Matching password to username using PHP and TSQL

I am trying to match password to username, and my site is telling me incorrect password…

<?php
# password login
if (isset($_POST["passwordinput"])) {
    $password = $_POST["passwordinput"];
    $password = trim($password);
    if (empty($password)) {
        echo "Please enter your Password";
        return false;
    }
    $tsql = "SELECT password FROM idbtable WHERE username = '$username'";
    $stmt = sqlsrv_query($conn, $tsql);
    $pwmatch = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    $pwmatch = $pwmatch['password'];
    if ($pwmatch == $password) {
        echo "You Are Loggin In";
    }
}

?>

First off, you should NEVER store plaintext passwords.

Where does $username magically come from?

You need to use Prepared Statements. Never put variables in your query.

3 Likes

$username stores the user’s username from another form, but I made sure that it carries into this code block.

Nothing in your posted code says anything about “Incorrect password” - where is that section? What is in $password and $pwmatch, when you display them for debugging purposes?

$password is from a form input, and $pwmatch stores the array for fetching results. Where I think my mistake is, is the sql statement I am using - does anything look wrong there? I think everything else is working and I can’t pull [‘password’] from the array.

I’m not familiar with sqlsrv as I use PDO, but I think using fetch array and fetch assoc would seem unnecessary here, as you only want a single column from a single row.
If you var_dump($pwmatch) you will get an idea of the structure of the array and can then work out how to access the part you need.

Working or not, I’m afraid there is quite a bit wrong with what you are doing here, @benanamen mentions a few of the issues.

1 Like

It does, but on the next line you overwrite it with a single column from the result. What is in the array, when you display it before you overwrite it?

What is in $stmt? If it’s false, that means your query didn’t execute, otherwise it did. That doesn’t mean it found any results, just that it executed without error. What happens if you execute the same query directly in SQL Server Management?

1 Like

Thanks for all the help. I found that my code was right and that the $username variable had no value in it, so nothing could happen. I use a cookie to keep the variable $username instantiated and everything works!

It’s very easy to create a cookie. So if a username in a cookie is all that’s needed to have me logged in to your site that’s way too insecure. You should be using proper sessions instead.

On top of everything else that was already said above.

1 Like

Please don’t ignore the comment above about not storing passwords in plain text, and about using prepared statements. If this is new code, it’s best to start it off using good practice before you’ve got a mountain of code and changing it is too much work.

2 Likes
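The three suggestions made in this thread (parameterized query, hashed passwords, server-side session), combined in one sketch. This is an added example, not code from any poster. It assumes `$conn` is an open sqlsrv connection, that `idbtable.password` now holds `password_hash()` output, and that the username arrives in a hypothetical `usernameinput` form field.

```php
<?php
// Added example, not code from the thread. Assumptions: $conn is an open
// sqlsrv connection; idbtable.password stores password_hash() output;
// the "usernameinput" form field is hypothetical.

function find_password_hash($conn, string $username): ?string
{
    // The ? placeholder keeps $username out of the SQL text entirely.
    $tsql = "SELECT password FROM idbtable WHERE username = ?";
    $stmt = sqlsrv_query($conn, $tsql, [$username]);
    if ($stmt === false) {
        // false means the query did not execute; log it, show the user nothing.
        error_log(print_r(sqlsrv_errors(), true));
        return null;
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    // A non-array result means no row matched the username.
    return is_array($row) ? (string) $row['password'] : null;
}

function login($conn, string $username, string $password): bool
{
    $hash  = find_password_hash($conn, $username);
    $known = $hash !== null;
    // Verify against a throwaway hash for unknown users so both paths
    // do comparable work.
    $hash ??= password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // Identity is kept server-side in the session, not in a cookie the
    // client can edit.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

session_start();
// Accept only string fields; anything else is treated as empty.
$field    = fn(string $k): string => is_string($_POST[$k] ?? null) ? $_POST[$k] : '';
$username = trim($field('usernameinput'));
$password = $field('passwordinput');
if ($username === '' || $password === '') {
    echo "Please enter your username and password";
} elseif (login($conn, $username, $password)) {
    echo "You are logged in";
} else {
    echo "Incorrect username or password";
}
```

Existing plaintext rows have to be replaced with `password_hash($password, PASSWORD_DEFAULT)` output (for example at registration or password reset) before `password_verify()` can match them.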

Yes, working and right are not the same thing.

Let's do a bet:

Next time he is posting something in the forum is when he gets hacked 🙂

Hopefully the OP will take the suggestions on board.