I am using Wamp. But let me do it…
My comments above still stand - if you store hashed passwords in the database, then your query (which includes a non-hashed password as part of the query conditions) will never return any data. Even if it did, you’re calling password_verify() on the same two variables, not on the information you got back from the query. Neither of those are errors as-such, so would they appear in the error log? I haven’t checked, I must admit. The first is not an error because the query just didn’t return any matching rows, and the second isn’t because the two variables won’t give a match. Not the results you want, but not specifically an error, like trying to open a file that doesn’t exist, or accessing something without the correct permissions.
First step - change the query to not include the password in the conditions. Second step, change the password_verify() line to use the data you retrieved from the query.
Okay, let me do that, thanks.
@spaceshiptrooper There are no errors being logged to the file error.log. I have tried to submit it thrice and still no errors.
Check your php.ini file. It should be in the php folder. Make sure that error logging is enabled and that it’s sending it to a file.
Have you fixed the query now?
log_errors
; Default Value: on
; Development Value: On
; Production Value: On
@spaceshiptrooper It’s on, or have I gone to the wrong folder location???
I have tried this, but the catch is… any name and password is able to go to the other page “header(‘http://localhost/auth/index.php’);”
I don’t know where the problem is now??? Kindly assist.
Here is the code after fixing it:
<?php
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
session_start();
include_once 'connect/conn.php';
?>
<?php
if($_SERVER['REQUEST_METHOD'] == 'POST'){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $message = "";
    $stmt = $dbh->prepare("SELECT username FROM users WHERE username = ? ");
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if(password_verify($_POST['password'], $hash)) {
        header('http://localhost/auth/index.php');
    } else {
        $message = "Incorrect username / password combination!";
    }
}
?>
Isn’t it header('location: http://localhost/auth/index.php')?
Show 10 lines from top of log_errors and 10 lines from bottom of ; Production Value: On.
Yes it is, I forgot to put it, sorry for that…
@spaceshiptrooper I do not get you there…
Yes, but that’s because you’ve also removed the password check, and don’t check whether any rows in the database actually match the username you passed in. I only suggested you remove the password check condition from the query because it would never match, and was resulting in no results from the query.
First, add the password column back into the results that your query returns - not the conditions, just the results. Right now, you only retrieve the username, so you have no chance of verifying a password. Get the password as well. You should also check whether the query returns any rows at all - if not, then the username did not match.
Once you have the password coming back out of the database (so change the query, add some debugging echo statements to see that it is working, and only then) you can move on to fixing the password verification. If you look at the code, you call password_verify(), but where does your $hash variable come from? This needs to be the hashed password you retrieved from the database, yet it actually seems to not be defined anywhere. I’m puzzled as to why that gives a false positive, but you can’t expect it to work with an undefined variable in there.
Pseudo-code:
get username and password from form
run query to retrieve password from database for the supplied username
Any rows returned?
  Yes: {
    Verify the password from the form with the password from the database
    Does it match?
      Yes: Header redirect to members page
  }
Error message, redraw login, your choice
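The steps in the pseudo-code above written out as PHP, added here as an example and not code posted by anyone in the thread. It assumes the users table has a password column holding a password_hash() value, and it uses a constructed in-memory SQLite database (needs the pdo_sqlite extension) so it runs on its own; check_login() is a hypothetical helper name.

```php
<?php
// Added example: assumes a `users` table with `username` and `password` (hash) columns.
declare(strict_types=1);

function check_login(PDO $dbh, string $username, string $password): bool
{
    // Select by username only; the hash is a result column, never a WHERE condition.
    $stmt = $dbh->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No row: the username does not exist, so there is nothing to verify.
    if ($row === false) {
        return false;
    }
    // Compare the form password with the hash that came back from the database.
    return password_verify($password, $row['password']);
}

// Constructed demo data in an in-memory SQLite database.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$dbh->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],   // right user, right password
    ['alice', 'wrong'],           // right user, wrong password
    ['nobody', 'correct horse'],  // unknown user: query returns no rows
];
foreach ($attempts as [$user, $pass]) {
    if (check_login($dbh, $user, $pass)) {
        // In the login page this branch would instead do:
        //   session_regenerate_id(true);
        //   header('Location: http://localhost/auth/index.php'); exit;
        echo "$user: login ok\n";
    } else {
        // Same message for unknown user and wrong password.
        echo "$user: Incorrect username / password combination!\n";
    }
}
```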
I’m trying to tell you to show more lines from top to bottom so I can see what’s really going on. Right now, it makes no sense. log_errors would probably break Apache if it was left opened like that and all of those lines after it are all commented out. That’s why I need to see more lines to determine what you have.
There are two error logs as I can see…
I don’t know which is which??
Open up the php_error.log file and post the last 3 lines in this topic.
It’s blank
Then go back into php.ini and post what I said before.
I have done that already as said…