Where is the error in this PHP login code with PDO?

Question

This is a login script that I wrote. I used crypt() for storing hashed passwords.

<?php

$db = new mysqli ('localhost','bla','bla','bla');
if(isset($_POST['submit_form'])){

$username = $_POST['username'];
$password = $_POST['password'];
$username2 = mysqli_real_escape_string($db, $_POST['username']);
$sql = "SELECT * FROM users WHERE username=:username";
$stmt = $db->prepare($sql);
$stmt->bindValue(':username',$username,PDO::PARAM_STR);

if($stmt->execute())
{
    if($stmt->rowCount() == 1)
    {
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

     if (crypt($password, $row['pass']) === $row['pass'])
        {

            session_start();
            $_SESSION['user'] = $username2;
            $_SESSION['notification'] = 'blabla';
            header('location:/someplace');

        }
        else
        {
              session_start();
              $_SESSION['not'] = 'wrong';
              header('location:/someplace');  
        }
    }
    else
    {
          session_start();
          $_SESSION['not'] = 'wrong';
          header('location:/someplace');  
    }
}
}
else {

    header('location:/ss');
}

?>

I'm trying to resolve the problem for a long time. But it is not yielding any result. Searched through many answers, tried 5-6 different methods. Still not working. I'm using PDO for the first time. Before this, I was using only mysqli_real_escape_string() and it was working fine.

If you're using PDO, you need to use ALL PDO. You can't mix mysqli and PDO stuff like that. — Don't Panic, Dec 22 '15 at 20:39
Also, please consider using `password_hash` instead of `crypt`. — Don't Panic, Dec 22 '15 at 20:40
Can you please elaborate? Would I have to use that in the database connection, too? — sofa_maniac, Dec 22 '15 at 20:42
Yes. `new PDO(...` instead of `new mysqi(...`. And if you are using prepared statements and binding your parameters, you don't need the `mysqli_real_escape_string` anymore. — Don't Panic, Dec 22 '15 at 20:44
What error msg are you getting , try using `$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);` to see error you are getting — Jimmy Obonyo Abor, Dec 22 '15 at 20:45
@jimmyobonyo I don't think that will help as `$dbh` is a `mysqli` object. — Don't Panic, Dec 22 '15 at 20:46
@Don'tPanic i see that the question using `mysqli_real_escape_string` so use `$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);` to get `msqli` error — Jimmy Obonyo Abor, Dec 22 '15 at 20:48
try changing `$db = new mysqli ('localhost','bla','bla','bla');` to something like `$db = new PDO("dbtype:host=yourhost;dbname=yourdbname;charset=utf8","username","password");` — Jimmy Obonyo Abor, Dec 22 '15 at 20:52
[Proper Password Preparation with PHP](http://jayblanchard.net/proper_password_hashing_with_PHP.html) — Jay Blanchard, Dec 22 '15 at 20:56
I did that. It's working without having to change anything else. Thank you. — sofa_maniac, Dec 22 '15 at 20:56

Where is the error in this PHP login code with PDO?

0 Answers0