CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 4 of 4

Thread: Why Unable To Login With Password_Verify ?

  1. #1
    Join Date
    Aug 2017
    Posts
    17

    Why Unable To Login With Password_Verify ?

    Php Programmers,

    Why is the password_verify failing on this script ?
    It fails to log me in to my account with the correct Username/Email and Password.
    Do check the script on your end in Xampp/Wamp.

    Thanks.

    PHP Code:
    <?php /* ERROR HANDLING */ declare(strict_types=1);
    ini_set('display_errors''1');
    ini_set('display_startup_errors''1');
    error_reporting(E_ALL);
    mysqli_report(MYSQLI_REPORT_ERROR MYSQLI_REPORT_STRICT);
    if (
    $_SERVER['REQUEST_METHOD'] == "POST") {
         if (isset(
    $_POST["login_username_or_email"]) && isset($_POST["login_password"])) {
              
    $username_or_email trim($_POST["login_username_or_email"]);
              
    // $password = $_POST["login_password"];
              
    $hashed_password password_hash($passwordPASSWORD_DEFAULT); 
              
    //Select Username or Email to check against Mysql DB if they are already registered or not.
              
    $stmt mysqli_stmt_init($conn); 
              if(
    strpos("$username_or_email""@) === true) {
                   
    $email = $username_or_email$username = ";
                   
    $query "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?"
                   
    sqli_stmt_init($stmt);
                   
    $stmt mysqli_prepare($conn$query);
                   
    mysqli_stmt_bind_param($stmt's'$email);
                   
    mysqli_stmt_execute($stmt);
                   
    $result mysqli_stmt_bind_result($stmt$db_id$db_username$db_password$db_email$db_account_activation_status);
              } else {
                   
    $username $username_or_email;
                   
    $email "";
                   
    $query "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
                   
    $stmt mysqli_prepare($conn$query);
                   
    mysqli_stmt_bind_param($stmt's'$username);
                   
    mysqli_stmt_execute($stmt);
                   
    $result mysqli_stmt_bind_result($stmt$db_id$db_username$db_password$db_email$db_account_activation_status);
              }
              
    $row mysqli_fetch_array($resultMYSQLI_ASSOC);
              
    mysqli_stmt_close($stmt);
              if (
    $result == false) {
                   echo 
    "Incorrect User Credentials 1 - (query result == FALSE on LINE 79! )!<br>";
                   exit();
              } elseif
                   (
    $row['accounts_activations_statuses'] == '0') {
                   {
                        echo 
    "You have not activated your account yet! Check your email for instructions on how to activate it. Check your spam folder if you don't find an email from us.";
                       exit(); 
                   }
              } else {
                   echo 
    "Else got triggered on LINE 98! - (query result = TRUE)!";
                   
    //This ELSE is getting triggered on the test. That means $result = TRUE;
                   
    echo "Hash from db: $db_password";
              }
              if (
    password_verify($password, (string)$row['passwords'])==true) {
                   
    $_SESSION["user"] = $username;
                   
    header("location:home.php?user=$username");
              } else {
                   echo 
    "Incorrect User Credentials 2! (Else got triggered on LINE 124. Stating: 'password_verify = FALSE');";
                   exit();
              }
         }
    }
    ?>

    <!DOCTYPE html>


    <?php $site_name?> Member Login Page


    <

    div class = "container">

    <?php $site_name ?> Member Login Form

    Username/Email:
    Password:
    It fails to log me in with the correct password. Column name: passwords. And not "password" or "Password" or "Passwords" as some might suspect I done a typo in column name when I have not.
    Last edited by 2kaud; September 19th, 2017 at 03:03 AM. Reason: Formatted code

  2. #2
    Join Date
    Aug 2017
    Posts
    17

    Re: Why Unable To Login With Password_Verify ?

    Mod,

    It seems I got the coding format wrong.
    Within which tags do I put my php code so it looks ok in this forum for others to read my php code ?

  3. #3
    2kaud's Avatar
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,262

    Re: Why Unable To Login With Password_Verify ?

