PHP login script not working

Hello Guys!

I am new to PHP coding. I watched a tutorial and I started to write a login script in PHP. I think I’ve done everything right but obviously not because something’s not right. When I try to log in, it says password or username is invalid, even though it is! I’m gonna post the code below, I hope you can help me.

bejelentkezes.php is the login data process file btw.

index.php


<!DOCTYPE html>
<html lang="hu">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="Content-Language" content="hu">

    <title>Tartalomkezelő</title>
    <link rel="stylesheet" href="/css/bootstrap.css">
  </head>
  <body>
    <div class="container">
      <h2>Bejelentkezés az admin menübe</h2>
      <form class="" action="bejelentkezes.php" method="post">
        <div class="form-group">
          <label for="username">Admin</label>
          <input type="text" name="username" id="username" class="form-control">
        </div>

        <div class="form-group">
          <label for="password">Jelszó</label>
          <input type="password" name="password" id="password" class="form-control">
        </div>

        <div class="form-group">
          <input type="submit" class="btn btn-primary" value="Bejelentkezés">
        </div>
      </form>
    </div>
  </body>
</html>


bejelentkezes.php

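<?php
require_once("config.php");
require_once("functions.php");

// Fall back to empty strings so a request without form data fails the check below
$username = $_POST["username"] ?? "";
$password = $_POST["password"] ?? "";

$user = findUser($username);

// More than one row for the same username means the table is inconsistent
if (count($user) > 1) {
    exit("Ez a felhasznalo mar letezik!");
}

// password_verify() expects the stored value to be a hash made by password_hash()
if (count($user) === 0 || !password_verify($password, $user[0]["password"])) {
    exit("Helytelen felhasznalonev vagy jelszo!");
}

$user = $user[0];

if (loginUser($user)) {
    echo "Bejelentkezes sikeres!";
} else {
    echo "Bejelentkezes sikertelen!";
}
?>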



functions.php


<?php
// Look up all rows for a username with a prepared statement
function findUser($username) {
    $connectionString = "mysql:dbname=" . DATABASE_NAME . ";host=localhost";

    $pdo = new PDO($connectionString, DATABASE_USERNAME, DATABASE_PASSWORD);

    $sql = "SELECT * FROM users WHERE username = :username";

    $statement = $pdo->prepare($sql);

    $executed = $statement->execute([
        ":username" => $username
    ]);

    // Print the driver error and stop if the query failed
    if (!$executed) {
        print_r($statement->errorInfo());
        exit("Hiba tortent!");
    }

    $result = $statement->fetchAll();
    return $result;
}

// Store the user's id and name in the session
function loginUser($user) {
    startSession();

    $_SESSION["id"] = $user["id"];
    $_SESSION["username"] = $user["username"];

    return $_SESSION["username"] && $_SESSION["id"];
}

// Start a session only if none is active yet
function startSession() {
    if (session_status() == PHP_SESSION_NONE) {
        session_start();
    }
}
?>

and the: config.php



<?php
define("DATABASE_NAME", "teszt89");
define("DATABASE_USERNAME", "root");
define("DATABASE_PASSWORD", "");

 ?>

The SQL table looks like this:



CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(100) NOT NULL DEFAULT '',
  `password` varchar(255) NOT NULL DEFAULT '',
  `keresztnev` varchar(100) NOT NULL DEFAULT '',
  `vezeteknev` varchar(100) NOT NULL DEFAULT '',

  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;



INSERT INTO `users` (`id`, `username`, `password`, `keresztnev`, `vezeteknev`) VALUES
('1', 'admin', 'password', 'Mate', 'Komlosi');





When you create the new user record in your table, do you call password_hash to encrypt it, and just not show it here? It looks like you’ve stored the plain-text password in the database, but then compare what the user typed in using password_verify(), which requires a hashed password.

No. The tutorial mentioned it but it was not too specific about it. If it’s not too much to ask, can you show me how it is done? :slight_smile:

On the sign up script you would typically hash the password and store the hashed version in the database, it’s much more secure that way.

$hashed = password_hash($_POST['password'], PASSWORD_DEFAULT);

Then $hashed is the value you insert into the database, and subsequently check during log-in via the password_verify() function.


I see, thanks! Can you show me how it would look in the code I posted above? Sorry, I am a beginner :confused:

This would be a change to the sign-up script, not the log-in script you posted.
The log-in is already checking for a hashed password, which it should be.
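
Added example, not part of the original thread: how the sign-up side and the posted log-in check fit together. `createUser()` and `checkLogin()` are hypothetical helper names, and an in-memory SQLite database stands in for the MySQL `users` table so the script runs on its own.

```php
<?php
// Added example: createUser() and checkLogin() are hypothetical helpers, not code from the thread.
// Assumption: SQLite in memory replaces the MySQL `users` table so this runs offline.
$pdo = new PDO("sqlite::memory:");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(100) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)");

// Sign-up side: hash the password once and store only the hash.
function createUser(PDO $pdo, string $username, string $plainPassword): void {
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $statement = $pdo->prepare(
        "INSERT INTO users (username, password) VALUES (:username, :password)"
    );
    $statement->execute([":username" => $username, ":password" => $hash]);
}

// Log-in side: the same password_verify() check that bejelentkezes.php performs.
function checkLogin(PDO $pdo, string $username, string $plainPassword): bool {
    $statement = $pdo->prepare("SELECT password FROM users WHERE username = :username");
    $statement->execute([":username" => $username]);
    $stored = $statement->fetchColumn();
    // fetchColumn() returns false when no row matches the username
    return $stored !== false && password_verify($plainPassword, $stored);
}

// The row as inserted in the original post: the column holds the plain text itself.
// password_verify() rejects it because the stored value is not a password_hash() result.
$pdo->exec("INSERT INTO users (username, password) VALUES ('admin', 'password')");
var_dump(checkLogin($pdo, "admin", "password"));

// Overwrite the existing row with a real hash; the same log-in check now accepts it.
$update = $pdo->prepare("UPDATE users SET password = :password WHERE username = 'admin'");
$update->execute([":password" => password_hash("password", PASSWORD_DEFAULT)]);
var_dump(checkLogin($pdo, "admin", "password"));

// New accounts go through createUser(); the sample credentials are constructed.
createUser($pdo, "editor", "constructed-sample-pw");
var_dump(checkLogin($pdo, "editor", "constructed-sample-pw"));
var_dump(checkLogin($pdo, "editor", "wrong-guess"));
```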

Okay, so if I generate a hash code with this and I copy it into the users table ‘password’ section instead of a plain-text password then it should be working?

No, no, no!

Don’t use MD5, that’s old and not too secure.

Use the password_hash() function, like I showed above.
http://php.net/manual/en/function.password-hash.php


Okay, thanks for the help! :wink: It’s working now.
