0

I'm new to PHP and am attempting to create a login system within a HTML website. I have created a staff database with StaffID and Password columns. When the incorrect details are entered, the page should reload the login page with the relevant error in the header and when the correct details are entered it should redirect to a new php page.

But when the correct details are entered, the page is reloaded as if the login details were incorrect with login=error in the header. I believe there may be a problem with the password verification but I am not sure. Can anyone help?

<?php
session_start();

if (isset($_POST['submit'])) {
    include 'dbh.php';

    $uid = $conn->real_escape_string($_POST['uid']);
    $pwd = $conn->real_escape_string($_POST['pwd']);

    //Error handlers
    //Check for input empty
    if (empty($uid) || empty($pwd)) {
        header("Location: ../Website/loginpage.html?login=empty");
        exit();
    } else {
        $sql = "SELECT * FROM staff WHERE StaffID='$uid'";
        $result = $conn->query($sql);
        $resultCheck = $result->num_rows;
        if ($resultCheck < 1) {
            header("Location: ../Website/loginpage.html?login=error");
            exit();
        } else {
            if ($row = $result->fetch_assoc()) {
                $PwdCheck = password_verify($pwd, $row['Password']);
                if ($PwdCheck == false) {
                    header("Location: ../Website/loginpage.html?login=error");
                    exit();
                } elseif ($PwdCheck == true) {
                    //Log in user here
                    $_SESSION['u_id'] =$row['StaffID'];
                    $_SESSION['u_name'] =$row['Name'];
                    $_SESSION['u_email'] =$row['Email_address'];
                    header("Location: ../Website/index2.php?login=success");
                    exit();
                }
            }   
        }
    }
} else {
    header("Location: ../Website/loginpage.html?login=error");
    exit();
}
?>



<form action="login.php" method="POST">
  <label>Username  :</label><input type="text" name="uid" placeholder="Username/e-mail" class="box"><br /><br />
  <label>Password  :</label><input type="password" name="pwd" placeholder="password" class="box"><br/><br />
  <button type="submit" name="submit" value="submit">Login</button><br />
</form>

My connection file dbh.php:

<?php
session_start();

$server = "localhost";
$username = "root";
$passwd = "";
$dbname = "custom pc central"; 

$conn = mysqli_connect($server, $username, $passwd, $dbname) or die    ('connection is not established'.mysqli_error($conn));

My table data:

Create table Staff
(StaffID varchar(100),
Password varchar(1000),
Name varchar(100),
Email_address varchar(1000),
constraint pk_StaffID primary key(StaffID)); 

insert into Staff values
('14567','123','james',
'james@custompccentral.co.uk');

insert into Staff values
('24567','123','alex',
'alex@custompccentral.co.uk');

insert into Staff values
('34567','123','kate',
'kate@custompccentral.co.uk');

insert into Staff values
('44567','123','megan',
'megan@custompccentral.co.uk');

insert into Staff values
('54567','123','syed',
'syed@custompccentral.co.uk');

insert into Staff values
('64567','123','akif',
'akif@custompccentral.co.uk');
Martin
  • 19,815
  • 6
  • 53
  • 104
ayy02
  • 1
  • 1
  • 3
    do not real_escape passwords when using password_verify. It might change the password! – Jeff Apr 18 '19 at 19:26
  • 1
    Please also show how you create the user with it's password, plus the table definition of `staff`. Chances are the field is too small for the password hash, or you don't hash it correctly when saving. – Jeff Apr 18 '19 at 19:27
  • there's also a typo at the top: `? – Jeff Apr 18 '19 at 19:30
  • @Jeff that typo made me chuckle `;-)` – Martin Apr 18 '19 at 19:31
  • @Martin the (currently) second answer in the dupe covers the reason *you* suspect on this one. There isn't enough information from OP to do more than guess as to the actual cause. – miken32 Apr 18 '19 at 19:42
  • You have un-hashed passwords in your database table ('123'), so password_verify won't work. You'd need to insert the rows via php and use [password_hash](https://php.net/manual/en/function.password-hash.php)! – Jeff Apr 18 '19 at 19:42
  • @Jeff very true, sorry I had misread that. – Martin Apr 18 '19 at 19:45
  • @Martin the OP added those sql inserts just now, so we couldn't know before. – Jeff Apr 18 '19 at 19:46
  • @Jeff I have also voted to close on the same reason. – Martin Apr 18 '19 at 19:49

1 Answers1

0

NEVER store passwords as plaintext in the database.

Because you are using password_verify only store the hashes of passwords, created using the password_hash PHP function.

$pwd = $conn->real_escape_string($_POST['pwd']);

You do NOT need to escape this value because you should never be putting this value in to an SQL query.

The way Password checking should be carried out is :

1) User supplies details; a username/identifier and a password/authenticator.

2) The code grabs the authenticator data from the row referenced by the unqiue identifier.

3) The code then compares the hashed user submitted authenticator against the already-hashed database-given authenticator.

4) The user supplied password used to log in should never touch the MySQL.

Because you are using object-oriented MySQL interaction in your PHP, it is highly suggested you use Parameterised Queries instead of Pseudo-Procedural queries in your Code

Community
  • 1
  • 1
Martin
  • 19,815
  • 6
  • 53
  • 104