Click here to Skip to main content
15,867,568 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
I have had this problem that I have been trying to solve for days now and it's getting to the point where I am getting extremely frustrated so I had no choice but to ask for help.

I've been trying to create a login feature for what feels like a decade now, with only limited success. I've managed to create a functional registration system but the login feature is really bugging me. I've even resorted to literally copying someone's code on YouTube and yet, it still isn't working. Every time I try to log in, it just states 'Wrong username or password' which is the error message I set for, well, when the username or password has been entered incorrectly. The thing is, I am not entering the username or password incorrectly. They are correct, and it is registered on my database, so I have no clue on what the issue may be.

What I have tried:

Here is the (php) code for login.php:

<?php 
     
    session_start(); 
    require "functions.php"; 
    require "db_conn.php"; 
     
    if(isset($_POST['submit'])){ 
     
        $response = loginUser($_POST['username'], $_POST['password']); 
     
    } 
 
?>
 
and here is the code for the functions.php (specifically the login code):

function loginUser($username, $password){ 
         
        $mysqli = connect(); 
        $username = trim($username); 
        $password = trim($password); 
         
        if($username == "" || $password == ""){ 
            return "Both fields are required"; 
        } 
         
        $username = filter_var($username, FILTER_SANITIZE_STRING); 
        $password = filter_var($password, FILTER_SANITIZE_STRING); 
         
        $sql = "SELECT username, password FROM users WHERE username = ?"; 
        $stmt = $mysqli->prepare($sql); 
        $stmt->bind_param("s", $username); 
        $stmt->execute(); 
        $result = $stmt->get_result(); 
        $data = $result->fetch_assoc(); 
         
        if($data == NULL){ 
            return "Wrong username or password"; 
        } 
         
        if(password_verify($password, $data['password']) == FALSE) { 
            return "Wrong username or password"; 
        }else{ 
            $_SESSION['user'] = $username; 
            header("location: registerredirect.php"); 
            exit(); 
        } 
         
    }

and here is my code for the login form:

<div class="wrapper1"> 
        <h1>Login to your Account</h1> 
        <form action="" method="post"> 
            <p class="error"><?php echo @$response; ?></p> 
            <input type="text" placeholder="Username*" name="username" value="<?php echo @$_POST['username']; ?>" required> 
            <input type="password" minlength="6" maxlength="21" placeholder="Password*" name="password" value="<?php echo @$_POST['password']; ?>" required> 
            <input type="submit" id="highlight" name="submit" value="Login"> 
            <div class="member"> 
                Haven't got an account yet? Click <a href="user_registration.php" class="hover-underline-animation">here!</a></li> 
        </div> 
    </form> 
</div>


Can you please point out where I must've gone wrong, why I must've gone wrong and how to avoid the mistake in the future please? I would like as much info on it as possible, I am not just asking for someone to 'do my homework', I genuinely want to know why I have gone wrong as well as where I have gone wrong. Thank you so much for any help, it is greatly appreciated!

I have tried changing "if(password_verify($password, $data['password']) == FALSE) {" to "if(!password_verify($password, $hash) {" which I THOUGHT had worked at first, but it turned out that it was accepting any random password.

This is starting to make me feel like giving up. I have been at it for days and it is getting seriously on my nerves. If it is seriously this complicated just to get it to verify the password, I can't even imagine what creating the backend for the rest of the website is going to be like. Can someone please help me here? I tried asking on Quora, that site is useless, I still have no answer to the question. I tried stack overflow but the people on there are rude as hell and decided to close my question without even bothering to help. Reddit is off the table because of the dumb karma system and overly present mob mentality of their users which caused me to receive such bad karma (for literally no reason other than they disagreed with my opinion) that I cannot post anything on there. I have tried researching for the last couple days but cannot find any solution.
Posted
Updated 8-Mar-23 2:13am
Comments
Member 15627495 8-Mar-23 1:43am    
Hello !

- sanitize [ filter_var() ] all $var --> before all ! the rights 'input' for all next coming instructions. !!
- prefer '!empty($var)' [ if not 'empty' ] instead of 'isset($var)' , to check both if the $var is set , and if $var have a value.
- use 'require_once' , not 'require', it makes the resource loaded 1 time, instead of more ( for nothing )
- exit() now needs 'true' or 'false' as parameter for current 'php' version : exit(1);/exit(true);/exit(0);/exit(false);


one question : Is the page return 500, or you have an error message ?
Richard MacCutchan 8-Mar-23 3:35am    
Did you use PHP: password_hash - Manual[^] on the password before storing it in the database?

We can't tell - we don't have any access to your data, and that is probably significant.

So it's going to be up to you. Start with the documentation: PHP: password_verify - Manual[^] which says that the second parameter is a hashed value created by the password_hash function - so look at what the actual data returned from your DB looks like to see if it is in any way comprehensible. If it isn't, that's probably a good thing! :D
If it is the user password, then your registration system is the problem and you need to store a hashed value instead of straight text - so go look at how that works.

If it is incomprehensible, then use the password_hash function exactly as you did in your registration code on the newly entered password and see if the results match visually.

Sorry, but we can't help you with this - we have no access to your DB, to your registration code, or any idea what data the $_POST is supplying to your code!
 
Share this answer
 
I do feel like an idiot now. Turns out, it was DB problem. Password was set to 50 but minimum for hash is 60. I've set it to 255 and it all works as it should now. Thanks for the help anyway!
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900