
I wrote PHP code for my signin.php file, and my query works for my username, but when I put in the password variable, it doesn't do anything. I want the user to put in a username and password, because all they have to put in to get to the restricted page is a username, no password. It checks if the username is in the database table; if it is, it goes to the restricted page. I posted a question like this and I got good answers, but I don't know where to put the information. This is my process.php:

<?php
include("db.php");

$username = $_POST['username'];
$pw = $_POST['StorePassword'];

if ( isset( $_POST['login'] ) ) {

    $query = mysqli_query($conn, "SELECT * FROM users WHERE username='".$username."' StorePassword='".$pw."' ");

    $StorePassword = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 8));

    if ( mysqli_num_rows($query) > 0 ) {
        while ( $row = mysqli_fetch_assoc( $query ) ) {
            if ( $row['StorePassword'] == $pw ) {
                header("Location: home.php");
            } else {
                echo "Wrong password";
            }
        }
    } else {
        echo "User not found <br />";
    }

    if (empty($pw)) {
        echo "Please enter your password.";
    } else {

    }

}
?>
<html>
<body>
<a href="signin.php">Please try again</a>
</body>
</html>
  • What happened with the previous question? Why not update the previous question? – chris85 Nov 01 '15 at 12:13
  • Because I don't know where to put the code they gave me. The second answer: I moved my code and put that code in, but that didn't work. Do you know what I can do? –  Nov 01 '15 at 12:19
  • Okay, that answer doesn't really make sense, so I guess we'll redo the question. What is `$StorePassword = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 8));` for? It doesn't seem to be used anywhere. You are open to SQL injection. Can you be more specific than `doesn't do anything`? Does it load a blank page, say `please try again`, `wrong password`, `wrong username`, or something else? – chris85 Nov 01 '15 at 12:25
  • That is how the password is hashed in my signup file. –  Nov 01 '15 at 12:28
  • Is the password in the database hashed? Because I see you comparing it with the one gotten from the form instead of the one you hashed. – danidee Nov 01 '15 at 12:33
  • Yes it is. @danidee –  Nov 01 '15 at 12:43
  • Then it should be `if ( $row['StorePassword'] == $StorePassword ) {` – danidee Nov 01 '15 at 12:51
  • That didn't change anything. –  Nov 01 '15 at 12:58
  • Do you work for TalkTalk in the UK? – Ed Heal Nov 01 '15 at 18:05

1 Answer

Firstly, you should use prepared statements for security.

Step 1: You want to check that the username and password have been entered:

if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('You must enter a username and password!');
}

Step 2: Check the username against your database:

if ($stmt = $conn->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind the username as a string parameter (s = string, i = int, b = blob, etc.);
    // it is never concatenated into the SQL, so it cannot alter the query.
    $username = $_POST['username'];
    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) {
        trigger_error("there was an error....".$stmt->error, E_USER_WARNING);
    }
    $stmt->store_result();

Step 3: Check that the password matches (PHP manual for password_verify):

if ($stmt->num_rows > 0) {
        $stmt->bind_result($password);
        $stmt->fetch();
        // Account exists, now we verify the submitted password against the stored hash.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has logged in.
            header("Location: home.php");
            exit; // header() alone does not end the script; stop here.
        } else {
            echo 'Incorrect username and/or password!';
        }
    } else {
        echo 'User doesn\'t exist';
    }
    $stmt->close();

All together:

<?php
session_start();
include("db.php"); // assumed to define $conn, the mysqli connection the question's process.php uses
if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('Username and/or password not set');
}
// Prepare our SQL
if ($stmt = $conn->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind the username as a string parameter (s = string, i = int, b = blob, etc.).
    $username = $_POST['username'];
    $username = strtolower($username);
    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) {
        trigger_error("there was an error....".$stmt->error, E_USER_WARNING);
    }
    // Store the result so we can check if the account exists in the database.
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        $stmt->bind_result($password);
        $stmt->fetch();
        // Account exists, now we verify the submitted password against the stored hash.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has logged in: record it in the session
            // so home.php can check it, then stop the script after the redirect.
            $_SESSION['username'] = $username;
            header("Location: home.php");
            exit;
        } else {
            echo 'Incorrect username and/or password!';
        }
    } else {
        echo 'Incorrect username and/or password!';
    }
    $stmt->close();
} else {
    echo 'Could not prepare statement!';
}
?>

Check out the PHP guide on prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

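The answer above uses the column name `password` while the question's table and form use `StorePassword`. The following is an added example, not the answer's or the asker's code, that applies the same prepared-statement and password_verify() approach to the question's own schema and form field names, and also closes the gap the question describes (the restricted page being reachable with only a username) with a session check. It assumes db.php defines `$conn` as a mysqli connection and that `users(username, StorePassword)` stores a password_hash() value.

```php
<?php
// Added example, not the answer's code. Assumes db.php defines $conn (a mysqli
// connection, as in the question) and users(username, StorePassword) holds a password_hash() value.
require_once 'db.php';

// Signup side: store only the bcrypt hash (the question's cost of 8), never the plain text.
function register_user(mysqli $conn, string $username, string $password): bool {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
    $stmt = $conn->prepare('INSERT INTO users (username, StorePassword) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Login side: the username is a bound parameter (never concatenated into SQL) and the
// password is checked with password_verify(), never with ==.
function authenticate(mysqli $conn, string $username, string $password): bool {
    $stmt = $conn->prepare('SELECT StorePassword FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        // Unknown user: spend roughly the same bcrypt work as a real verify, so the
        // response time does not reveal whether the username exists.
        password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
        return false;
    }
    return password_verify($password, $storedHash);
}

// Guard for restricted pages (call at the top of home.php): without the session flag
// set by a successful login, the page is not reachable by username alone.
function require_login(): void {
    session_start();
    if (empty($_SESSION['username'])) {
        header('Location: signin.php');
        exit; // header() does not stop the script; exit so the page body is never sent
    }
}

// process.php flow, using the question's own form field names.
session_start();
if (isset($_POST['login'], $_POST['username'], $_POST['StorePassword'])) {
    if (authenticate($conn, $_POST['username'], $_POST['StorePassword'])) {
        session_regenerate_id(true); // fresh session id after the privilege change
        $_SESSION['username'] = $_POST['username'];
        header('Location: home.php');
        exit;
    }
    echo 'Incorrect username and/or password!'; // same message for both failure cases
}
```

The single failure message and the equal-work path for unknown users mean a visitor cannot tell from the response whether a username exists, which the step-3 snippet's "User doesn't exist" branch would reveal.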
  • Check out the articles I've referenced and test your code. What error messages are you getting? @JasonSmith –  Nov 01 '15 at 12:48
  • ( ! ) Notice: Undefined index: StorePassword in C:\wamp\www\interface\process.php on line 5 You must enter a username and password! –  Nov 01 '15 at 12:52
  • Okay, remember you have your post variable as `'StorePassword'`. –  Nov 01 '15 at 12:55
  • Yeah, everything he put, I put in my code, and it's not working. –  Nov 01 '15 at 13:04
  • What are the errors now? You need to test your code and debug it. Work your way around the errors and view the links I sent you @JasonSmith (I just used the code I sent you and it works perfectly). –  Nov 01 '15 at 13:06
  • Any luck with your code @JasonSmith? Let me know if you're getting any other errors. I'm here to help! :) –  Nov 02 '15 at 11:57