    Quote Originally Posted by coding_student View Post
    Mod,

    It seems I got the coding format wrong.
    Within which tags do I put my php code so it looks ok in this forum for others to read my php code ?
    For php code, there are the php tags [ php ] and [ /php] (without the spaces). I've amended post #1. Note that these tags don't re-format the code - just display it as php code. I've manually added the new lines to make the code readable - but future postings should have the code formatted properly before pasting.
    Last edited by 2kaud; September 19th, 2017 at 02:57 AM.
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++17 Compiler: Microsoft VS2019 (16.7.4)

  4. #4
    Join Date
    Aug 2017
    Posts
    17

    Re: Why Unable To Login With Password_Verify ?

    Folks,


    It seems the issue was the "passwords" column size was too small (50 chars). Switching it to 255 should have made a difference but it did not in my test last night due to me not repopulating the column. Others in another forum suggested I repopulate and I read their suggestion just now and it is working after I repopulated it. Just sharing this knowledge on all forums I opened threads on this issue so it benefits other newbies too. I know this is nothing "learnable" for pros.
    http://www.webdeveloper.com/forum/sh...63#post1516863

    And so, this code is no longer getting the password_verify to false when I type the correct password.
    Code:
    Code:
    <?php
     
    /*
    ERROR HANDLING
    */
    declare(strict_types=1);
    ini_set('display_errors', '1');
    ini_set('display_startup_errors', '1');
    error_reporting(E_ALL);
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
     
    include 'config.php';
     
    // check if user is already logged in
    if (is_logged() === true) 
    {
    	//Redirect user to homepage page after 5 seconds.
    	header("refresh:2;url=home.php");
    	exit; //
    }
    
    
    if ($_SERVER['REQUEST_METHOD'] == "POST")
    { 
    	if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
    	{
    		$username_or_email = trim($_POST["login_username_or_email"]); //
    		$password = $_POST["login_password"];
    		
             
    		//Select Username or Email to check against Mysql DB if they are already registered or not.
    		$stmt = mysqli_stmt_init($conn);
    		
            if(strpos("$username_or_email", "@") === true)
    		{
    			$email = $username_or_email;
    			$username = "";
    			
    			$query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?";
    			// i = integer; s = string; d = double; b = blob.
    			$stmt = mysqli_prepare($conn, $query);			
    			mysqli_stmt_bind_param($stmt, 's', $email);
    			mysqli_stmt_execute($stmt);
    		    //$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
    			//Note from line below that the variables "$db_username", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, usernames, accounts_activations_statuses From users .. WHERE).
    			$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.
    		}
    		else
    		{
    			$username = $username_or_email;
    			$email = "";
    			$query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
    			// i = integer; s = string; d = double; b = blob.
    			$stmt = mysqli_prepare($conn, $query);
    			mysqli_stmt_bind_param($stmt, 's', $username);
    			mysqli_stmt_execute($stmt);
    			//$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
    			//Note from line below that the variables "$db_email", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, emails, accounts_activations_statuses From users .. WHERE).
    			$result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.#
    		}       	
    		
    		//$rownums = mysqli_num_rows($result); // To get number of row matches
    		//echo "$rownums";
    		//Which of the following to do and why that one over others ?
    		$row = mysqli_stmt_fetch($stmt);
    		//$row = mysqli_fetch_array($query, MYSQLI_ASSOC);
    		//$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    		
    		mysqli_stmt_close($stmt);
    		
    		printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
    		
    		if ($result == false)
    		{
    			echo "'$result == false' on line 73! IF got triggered on line 73! !<br>";
    			exit();
    		}
    		elseif ($row['accounts_activations_statuses'] == '0')
    		{
    			{
    				echo "You have not activated your account yet! Check your email for instructions on how to activate it. 
    				Check your spam folder if you don't find an email from us.";
    				exit();
    			}
    		}
    		else
    		{
    			echo "'$result == true' on line 73! Else got triggered on line 86! <br>";//This ELSE is getting triggered on the test. That means $result = TRUE;
    		}
    		
