
My login form looks like this:

<form class="form-signin" method="post" id="login-form">
    <div id="img_container" class="imgcontainer">
        <img src="../images/img_avatar2.png" alt="Avatar" class="avatar">
    </div>
    <?php
    if (isset($msg)) {
        echo $msg;
    }
    ?>
    <div id="container" class="container">
        <label><b>Name</b></label>
        <input type="text" placeholder="Enter E-mail" name="email" required>

        <label><b>Password</b></label>
        <input type="password" placeholder="Enter Password" name="psw" required>

        <button type="submit" name="btn-login" id="btn-login">Login!</button>
        <input type="checkbox" checked="checked"> Remember me
        <span class="psw"><a href="#">Forgot your password?</a></span>
    </div>
</form>

And my connection to the database looks like this:

<?php
session_start();
require_once '../db/dbconnect.php';


if (isset($_POST['btn-login'])) {

 $email = strip_tags($_POST['email']);
 $password = strip_tags($_POST['psw']);

 $email = $DBcon->real_escape_string($email);
 $password = $DBcon->real_escape_string($password);

 $query = $DBcon->query("SELECT user_id, email, psw FROM Users WHERE email='$email'");
 $row=$query->fetch_array();

 $count = $query->num_rows; // if the e-mail/password are correct, this must return exactly 1 row

 if (password_verify($password, $row['psw']) && $count==1) {
  $_SESSION['userSession'] = $row['user_id'];
  header("Location: student.php");
 } else {
  $msg = "<div class='alert alert-danger'>
     <span class='glyphicon glyphicon-info-sign'></span> &nbsp; Invalid E-mail or Password !
    </div>";
 }
 $DBcon->close();
}
?>

My connection to the database is fine, but the error "Invalid E-mail or Password !" keeps appearing, even though I have tested that the input is the right data.

Is it because my password in the database is hashed? Or have I just made a stupid mistake?

EDIT 1:

This is what I do before hashing the password during user creation. This works fine; I don't get any error when creating the user. It is during login that the error appears.

 $uname = strip_tags($_POST['uname']);
 $upass = strip_tags($_POST['psw']);
 $phone = strip_tags($_POST['mobil']);
 $email = strip_tags($_POST['email']);
 $lat = strip_tags($_POST['lat']);
 $long = strip_tags($_POST['long']);
 $role = strip_tags($_POST['role']);

 $uname = $DBcon->real_escape_string($uname);
 $upass = $DBcon->real_escape_string($upass);
 $phone = $DBcon->real_escape_string($phone);
 $email = $DBcon->real_escape_string($email);
 $lat = $DBcon->real_escape_string($lat);
 $long = $DBcon->real_escape_string($long);
 $role = $DBcon->real_escape_string($role);
  • You are open to **MySQL injection**! You need to use `prepared statements`; `real_escape_string()` is not sufficient. – Nytrix Jan 23 '17 at 22:04
  • Well I am sure it is because your password is hashed at least I hope so! Do you know the hash method used to save password originally? – chop62 Jan 23 '17 at 22:06
  • Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 23 '17 at 22:10
  • my hash method is: $hashed_password = password_hash($upass, PASSWORD_DEFAULT); – Marc Cummings Jan 23 '17 at 22:13
  • Are you cleansing the password the same way that you're doing here, before you hash it? You're running it through `strip_tags()` and `real_escape_string()` before you verify. If you're not doing that before you hash and store, the passwords will never match. – Jay Blanchard Jan 23 '17 at 22:14
  • It is stored in column 'psw' @chop62 – Jay Blanchard Jan 23 '17 at 22:21
  • @chop62 it is saved as $hashed_password under the column 'psw' – Marc Cummings Jan 23 '17 at 22:24
  • Can you show us what you do before you hash the password? – Jay Blanchard Jan 23 '17 at 22:26
  • @JayBlanchard I don't cleanse the password? I just take it from the POST, through `real_escape_string()`, to the database – Marc Cummings Jan 23 '17 at 22:26
  • That ***is*** cleansing the password. You also `strip_tags()` – Jay Blanchard Jan 23 '17 at 22:27
  • From your script, the user will only be logged in when the two conditions, password_verify() and $count == 1, both succeed. If password_verify() works and $count != 1, the condition will not be met. So check to make sure only 1 row is always returned. Your table should contain unique emails. – ultrasamad Jan 23 '17 at 22:29
  • @JayBlanchard so what do I need to change? Do I just need to remove `real_escape_string()`? – Marc Cummings Jan 23 '17 at 22:32
  • Is the column in your database that holds the password at least 60 characters wide? – Jay Blanchard Jan 23 '17 at 22:33
  • @ultrasamad my table is containing unique emails – Marc Cummings Jan 23 '17 at 22:33
  • Remove `strip_tags()` and `real_escape_string()` from your passwords – Jay Blanchard Jan 23 '17 at 22:33
  • Can you show us your table creation SQL? – Jay Blanchard Jan 23 '17 at 22:34
  • [You should read all of this](http://jayblanchard.net/proper_password_hashing_with_PHP.html) *" The password_hash() can generate some very lengthy text (the current default is 60 characters), so making the field larger now will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes"* – Jay Blanchard Jan 23 '17 at 22:35
  • @JayBlanchard you just saved my day!! thanks that was it!! it was not 60 characters wide... – Marc Cummings Jan 23 '17 at 22:36
  • Glad to help! I'll add it as an answer. – Jay Blanchard Jan 23 '17 at 22:36

2 Answers


From Proper Password Preparation with PHP

The password_hash() function can generate some very lengthy text (the current default is 60 characters), so making the field as large as possible now will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes.


In addition: Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Jay Blanchard
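An added example (not code from the question or from either answer) that reproduces both failure modes named in this answer without a database: a bcrypt hash cut down to a narrower column no longer verifies, and a password run through strip_tags() or quote-escaping before hashing or verifying is a different string from the one the user typed. MySQL's silent truncation is emulated with substr(), and addslashes() stands in for mysqli::real_escape_string() because it escapes quotes and backslashes the same way and needs no connection. The sample password is constructed for the example.

```php
<?php
// Added example, not from the question or the answers.
declare(strict_types=1);

// Emulates what MySQL (non-strict sql_mode) does with a value longer than the
// column: the value is silently cut to the column width.
function storeInColumn(string $hash, int $width): string
{
    return substr($hash, 0, $width);
}

// True only if the hash survives a column of the given width intact.
function verifiesAfterStorage(string $password, string $hash, int $width): bool
{
    return password_verify($password, storeInColumn($hash, $width));
}

// The "cleansing" the question applies before hashing and before verifying.
// addslashes() stands in for mysqli::real_escape_string(): both escape ' " \ and NUL.
function cleanse(string $password): string
{
    return addslashes(strip_tags($password));
}

// Constructed sample password containing characters that both steps alter.
$password = "it's <b>not</b> a secret";
$hash     = password_hash($password, PASSWORD_DEFAULT);

printf("hash length: %d\n", strlen($hash));   // bcrypt (PASSWORD_DEFAULT) hashes are 60 characters

// 1. Column width: a column narrower than the hash loses the end of it and
//    password_verify() fails even for the right password.
foreach ([50, 60, 255] as $width) {
    printf("VARCHAR(%d): %s\n", $width,
        verifiesAfterStorage($password, $hash, $width) ? 'verifies' : 'FAILS');
}

// 2. Cleansing: the hash was made from the raw password, so the cleansed
//    string does not verify against it (and cleansing before hashing would
//    break the raw password the same way round).
printf("cleansed equals raw: %s\n", cleanse($password) === $password ? 'yes' : 'no');
printf("verify cleansed:     %s\n", password_verify(cleanse($password), $hash) ? 'verifies' : 'FAILS');
printf("verify raw:          %s\n", password_verify($password, $hash) ? 'verifies' : 'FAILS');
```

Run it with `php example.php`. With MySQL in strict sql_mode (the default since 5.7) the INSERT of a 60-character hash into a VARCHAR(50) would fail with a "Data too long" error instead of truncating, which is the louder and safer failure; either way the fix is the same: make the column wide enough (255 is the usual choice) and hash the password exactly as the user typed it.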

Take a look at the following code.

session_start();
require_once '../db/dbconnect.php'; // assuming you are using PDO, so $DBcon is a PDO instance

if (isset($_POST['btn-login'])) {

    $email = strip_tags($_POST['email']);
    $password = $_POST['psw']; // the form field is named "psw"; the password is used exactly as typed

    // Bound parameter instead of string interpolation, so $email needs no escaping
    $query = "SELECT user_id, email, psw FROM Users WHERE email = :email";
    $queryStat = $DBcon->prepare($query);

    $queryStat->execute(['email' => $email]);

    $row = $queryStat->fetch(PDO::FETCH_ASSOC); // false when no user has that e-mail

    // An empty hash never verifies, so an unknown e-mail falls through to the error message
    $storedHash = ($row !== false) ? $row['psw'] : '';

    if (password_verify($password, $storedHash)) { // No need for a row count
        $_SESSION['userSession'] = $row['user_id'];
        header('Location: student.php');
        exit; // stop here so nothing after the redirect is executed
    } else {
        $msg = "<div class='alert alert-danger'>
        <span class='glyphicon glyphicon-info-sign'></span> &nbsp; Invalid E-mail or Password !
        </div>";
    }
}
ultrasamad
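The prepared-statement login from this answer, carried through as an added example (not the answer's or the question's code) that also handles the unknown-e-mail case and shows that a bound parameter neutralises an injection attempt in the e-mail field. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, the sample user and the stored password are constructed for the example, and with MySQL only the DSN in the PDO constructor would change.

```php
<?php
// Added example; not code from the question or the answers.
declare(strict_types=1);

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // psw is 255 wide: room for bcrypt's 60 characters and for longer hashes later.
    $db->exec('CREATE TABLE Users (
        user_id INTEGER PRIMARY KEY,
        email   VARCHAR(255) NOT NULL UNIQUE,
        psw     VARCHAR(255) NOT NULL
    )');
    // Constructed sample user. The password is hashed exactly as typed:
    // no strip_tags(), no escaping.
    $db->prepare('INSERT INTO Users (email, psw) VALUES (:email, :psw)')
       ->execute(['email' => 'alice@example.com',
                  'psw'   => password_hash("it's <not> a secret", PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user_id on success, null on any failure. Because the e-mail is
// bound as a parameter, input such as "' OR 1=1 -- " is compared as a literal
// string and never parsed as SQL, so no escaping is needed and none is done.
function authenticate(PDO $db, string $email, string $password): ?int
{
    // Computed once; verifying against it makes an unknown e-mail cost the
    // same time as a wrong password, so timing does not reveal valid addresses.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT user_id, psw FROM Users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);   // unknown e-mail: burn the same cost
        return null;
    }
    if (!password_verify($password, $row['psw'])) {
        return null;                              // wrong password
    }
    return (int) $row['user_id'];
}

$db = setupDatabase();
foreach ([
    ['alice@example.com',  "it's <not> a secret"],   // correct credentials
    ['alice@example.com',  'wrong password'],        // wrong password
    ['nobody@example.com', "it's <not> a secret"],   // unknown e-mail
    ["' OR 1=1 -- ",       'anything'],              // injection attempt, bound as data
] as [$email, $password]) {
    $userId = authenticate($db, $email, $password);
    printf("%-22s -> %s\n", $email,
        $userId === null ? 'Invalid E-mail or Password' : "user_id $userId");
}
```

In the real handler the success branch is where `$_SESSION['userSession']` is set, followed by `header('Location: student.php'); exit;` so the rest of the script does not run after the redirect. The single `Invalid E-mail or Password` message for both the unknown-e-mail and wrong-password cases is deliberate: it keeps the login form from confirming which addresses exist.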