
I'm trying to make a login system (I already have the registration system complete) with password_hash() and password_verify(), but it isn't working for me. I've been trying to find an answer this whole morning and still can't seem to make it work; I've watched codecourse tutorials, read blog posts, and nothing. The tutorial I've been following the most is this one.

<!-- login -->
<?php
// $mysqli (a mysqli connection) and session_start() are assumed to be set up earlier in the page.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $errors = array();
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    // Basic validation
    if (empty($_POST['username'])) {
        $errors[] = "Please enter your username";
    } else {
        $username = $mysqli->real_escape_string($_POST['username']);
    }

    if (empty($_POST['password'])) {
        $errors[] = "Please enter your password";
    } else {
        $password = trim($_POST['password']);
    }

    if (empty($errors)) {
        $sql = "SELECT * FROM users WHERE username = '$username'";
        $result = $mysqli->query($sql);
        if ($result->num_rows === 1) {
            $row = $result->fetch_array(MYSQLI_ASSOC);
            // Compare the submitted password against the stored password_hash() output
            if (password_verify($password, $row['password'])) {
                // Debug output: anything echoed before header() blocks the redirect unless output buffering is on
                echo 'test';
                $_SESSION['user']['user_id'] = $row['user'];
                header("Location: google.com");
                exit();
            } else {
                $errors[] = "The username or password do not match";
            }
        } else {
            $errors[] = "The username or password do not match";
        }
    }
}
?>

<!-- register -->
<?php
// $conn (a mysqli connection) is assumed to be set up earlier in the page.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = $_POST['password'];
    // Hash the password; the hash, not the password, is what gets stored
    $hashed_password = password_hash($password, PASSWORD_DEFAULT);
    $confirm_password = mysqli_real_escape_string($conn, $password);
    $ip = $_SERVER['REMOTE_ADDR'];

    if (empty($username) || empty($password) || empty($confirm_password)) {
        $error = "Fill in the missing fields";
    } else {
        $sql = "INSERT INTO users VALUES('', '$username', '$hashed_password', '$ip', 'User')";
        if ($conn->query($sql) === TRUE) {
            $error = "Your account has been created.";
        } else {
            $error = "Your account has not been created, please try again later.";
        }
    }
}
?>

The end product is supposed to log in successfully and redirect. I'm using PHP 5.6 and running on localhost XAMPP.

  • are you missing a closing curly bracket? i see 10 open and 9 closing. Do you have access to your error logs and/or can you post your errors? – Louis Loudog Trottier Feb 27 '17 at 20:26
  • Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 27 '17 at 20:30
  • Show us how you stored the password. – Jay Blanchard Feb 27 '17 at 20:31
  • What do you mean by, "but it isn't working"? – Jay Blanchard Feb 27 '17 at 20:31
  • @JayBlanchard I showed the register POST and it keeps redirecting me to the login page when it should be going to the dashboard.php – varProjects Feb 27 '17 at 20:42
  • This is why I say not to cleanse passwords. You'll never get a match because you're using `$password = mysqli_real_escape_string($conn, $_POST['password']);` to store the password and then not using it on verification. Instead you use `$password = trim($_POST['password']);`. Please read the post in my comment above and follow that guidance. – Jay Blanchard Feb 27 '17 at 20:49
  • In addition, make sure the password column in your database is at least 60 characters wide in order to store the full hash coming from the `password_hash()` code. – Jay Blanchard Feb 27 '17 at 20:51
  • that's what happens to many who do not follow tutorials "to a T". – Funk Forty Niner Feb 27 '17 at 20:55
  • `$password = mysqli_real_escape_string($conn, $_POST['password']); $hashed_password = password_hash($password, PASSWORD_DEFAULT); $confirm_password = mysqli_real_escape_string($conn, $password);` you shouldn't do that and you should read that tutorial again and stick to it, and not modify it in any way; that should work. – Funk Forty Niner Feb 27 '17 at 21:10
  • where's the HTML form for this anyway? – Funk Forty Niner Feb 27 '17 at 21:10
  • @Fred-ii- I edited the post, there it is. – varProjects Feb 27 '17 at 21:17
  • nowhere do I see the opening `<form>` and all I saw were 2x `</form>` tags. I take it that you're either trying to use 2 forms or embedding forms. – Funk Forty Niner Feb 27 '17 at 21:18
  • @Fred-ii- I'm sorry, I've shown it in full now. PHP code and forms. – varProjects Feb 27 '17 at 21:23
  • Were you able to get this figured out? All of the comments were deleted for some reason. – Jay Blanchard Feb 28 '17 at 13:39
  • @JayBlanchard No, but I'm working on it again. I restarted and am actually noticing what I'm typing. Thank you for everything, you're a great guy. – varProjects Feb 28 '17 at 21:55
  • Glad to be of help @PunishSulky! – Jay Blanchard Feb 28 '17 at 22:00

1 Answer


You'll never get a match because you're using

$password = mysqli_real_escape_string($conn, $_POST['password']);

to store the password and then not using it on verification. Instead you use

$password = trim($_POST['password']);

Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. The password_hash() function can generate some very lengthy text (the current default is 60 characters), so make sure the field in your database is large enough to accommodate the hash. Setting the field larger now will allow for the length needed. The PHP team is adding more algorithms to the method which means the hash can and will grow.

Jay Blanchard
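As an added worked example (not code from the question or from the answer above): the script below reproduces the mismatch the answer describes, cleansing a password before password_hash() but not before password_verify(), and shows the pattern that avoids it: hash and verify the raw input, and keep user data out of the SQL text with prepared statements so escaping is never needed. It uses SQLite in memory through PDO so it runs offline (the pdo_sqlite extension is assumed); the table layout, the user `alice` and the sample password are constructed for the demonstration and are not the asker's schema. addslashes() stands in for mysqli_real_escape_string(), which needs a live MySQL connection; both turn `'` into `\'`. The code runs on PHP 5.6 or later.

```php
<?php
// Added example, not code from the question or the answer. SQLite in memory
// via PDO so it runs offline; schema and sample user are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// A wide column: bcrypt (PASSWORD_DEFAULT today) produces 60 characters, and
// PASSWORD_DEFAULT may change to a longer algorithm. In MySQL use VARCHAR(255).
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

/** Store a new user. Returns true on success. */
function registerUser(PDO $db, $username, $password)
{
    if ($username === '' || $password === '') {
        return false;
    }
    // Hash exactly what the user typed: no trim(), no escaping. The hash is
    // what gets stored, so escaping the password only changes the secret.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    return $stmt->execute(array(':u' => $username, ':p' => $hash));
}

/** Check a login. Returns the user id on success, null otherwise. */
function loginUser(PDO $db, $username, $password)
{
    // Bound parameters never become part of the SQL text, so
    // mysqli_real_escape_string()-style cleansing is unnecessary.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend one hash verification so response time
        // does not reveal whether the username exists.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return null;
    }
    // Verify the raw submitted password against the stored hash.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // If PASSWORD_DEFAULT (or its cost) changed since the hash was stored,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute(array(':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']));
    }
    return (int) $row['id'];
}

// Constructed sample input: a quote and a trailing space, the characters that
// escaping and trim() would alter.
$raw = "O'Reilly p@ss ";

registerUser($db, 'alice', $raw);
$results = array(
    'raw input'     => loginUser($db, 'alice', $raw) !== null,
    'trimmed input' => loginUser($db, 'alice', trim($raw)) !== null,
    // addslashes() stands in for mysqli_real_escape_string() (needs a live
    // MySQL connection); both rewrite the quote and so change the password.
    'escaped input' => loginUser($db, 'alice', addslashes($raw)) !== null,
);

// The asker's situation: escaped at registration, raw (trimmed) at login.
$escapedHash = password_hash(addslashes($raw), PASSWORD_DEFAULT);
$results['escaped at registration, raw at login'] = password_verify($raw, $escapedHash);

printf("stored hash length: %d\n", strlen($escapedHash));
foreach ($results as $case => $ok) {
    printf("%-42s %s\n", $case . ':', $ok ? 'login ok' : 'login rejected');
}
```

Run it with `php login_demo.php`. Only the unmodified input verifies; every cleansed variant is rejected, which is exactly the symptom in the question, and the printed hash length is what the `password` column has to accommodate.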