    		if (password_verify($password, $db_password))		
    		{
    			echo "IF triggered for password_verify! password_verify ok";
    			//If 'Remember Me' check box is checked then set the cookie. 
    			//if(!empty($_POST["login_remember"])) // Either use this line ....
    			if (isset($_POST['login_remember']) && $_post['login_remember'] == "on") // ...or this line. But not both!
    			{
    				setcookie("login_username", $username, time()+ (10*365*24*60*60));
    			}
    			else
    			{
    				//If Cookie is available then use it to auto log user into his/her account!
    				if (isset($_COOKIE['login_username']))
    				{
    					setcookie("login_username","","");
    				}
    			}
    			$_SESSION["user"] = $username;
    			header("location:home.php?user=$username");				
    		}
    		else
    		{
    			echo "Else got triggered on line 111: Incorrect User Credentials ! 'password_verify = FALSE';<br>";
    			exit();
    		}
    	}
    }
    	
    ?>
    
    <!DOCTYPE html>
    <html>
    <head>
    <title><?php $site_name?> Member Login Page</title>
      <meta charset="utf-8">
    </head>
    <body>
    <div class = "container">
    <form method="post" action="">
    <center><h3><?php $site_name ?> Member Login Form</h3></center>
    <div class="text-danger">
    <div class="form-group">
    <center><label>Username/Email:</label>
    <input type="text" placeholder="Enter Username" name="login_username_or_email" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo $_COOKIE["login_username_or_email"]; ?>"</center>
    </div>
    <div class="form-group">
    <center><label>Password:</label>
    <input type="password" placeholder="Enter password" name="login_password" value="<?php if(isset($_COOKIE["login_password"])) echo $_COOKIE["login_password"]; ?>"></center>
    </div>
    <div class="form-group">
    <center><label>Remember Login Details:</label>
    <input type="checkbox" name="login_remember" /></center>
    </div>
    <div class="form-group">
    <center><input type="submit" name="login_submit" value="Login" class="button button-success" /></center>
    </div>
    <div class="form-group">
    <center><font color="red" size="3"><b>Forgot your password ?</b><br><a href="login_password_reset.php">Reset it here!</a></font></center>
    <center><font color="red" size="3"><b>Not registered ?</b><br><a href="register.php">Register here!</a></font></center>
    </form>
    </div>
    </body>
    </html>
    I am making a few changes on the above post's mentioned code because I was told in that forum (which I mentioned in my previous post):

    1. Checking if $result is true/false is meaningless, as it will always be true if my code is bug-free, and likely always false if not.
    2. Similarly, mysqli_stmt_fetch() will return true if it found a result row, otherwise false.
    I, instead need to check the value bound to $db_password to see if it's correct. So it might be something like:

    Code:
    if($row && password_verify($password, $db_password)) {
    // good to go...
    }
    I have been advised 6 nights ago there on that forum to trim down my code to this:
    Code:
    if ($_SERVER['REQUEST_METHOD'] == "POST") // not really needed since you're checking $_POST
    {
        if (isset($_POST["login_username"]) && isset($_POST["login_password"])) {
            $username = trim($_POST["login_username"]); //
            $password = trim($_POST["login_password"]); //
            $hashed_password = password_hash($_POST["login_password"], PASSWORD_DEFAULT);
            $sql = "
    SELECT
      ids,
      usernames, 
      passwords, 
      emails, 
      accounts_activations_statuses 
    FROM users 
    WHERE usernames = ?
      AND passwords = ?
    ";
            $stmt = mysqli_prepare($conn, $sql);
            mysqli_stmt_bind_param($stmt, 'ss', $username, $hashed_password);
            mysqli_stmt_execute($stmt);
            if (mysqli_stmt_num_rows($stmt)) {
                // found a match, we're good to go...
            } else {
                // whatever you do when user/password not found...
            }
        }
    }
    This forum Mod also managed to figure it that I got the column size wrong:
    https://www.webmastersun.com/threads...-logging-me-in
    Last edited by coding_student; September 25th, 2017 at 05:08 PM.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Windows Mobile Development Center


Click Here to Expand Forum to Full Width




On-Demand Webinars (sponsored)