PHP Unable to login because of checking hatched password

min · January 5, 2021, 10:46am

For more context, I’m following this youtube tutorial How To Create A Login System In PHP For Beginners | Procedural MySQLi | PHP Tutorial by Dani Krossing

Hi! I’m building a PHP website where a user/admin can sign-up and log-in, the sign-up form works fine, but once I type the username and the password into the login form and enter, it doesn’t read or find the password, it will echo “Incorrect password”.

The URL redirects to http://localhost:8080/EARIST/login.php?error=wronglogin.

This is the function that runs when the user has filled all the blanks:

function loginUser($conn, $username, $password) {
		$idExists = idExists($conn, $username, $username);
		
		if ($idExists === false) {
			header("location: ../EARIST/login.php?error=nousernameexists");
			exit();
		}
		
		$pwdHashed = $idExists["password"];
		$checkPwd = password_verify($password, $pwdHashed);
		
		if ($checkPwd === false){
			header("location: ../EARIST/login.php?error=wronglogin");
			exit();
		} else if ($checkPwd === true) {
			session_start();
			$_SESSION["id"] = $idExists["id"];
			$_SESSION["username"] = $idExists["username"];
			header("location: ../EARIST/EARIST.php");
			exit();
		}
	}

This is the function that checks the data inside the database:

function idExists($conn, $email, $username) {
		$sql = "SELECT * FROM login WHERE email = ? OR username = ?;";
		$stmt = mysqli_stmt_init($conn);
		if (!mysqli_stmt_prepare($stmt, $sql)) { 
			header("location: ../EARIST/signin.php?error=stmtfailed");
			exit(); 
		}
		
		mysqli_stmt_bind_param($stmt, "ss", $email, $username);
		mysqli_stmt_execute($stmt);
		
		$resultData = mysqli_stmt_get_result($stmt);
		
		if($row = mysqli_fetch_assoc($resultData)) {
			return $row;
		} else {
			$result = false;
			return $result;
		}
		mysqli_stmt_close($stmt);
	}

I know my explanation is very messy and I’m very sorry about that. I hope you can help me to figure it out. I’m new to this forum so I don’t know how to ask properly, I’m sorry and thank you.

m_hutley · January 5, 2021, 11:41am

Well, based on the result you get, it would seem that the password isnt matching.

How are passwords getting put INTO the database?

min · January 5, 2021, 11:57am

Thank you for replying!

This is where it starts: it checks first for empty spaces and then if it all returned NOT false it will go to the createUser function

if (isset($_POST["submit"])) {
	$email = $_POST["email"];
	$username = $_POST["username"];
	$password = $_POST["password"];
	$pwdrepeat = $_POST["pwdrepeat"];
	
	require_once 'dbhandler.php';
	require_once 'functions.php';
	
	if (emptyInputSignup($email,$username,$password,$pwdrepeat) !== false){
		header("location: ../EARIST/signin.php?error=emptyinput");
		exit();
	}
	if (invalidemail($email) !== false){
		header("location: ../EARIST/signin.php?error=invalidemail");
		exit();
	}
	if (invalidUid($username) !== false){
		header("location: ../EARIST/signin.php?error=invaliduid");
		exit();
	}
	if (pwdMatch($password, $pwdrepeat) !== false){
		header("location: ../EARIST/signin.php?error=pwdnotmatch");
		exit();
	}
	if (idExists($conn, $email, $username) !== false){
		header("location: ../EARIST/signin.php?error=usernametaken");
		exit();
	}
	
	createUser($conn, $email, $username, $password);
	
} else {
	header("location: ../EARIST/signin.php");
	exit();
}

This is the code for createUser function

function createUser($conn, $email, $username, $password) {
		$sql = "INSERT INTO login (email, username, password) VALUES (?, ?, ?);";
		$stmt = mysqli_stmt_init($conn);
		if (!mysqli_stmt_prepare($stmt, $sql)) {
			header("location: ../EARIST/signin.php?error=stmtfailed");
			exit();
		}
		
		$hashedPwd = password_hash($password, PASSWORD_DEFAULT);
		
		mysqli_stmt_bind_param($stmt, "sss", $email, $username, $hashedPwd);
		mysqli_stmt_execute($stmt);
		mysqli_stmt_close($stmt);
		
		header("location: ../EARIST/signin.php?error=none");
		exit();
	}

droopsnoot · January 5, 2021, 12:10pm

Is it correct that you call idExists() from loginUser() with $username twice, rather than passing the email as the definition suggests?

Is your password column long enough to store the hashed password?

Are the values you expect returned in the $idExists[] array?

min · January 5, 2021, 12:51pm

Yes, according to the tutorial, the reason is that I’m asking for either username OR email to when the user input either of the two so when it returns it will automatically fit into one of those two that I ask in the sql statement:

$sql = "SELECT * FROM login WHERE email = ? OR username = ?;";

My password column is set to varchar(25)…is that enough or should it be higher?

Yes, it is supposed to be an array.

droopsnoot · January 5, 2021, 12:55pm

No, I don’t think that’s anywhere near enough for a hashed password. You could always var_dump() the hash before you store it, to check. If it’s too short, the hash will be truncated.

ETA: If you check the doc, it recommends at least 60 characters, but 255 would be better for the default option you are using. PHP: password_hash - Manual

min · January 5, 2021, 12:55pm

OMG Thank you! I found the problem already! I should have set the length value higher! Thank you!

min · January 5, 2021, 12:56pm

Thank you! I have found the problem, It seems like I set the password length of the database too short.

benanamen · January 5, 2021, 5:14pm

OP, keep in mind, despite all the rave comments on the video, there are numerous poor, less than optimal coding practices being taught.