PHP Unable to login because of checking hashed password

For more context, I’m following this YouTube tutorial: How To Create A Login System In PHP For Beginners | Procedural MySQLi | PHP Tutorial by Dani Krossing

Hi! I’m building a PHP website where a user/admin can sign-up and log-in, the sign-up form works fine, but once I type the username and the password into the login form and enter, it doesn’t read or find the password, it will echo “Incorrect password”.

The URL redirects to http://localhost:8080/EARIST/login.php?error=wronglogin.

This is the function that runs when the user has filled all the blanks:

function loginUser($conn, $username, $password) {
		$idExists = idExists($conn, $username, $username);
		
		if ($idExists === false) {
			header("location: ../EARIST/login.php?error=nousernameexists");
			exit();
		}
		
		$pwdHashed = $idExists["password"];
		$checkPwd = password_verify($password, $pwdHashed);
		
		if ($checkPwd === false){
			header("location: ../EARIST/login.php?error=wronglogin");
			exit();
		} else if ($checkPwd === true) {
			session_start();
			$_SESSION["id"] = $idExists["id"];
			$_SESSION["username"] = $idExists["username"];
			header("location: ../EARIST/EARIST.php");
			exit();
		}
	}

This is the function that checks the data inside the database:

function idExists($conn, $email, $username) {
		$sql = "SELECT * FROM login WHERE email = ? OR username = ?;";
		$stmt = mysqli_stmt_init($conn);
		if (!mysqli_stmt_prepare($stmt, $sql)) { 
			header("location: ../EARIST/signin.php?error=stmtfailed");
			exit(); 
		}
		
		mysqli_stmt_bind_param($stmt, "ss", $email, $username);
		mysqli_stmt_execute($stmt);
		
		$resultData = mysqli_stmt_get_result($stmt);
		
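		// Fetch the matching row (null when nothing matched), then close the
		// statement before returning; the original close call was unreachable.
		$row = mysqli_fetch_assoc($resultData);
		mysqli_stmt_close($stmt);
		
		return $row ? $row : false;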
	}

I know my explanation is very messy and I’m very sorry about that. I hope you can help me to figure it out. I’m new to this forum so I don’t know how to ask properly, I’m sorry and thank you.

Well, based on the result you get, it would seem that the password isn't matching.

How are passwords getting put INTO the database?

Thank you for replying!

This is where it starts: it checks first for empty spaces and then if it all returned NOT false it will go to the createUser function

if (isset($_POST["submit"])) {
	$email = $_POST["email"];
	$username = $_POST["username"];
	$password = $_POST["password"];
	$pwdrepeat = $_POST["pwdrepeat"];
	
	require_once 'dbhandler.php';
	require_once 'functions.php';
	
	if (emptyInputSignup($email,$username,$password,$pwdrepeat) !== false){
		header("location: ../EARIST/signin.php?error=emptyinput");
		exit();
	}
	if (invalidemail($email) !== false){
		header("location: ../EARIST/signin.php?error=invalidemail");
		exit();
	}
	if (invalidUid($username) !== false){
		header("location: ../EARIST/signin.php?error=invaliduid");
		exit();
	}
	if (pwdMatch($password, $pwdrepeat) !== false){
		header("location: ../EARIST/signin.php?error=pwdnotmatch");
		exit();
	}
	if (idExists($conn, $email, $username) !== false){
		header("location: ../EARIST/signin.php?error=usernametaken");
		exit();
	}
	
	createUser($conn, $email, $username, $password);
	
} else {
	header("location: ../EARIST/signin.php");
	exit();
}

This is the code for createUser function

function createUser($conn, $email, $username, $password) {
		$sql = "INSERT INTO login (email, username, password) VALUES (?, ?, ?);";
		$stmt = mysqli_stmt_init($conn);
		if (!mysqli_stmt_prepare($stmt, $sql)) {
			header("location: ../EARIST/signin.php?error=stmtfailed");
			exit();
		}
		
		$hashedPwd = password_hash($password, PASSWORD_DEFAULT);
		
		mysqli_stmt_bind_param($stmt, "sss", $email, $username, $hashedPwd);
		mysqli_stmt_execute($stmt);
		mysqli_stmt_close($stmt);
		
		header("location: ../EARIST/signin.php?error=none");
		exit();
	}

Is it correct that you call idExists() from loginUser() with $username twice, rather than passing the email as the definition suggests?

Is your password column long enough to store the hashed password?

Are the values you expect returned in the $idExists[] array?

Yes, according to the tutorial, the reason is that I’m asking for either username OR email, so when the user inputs either of the two, it will automatically fit into one of those two that I ask for in the SQL statement:

$sql = "SELECT * FROM login WHERE email = ? OR username = ?;";

My password column is set to varchar(25)…is that enough or should it be higher?

Yes, it is supposed to be an array.

No, I don’t think that’s anywhere near enough for a hashed password. You could always var_dump() the hash before you store it, to check. If it’s too short, the hash will be truncated.

ETA: If you check the doc, it recommends at least 60 characters, but 255 would be better for the default option you are using. PHP: password_hash - Manual
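
Added example (not part of the original post or the tutorial's code): the failure diagnosed above, reproduced without a database. `storeInColumn()` and `looksLikeCompleteHash()` are hypothetical helpers and the sample password is constructed; the `substr()` call stands in for a MySQL column in non-strict mode silently cutting an over-long value.

```php
<?php
// Added example with constructed values; not code from the thread or tutorial.

// Stand-in for a VARCHAR($width) column in non-strict SQL mode: a value
// longer than the column is silently cut to the column width on INSERT.
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// True if PHP still recognises $stored as a password_hash() result.
// password_get_info() reports an empty 'algo' (null, or 0 on older PHP)
// for strings it cannot identify, which includes a truncated bcrypt hash.
function looksLikeCompleteHash(string $stored): bool
{
    $info = password_get_info($stored);
    return !empty($info['algo']);
}

$password = 'correct horse battery staple';   // constructed sample password
$hash     = password_hash($password, PASSWORD_DEFAULT);

// 25 is the column width from the thread; 60 and 255 are the sizes the
// password_hash manual page mentions.
foreach ([25, 60, 255] as $width) {
    $stored = storeInColumn($hash, $width);
    printf(
        "VARCHAR(%3d): stored %2d of %d chars, recognised=%s, verify=%s\n",
        $width,
        strlen($stored),
        strlen($hash),
        var_export(looksLikeCompleteHash($stored), true),
        var_export(password_verify($password, $stored), true)
    );
}

// Schema fix for the table and column named in the thread (MySQL syntax,
// assumed because the code uses mysqli):
//   ALTER TABLE login MODIFY password VARCHAR(255);
// Rows written while the column was too short hold unusable hashes, so
// those accounts need their passwords set again after the column is widened.
```

Running the same `looksLikeCompleteHash()` check over the values already in the `password` column shows which existing rows were stored truncated.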


OMG Thank you! I found the problem already! I should have set the length value higher! Thank you!

Thank you! I have found the problem, it seems like I set the password length of the database too short.

OP, keep in mind, despite all the rave comments on the video, there are numerous poor, less than optimal coding practices being taught.
