Login Verification

[php]include('Connection.php');
$conn1 = new Connection();
$conn = $conn1->connection();
$username = isset($_POST['username']);
$pass = isset($_POST['pass']);
usernameCheck($username);
function usernameCheck($username) {
    global $conn;
    $stmt = $conn->prepare("SELECT pass FROM users1 WHERE username=:username");
    $stmt->bindParam(':username', $username);
    $stmt->execute();
    $result = $stmt->fetch(PDO::FETCH_ASSOC);
    $hashpass = $stmt->fetchColumn(1);
    global $pass;
    if (password_verify($pass, $hashpass)) {
        echo "Valid User";
    }
    else {
        echo "Not Valid User";
    }
}[/php]

Not understanding how I can verify the password for the corresponding entered username. I have used password_hash to encrypt the password with cost and random salt. Please help me find out where I am going wrong.

Well, I reworked your script and did the best that I could. I can't guarantee that it will work, but it should be close if it doesn't. I commented the script pretty thoroughly and if I have any glaring errors it is because I'm not feeling so hot. :frowning: ;D

Here’s the rework:
[php]<?php
include('Connection.php');
/* Your connection string didn't look right, so I changed it a little bit. */
/* I also would put this in the include('Connection.php'); file */
$db_options = array(
    /* important! use actual prepared statements (default: emulate prepared statements) */
    PDO::ATTR_EMULATE_PREPARES => false
    /* throw exceptions on errors (default: stay silent) */
    , PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
    /* fetch associative arrays (default: mixed arrays) */
    , PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
);

$conn = new PDO('mysql:host=localhost;dbname=demo_login_system;charset=utf8', 'root', 'your_password', $db_options);

$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
/* Do not sanitize the password: FILTER_SANITIZE_SPECIAL_CHARS would turn characters
   such as & < > " ' into HTML entities, and password_verify() would then compare a
   different string from the one that was hashed at registration. */
$pass = filter_input(INPUT_POST, 'pass');

function usernameCheck($conn, $username, $pass) {
    /* Get rid of global $conn & $pass variables */
    /* Pass them through the function */
    /* The query sets up the user's information to be retrieved */
    $query = "SELECT username, pass FROM users1 WHERE username=:username";
    /* The parameter values */
    $query_params = array(':username' => $username);

    /* Retrieve the username */
    try {
        /* Execute the query against the database table */
        $stmt = $conn->prepare($query);
        $result = $stmt->execute($query_params);
    } catch (PDOException $ex) {
        /* On a production website, you shouldn't output the error */
        die('Failed to run query: ' . $ex->getMessage());
    }

    /* Setting up variable to check if user has logged in correctly */
    $login_ok = false;

    /* Retrieve user's data from database */
    $row = $stmt->fetch();

    /* If a row is retrieved then we know he/she has credentials */
    if ($row) {
        /* Verify stored password against user's entry */
        $result = password_verify($pass, $row['pass']);
        if ($result) {
            $login_ok = true;
        } else {
            $errMsg = "Invalid Credentials!!!";
        }
    }

    /* If password matches */
    if ($login_ok) {
        /* It's not wise to store the password in $_SESSION */
        unset($row['pass']);

        /* This also should go in the Connection.php file. (The original called
           start_session(), which does not exist; the PHP function is session_start().) */
        session_start();

        /* Store user's info in $_SESSION */
        $_SESSION['user'] = $row;

        /* Successful login, redirect user to maybe a members-only page? */
        header("Location: members.php");
        exit();
    }

    return "Login Failed";
}

echo $message = usernameCheck($conn, $username, $pass);[/php]
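Neither script in the thread says why the first one fails: `isset($_POST['username'])` returns a boolean, so `$username` and `$pass` hold `true`/`false` rather than the submitted strings, and the later `fetchColumn()` after `fetch()` reads a second row that does not exist. The following is an added example, not code from any poster here; it assumes the `pdo_sqlite` extension and uses an in-memory SQLite table named `users1` so the whole login check runs stand-alone.

```php
<?php
// Added example, not code from any poster in this thread. It uses an in-memory
// SQLite database (pdo_sqlite) in place of the MySQL Connection.php so that it
// runs stand-alone; the table and column names users1 / pass follow the thread.
declare(strict_types=1);

function connect(): PDO
{
    $conn = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $conn->exec('CREATE TABLE users1 (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    return $conn;
}

function registerUser(PDO $conn, string $username, string $password): void
{
    // password_hash() draws its own random salt and embeds it in the result;
    // the 'salt' option the question passes is not needed (and is deprecated).
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $conn->prepare('INSERT INTO users1 (username, pass) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function checkLogin(PDO $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('SELECT pass FROM users1 WHERE username = :username');
    $stmt->execute([':username' => $username]);
    // fetch() once. The first script calls fetch() and then fetchColumn(),
    // which reads the *next* row; there is none, so $hashpass becomes false.
    $row = $stmt->fetch();
    if ($row === false) {
        // Unknown user: still pay the bcrypt cost against a throwaway hash so
        // the response time does not reveal whether the username exists.
        password_verify($password, password_hash('unused', PASSWORD_BCRYPT, ['cost' => 12]));
        return false;
    }
    return password_verify($password, $row['pass']);
}

// Constructed input standing in for $_POST. The first script's
// $username = isset($_POST['username']) stores the boolean isset() result, not
// the submitted string, so its lookup and password_verify() never see the real values.
$conn = connect();
registerUser($conn, 'alice', 'Welcome@123');
foreach ([['alice', 'Welcome@123'], ['alice', 'wrong'], ['nobody', 'Welcome@123']] as [$u, $p]) {
    printf("%-7s / %-12s => %s\n", $u, $p, checkLogin($conn, $u, $p) ? 'Valid User' : 'Not Valid User');
}
```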

Thank you very much, but it's not working for me. It always shows "Login Failed" even when I am entering the correct username and password.
Not sure what the problem is. Code seems ok. :frowning:

It is more than likely how your password is being stored; what I mean by that is it might be stored too short.

Check out http://us1.php.net/manual/en/function.password-hash.php

http://us1.php.net/manual/en/function.password-verify.php

and double check to see if you have errors turned on.

Put this on top of your script:
[php]ini_set('display_errors', 1);
error_reporting(E_ALL);[/php]

You might be getting errors that you don’t know about.

Yes, I checked all those things. No error is coming.
My password field is 256 [varchar]…
As an example … suppose my password is "Welcome@123" and it has been stored as '$2y$12$uLTIkhPQ3gkiIcIg9w0mw.GbIEkvA6n9zhjNpg/c50pF7jN2i1sWO'

[php]<?php
// Even this is also not working. Maybe I am using a random salt; this could be the reason.
$pass = 'Welcome@123';
$hash = '$2y$12$uLTIkhPQ3gkiIcIg9w0mw.GbIEkvA6n9zhjNpg/c50pF7jN2i1sWO';
if (password_verify($pass, $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>[/php]

[php]<?php
// This is for my password hashing algo.
$options = [
    'cost' => 12,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
$pass = password_hash($_POST['pass'], PASSWORD_BCRYPT, $options);[/php]

Please let me know if this is not an issue.

I’m no password expert, for this is all I do for storing the password ->

[php]$password = password_hash($password, PASSWORD_BCRYPT, array("cost" => 15));[/php]

I figure if someone can crack that then they are either

  1. Extremely Smart
    or I’m
  2. Extremely stupid in having a security vulnerability. ;D

You don’t have to put in a random salt for that is the nice thing, this is a quote from password_hash php.net - “This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.”

I was thinking that the following might help, this is the script I’m currently using for my own website:
[php]if (isset($_POST['action']) && $_POST['action'] == 'register') {

    $userType = 'public';
    $username = $_POST['username'];
    $realname = $_POST['realname'];
    $email = $_POST['email'];
    $imagePath = 'lib/upload/img-blank.jpg';
    $password = password_hash($_POST['password'], PASSWORD_BCRYPT, array("cost" => 15));

    $query = 'INSERT INTO users (userType, username, realname, email, password, imagePath, dateAdded) VALUES (:userType, :username, :realname, :email, :password, :imagePath, NOW())';
    $stmt = $pdo->prepare($query);

    try {
        $stmt->execute(array(':userType' => $userType, ':username' => $username, ':realname' => $realname, ':email' => $email, ':password' => $password, ':imagePath' => $imagePath));

        header('Location:index.php');
        exit();

    } catch (PDOException $error) {
        // SQL_CONSTRAINT_VIOLATION is assumed to be defined elsewhere in this site's
        // code as the SQLSTATE class '23' (integrity constraint violation).
        if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
            echo http_response_code();
        } else {
            throw $error; // some other error happened; just pass it on.
        }
    }
}[/php]

I just realize I don’t practice what I preach, I’m going to have to comment the error messages out or log them to a folder…oops me bad. :smiley:
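The quoted manual text is the key point of the salt discussion above: bcrypt stores the cost and the 22-character salt inside the hash string, which is why `password_verify()` needs no separate salt and why the `'salt'` option in the question is unnecessary. This added example (not code from any poster in the thread) shows that two hashes of the same constructed password differ yet both verify, reads the parameters back out of the hash, and uses `password_needs_rehash()` to move an existing hash to a higher cost on the next successful login, which is how a site that later raises its cost (for example to 15) upgrades old rows; the `verifyAndUpgrade()` helper is an assumed name.

```php
<?php
// Added example, not code from any poster in this thread. It shows why the
// 'salt' option passed to password_hash() in the question is unnecessary and
// how stored hashes can be brought up to a higher cost on the next login.
declare(strict_types=1);

function showHash(string $label, string $hash): void
{
    // A bcrypt string is "$2y$" . cost . "$" . 22-char salt . 31-char digest.
    printf("%-7s %s\n        cost=%s salt=%s\n", $label, $hash,
        substr($hash, 4, 2), substr($hash, 7, 22));
}

// Verify the entered password and, if the stored hash was made with a lower
// cost than the site now wants, return a replacement hash to store.
function verifyAndUpgrade(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;                    // wrong password, nothing to store
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $storedHash;                 // already at the wanted cost
}

$password = 'Welcome@123';              // constructed sample, as in the thread

// Two hashes of one password differ because password_hash() drew a fresh random
// salt each time; both verify, because the salt is read back from the hash itself.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
showHash('first', $h1);
showHash('second', $h2);
var_dump($h1 !== $h2, password_verify($password, $h1), password_verify($password, $h2));

// password_get_info() recovers the algorithm and cost from the hash string.
print_r(password_get_info($h1));

// Raising the cost (13 here to keep the demo quick; the last post uses 15):
// the old hash still verifies, and a new hash at the higher cost is returned.
$upgraded = verifyAndUpgrade($password, $h1, 13);
showHash('rehash', $upgraded ?? '(verification failed)');
```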
