you tried it?

1 Like

It worked FINE meaning the code worked perfectly okay. Just put the action " welcome.php " on both my login.php and signup.php and it took me to the other page.

Thanks!

1 Like

Hope it’s the right way of doing it, since we are new to PHP.

It’s more correctly a right way than the right way. (there’s rarely only one way to do something) But as far as I can tell from what I’ve looked at I’d say it’s fine as long as it isn’t erroring.

One change I would suggest is getting rid of the “exit PHP, new line, enter PHP” bit between the include and if lines.

  include_once 'connect/conn.php'; 
?>

<?php
	if($_SERVER['REQUEST_METHOD'] == 'POST') { 

TBH, I’m surprised that isn’t causing a “headers already sent” error. In any case, it isn’t needed.

1 Like

There’s lots of reasons why it just “sits there”. I am going to take a wild guess and say that you are using XAMPP like most beginners do. Look through your XAMPP installation folder and then apache\logs\error.log. This should give you all the information you need. What I would do is delete everything from that file so that it’s an empty file. Then I would resubmit the data and then once I see the blank page, I would then go into the error.log file and see if there are any errors being logged to that file.