Help

[BeatMyMeme]

I need some help as my PHP Login system won't let me login it says incorrect even though it's correct.


CODE

<?php

//START SESSION
session_start();

if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] == true){
header("location: welcome.php");
exit;
}

//Including the config file
require_once "config.php";

// Define the variables with empty values
$username = $password = "";
$username_err = $password_err = "";

// Process data when the form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

// Check if username is there
if(empty(trim($_POST["username"]))){
$username_err = "Please enter a username.";
} else{
$username = trim($_POST["username"]);
}

// Check if password is empty
if(empty(trim($_POST["password"]))){
$password_err = "Please enter your password";
} else{
$password = trim($_POST["password"]);
}

// Check if there credentials are correct
if(empty($username_err) && empty($password_err)){
// Prepare a select statement
$sql = "SELECT id, username, password FROM users WHERE username = ?";

if($stmt = mysqli_prepare($link, $sql)){
// Bine Variable As Parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);

// Set Param
$param_username = $username;

// Attempt Statement
if(mysqli_stmt_execute($stmt)){
//Store
mysqli_stmt_store_result($stmt);

// Check if username exists
if(mysqli_stmt_num_rows($stmt) == 1){
// Bind result
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashedpassword)){
// Password correct so start a new session
session_start();

// Store Data

$_SESSION["loggedin"] = true;
$_SESSION["id"] = $id;
$_SESSION["username"] = $username;

// Redirection
header("location: welcome.php");
} else{
// Display error if password is incorrect.
$password_err = "Password Incorrect";
}
}
} else {
// Display error if username does not exist
$username_err = "Incorrect Username";
}
} else {
echo "Oops, something has gone wrong.";
}
}

// Close Statement
mysqli_stmt_close($stmt);
}

// Close Connection
mysqli_close($link);
}
?>




<!DOCTYPE html>
<html lang="en">
<head>
<title> Login - Very Easily </title>


<link rel="stylesheet" type="text/css" href="css/main.css" />
<link rel="https://stackpath.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.bundle.min.js">
<link rel="stylesheet" type="text/css" href="css/bootstrap.css" />
</head>
<body>
<div class="container">
<div class="row">
<div class="col-sm-9 col-md-7 col-lg-5 mx-auto">
<div class="card card-signin my-5">
<div class="card-body">
<h5 class="card-title text-center">Sign In</h5>
<form class="form-signin" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
<div class="form-label-group">
<input type="text" name="username" class="form-control" placeholder="username" required autofocus <?php echo (!empty($username_err)) ? 'has-error' : ''; echo $username; ?>
<span class="help-block"><?php echo $username_err; ?></span>
<label for="username">Username</label>
</div>

<div class="form-label-group">
<input type="password" id="inputPassword" name="password" class="form-control" placeholder="password" required <?php echo (!empty($password_err)) ? 'has-error' : ''; ?>
<span class="help-block"><?php echo $password_err; ?></span>
<label for="inputPassword">Password</label>
</div>

<div class="custom-control custom-checkbox mb-3">
<input type="checkbox" class="custom-control-input" id="customCheck1">
<label class="custom-control-label" for="customCheck1">Remember password</label>
</div>
<button class="btn btn-lg btn-primary btn-block text-uppercase" type="submit">Sign in</button>
</form>
</div>
</div>
</div>
</div>
</div>

</body>

 

[Harry]

It really isn't the most efficient script, which makes it hard to debug things like this. To start off with, I would go through and var_dump your SQL query result, to make sure that a user from the database is returned.

If you need help doing this, add me on Discord: Majored#8062

 

[BeatMyMeme]

Added

It really isn't the most efficient script, which makes it hard to debug things like this. To start off with, I would go through and var_dump your SQL query result, to make sure that a user from the database is returned.

If you need help doing this, add me on Discord: Majored#8062

 

[Kuchy]

I think this might your issue:

// Bine Variable As Parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);

// Set Param
$param_username = $username;

You're making mysqli_stmt_bind_param have a variable that's not created yet until after that line.
Switch those two around and that might help.

 

[John Willikers]

So, one tip is to always Post the Stacktrace as well as the code. Makes debugging way easier.

Another thing I don't see you hashing the password and checking the DB for the hashed password. This is a huge security violation. If your database gets breached the hackers will have plain passwords. You should always hash and sprinkle some salts in as well.

Also I would recommend working with a framework. There is no reason be fumbling your head with a login system. In laravel you can make the project and then use the included CLI to setup Auth which sets up a Register/Login form, DB tables, and sets up middleware. So instead of you spending time rebuilding the wheel you can spend more time building a beautiful application.

I'm gonna leave you with a video which is a Part 1. The first episode is mostly Powerpoint which is explaining key features like Routing, Models, Middleware, etc. Then in later videos shows you how to get a dev enviroment going(He does windows let me know if you need help setting it up on linux) and then builds some starter applications.

But it walks you through Routing Get and Post requests and also shows you how to use The Blade Template Engine.



Also if Documentation is more your style they have well written Documentation https://laravel.com/docs/5.7

 

[bigchz]

I am currently having the exact same problem, with the exact same code. Did you figure out the solution yet? If so could you please share the info. I know it is something probably simple. Thanks for any help.