
Why didn't the other posts help?

Other posts didn't help; I am asking because none of them worked, despite there being a lot of similar questions.

More details

What I want to do is make a user log in using his password, but the passwords are hashed using bcrypt in the database.

When I try to enter the real password, it doesn't work and says that the password is incorrect.

But when I try to enter the hashed password, it says: "Successfully logged in".

How do I make it log in using the real password, not the hash?!

Code

Login.php

<!-- login form -->
<form method="post" action="loginsession.php">
    <p>Username <input type="text" name="uid" size="20"> </p>
    <p>Password <input type="password" name="pwd" size="20"> </p>
    <p><input type="submit" value="Login" name="login"></p>
</form>

Loginsession.php

<?php
session_start();
include ('dbhandler.php');   // provides $conn
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

// Compares the submitted plaintext password against the stored bcrypt hash inside SQL
$sql = "SELECT * FROM user WHERE uid='$uid' and pwd='$pwd' ";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
// Hashes the input and verifies it against that freshly made hash; the result is never used
$encrypted_pwd = password_hash($pwd, PASSWORD_DEFAULT);
$hash = password_verify($pwd, $encrypted_pwd);
$count = mysqli_num_rows($result);

if ($count == 1) {
    echo("Logging in...");
    $_SESSION['id'] = $row['id'];
    $_SESSION['uid'] = $row['uid'];
    $_SESSION['pwd'] = $row['pwd'];
    echo("<h1 style='color:green;'>Successfully Logged In</h1>");
} else {
    echo "Your Login Name or Password is invalid";
    die();
}
?>

2 Answers


There was so much wrong that a rewrite was more appropriate:

<?php
session_start();
include 'dbhandler.php'; // shouldn't be include './dbhandler.php'; ?
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

// Look the user up by username only; the password is checked in PHP, not in SQL
$sql = "SELECT * FROM user WHERE uid='".mysqli_real_escape_string($conn, $uid)."'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) === 1) {
    $row = mysqli_fetch_assoc($result);
    // password_verify() reads the salt from the stored bcrypt hash and compares
    if (password_verify($pwd, $row['pwd'])) {
        $_SESSION['id'] = $row['id'];
        $_SESSION['uid'] = $row['uid'];
        $_SESSION['pwd'] = $row['pwd']; // storing the hash in the session is unnecessary
        // redirect to "login success" page would be a better solution
        echo "<h1 style='color:green;'>Successfully Logged In</h1>";
    } else {
        echo "Invalid password";
    }
} else {
    // a different message here tells the client whether the username exists
    echo "Your login name is invalid";
}

2 Comments

I will try, then I'll inform you about whether it worked or not.
Edit: Didn't work, with both username and password correct, I got this: prntscr.com/ftfgk0
  1. You should never use textual user input as a parameter of your query. This leaves you vulnerable to SQL injection. To prevent that, either use PDO or mysqli_* (but in this case use the appropriate functions to escape the parameters), which are both well documented.

  2. You define and execute the query while passing the password as it was. You need to hash the password BEFORE you pass it to the query and pass $encrypted_pwd to the query.

  3. I recommend the usage of limit 0, 1 at the end of your query in this case, as that specifies that you are interested only in the very first matching row, if one exists, so the query stops once the user is found instead of continuing to search for users. This will optimize your query.

  4. Since you do not want to load any particular data related to the user (you only want to find out whether the user exists), you could further optimize your query by replacing select * with select 1, which will significantly reduce the size of the data your RDBMS has to send in response, as only a number will be returned and not the whole record, possibly with the user's biography.

  5. Never ever store a user's password in the session. If for some reason $_SESSION is output to the browser, that will be a serious vulnerability.

5 Comments

These are very good tips, but my question is that I want to make the login system work.
When the login starts working properly, I will think about security, usability, design, &c. But currently, I need the login to at least work.
@BorislavGridnev my answer contains the part you are asking for. You are encrypting the password AFTER you log in and you use the textual password. So I do not understand your comment, since I not only answered your question, but added more information about things to be improved as well.
I encrypt the password before login, in registration. Also, yeah, I think I should do something with $enc_pwd.
@BorislavGridnev you have this query: "SELECT * FROM user WHERE uid='$uid' and pwd='$pwd' " where $pwd is a variable directly taken from $_POST['pwd'], which is the exact, unencrypted input for the password. You need to use $encrypted_pwd inside your query instead of $pwd. And yes, you have encrypted the password when you stored it, but you did not encrypt the password the user has given you. You need to encrypt the input of the user first, THEN compare the result of that encryption with the stored encrypted password.
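Added example, not code from the question or from either answer: a login routine that looks the user up by uid with a prepared statement and leaves the password comparison to password_verify(), plus an offline check of why the "hash the input, then compare in SQL" approach suggested above cannot work with bcrypt. It assumes the same `user` table (columns id, uid, pwd) as the question, a mysqli `$conn` from dbhandler.php, and mysqlnd for get_result().

```php
<?php
// Assumed schema (from the question): user(id INT, uid VARCHAR, pwd VARCHAR)
// where pwd holds the string returned by password_hash().

// Registration: store the bcrypt hash, never the plaintext.
function storable_hash(string $plaintext): string {
    return password_hash($plaintext, PASSWORD_DEFAULT); // bcrypt, fresh random salt
}

// Login: look the user up by uid ONLY (bound parameter, no string interpolation),
// then let password_verify() compare the submitted password with the stored hash.
// Returns the user's id on success, null otherwise. Caller must have run session_start().
function login(mysqli $conn, string $uid, string $pwd): ?int {
    $stmt = $conn->prepare('SELECT id, pwd FROM user WHERE uid = ? LIMIT 1');
    $stmt->bind_param('s', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // One failure path for "no such user" and "wrong password", so the
    // response does not reveal which usernames exist.
    if ($row === null || !password_verify($pwd, $row['pwd'])) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost/algorithm.
    if (password_needs_rehash($row['pwd'], PASSWORD_DEFAULT)) {
        $new = storable_hash($pwd);
        $upd = $conn->prepare('UPDATE user SET pwd = ? WHERE id = ?');
        $upd->bind_param('si', $new, $row['id']);
        $upd->execute();
    }
    session_regenerate_id(true);   // new session id once the user is authenticated
    $_SESSION['id'] = (int) $row['id'];
    $_SESSION['uid'] = $uid;       // no password and no hash in the session
    return (int) $row['id'];
}

// Offline demonstration (no database needed): hashing the same password twice
// yields two different strings because each call picks its own salt, so a
// WHERE pwd = '<hash of input>' lookup can never match. password_verify()
// reads the salt out of the stored hash, which is why it does match.
$h1 = storable_hash('constructed-sample-password');
$h2 = storable_hash('constructed-sample-password');
var_dump($h1 === $h2);                                          // different strings
var_dump(password_verify('constructed-sample-password', $h1));  // both verify
var_dump(password_verify('constructed-sample-password', $h2));
var_dump(password_verify('wrong-password', $h1));               // rejected
```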
