0

Need help with my login.php. Num_Rows always comes up with 0, and I have encrypted passwords in my db, please help. I'll post login.php

the num_rows function always returns 0 and i have tried everything to fix it and nothing works!

login.php

<?php
    session_start();
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    include_once "functions/functions.php";


    $db = mysqli_connect('localhost', 'root', 'root', 'accounts');


    if (isset($_POST['submit'])) {
        // username and password sent from form

        $username = mysqli_real_escape_string($db, $_POST['username']);
        $password = mysqli_real_escape_string($db, $_POST['password']);
        $hash     = password_hash($password, PASSWORD_DEFAULT);



        $sql    = "SELECT id FROM users WHERE username = '$username' and password = '$hash'";
        $result = mysqli_query($db, $sql);

        $row    = mysqli_fetch_array($result);
        $active = $row['username'];

        $count = mysqli_num_rows($result);
        echo $count;
        // If result matched $myusername and $mypassword, table row must be 1 row

        if ($count == 1) {
            $_SESSION['username']   = $active;
            $_SESSION['login_user'] = $username;

            echo "Welcome to the site! " . $username;
        } else {
            $error = "Your Login Name or Password is invalid";
            echo $error;
        }
    }
    //Start the Session

    $connection = mysqli_connect('localhost', 'root', 'root', 'accounts');
    //3. If the form is submitted or not.
    //3.1 If the form is submitted
    if (isset($_POST['submit'])) {
        //3.1.1 Assigning posted values to variables.
        $username = mysqli_real_escape_string($connection, $_POST['username']);
        $password = mysqli_real_escape_string($connection, $_POST['password']);
        $hash     = password_hash($password, PASSWORD_DEFAULT);
        //3.1.2 Checking the values are existing in the database or not
        $query    = "SELECT username FROM users WHERE username='$username' AND password='$hash'";

        $result = mysqli_query($connection, $query) or die(mysqli_error($connection));
        mysqli_store_result($connection);
        $count = mysqli_num_rows($result);
        $aff   = mysqli_affected_rows($connection);
        //3.1.2 If the posted values are equal to the database values, then session will be created for the user.
        if ($count == 1) {
            $_SESSION['username'] = $username;
            echo $username;
        } else {
            //3.1.3 If the login credentials doesn't match, he will be shown with an error message.
            $fmsg = "Invalid Login Credentials.";
        }
    }
    //3.1.4 if the user is logged in Greets the user with message

    //3.2 When the user visits the page first time, simple login form will be displayed.
?>

register.php

<?php
    session_start();
    include_once "functions/functions.php";

    $username  = $_POST['username'];
    $firstname = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $password  = password_hash($_POST['password'], PASSWORD_DEFAULT);
    $errors    = array();

    /* Attempt MySQL server connection. Assuming you are running MySQL
    server with default setting (user 'root' with no password) */
    $link = mysqli_connect("localhost", "root", "root", "accounts");

    // Check connection
    if ($link === false) {
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }

    // Attempt insert query execution
    if (isset($_POST['register'])) {
        $sql = "INSERT INTO users (first_name, last_name, username, password) 
        VALUES ('$username', '$firstname', '$lastname', '$password')";

        if (mysqli_query($link, $sql)) {
            echo "Registered successfully!";
        } else {
            echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
        }
    }

    $usrlogged = $_SESSION['username'];
    $sql       = "SELECT username FROM users WHERE username = '$usrlogged'";

    if (isset($_SESSION['username'])) {
        mysqli_query($link, $sql);
        echo $_SESSION['username'];
    }

    // Close connection
    mysqli_close($link);
?>
GrumpyCrouton
  • 8,486
  • 7
  • 32
  • 71
Ewan Cullen
  • 1
  • 3
    `password_hash()` will create a new hash every time you call it, even with the same password, so it won't match what you have stored in the databse. Use `password_verify()` to validate a typed password against a stored one. – Alex Howansky Jun 29 '17 at 20:06
  • And protect yourself from [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks by using prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jun 29 '17 at 20:07

1 Answers1

1

Use Password verify function

Change your code like this

$sql = "SELECT id, username, password FROM users WHERE username = '$username'";
$result = mysqli_query($db, $sql);

if ($result) {
  // Return the number of rows in result set
  $rowcount = mysqli_num_rows($result);
  if ($rowcount == 1) {
    $row = mysqli_fetch_array($result);
    $verify = password_verify($password, $row['password']);
    if ($verify) {
      $_SESSION['username'] = $row['username'];
      $_SESSION['login_user'] = true;

      echo "Welcome to the site! " . $username;
    } else {
      $error = "Your Login Name or Password is invalid";
      echo $error;
    }
  }
} else {
 echo "Query Failed";
}
Muhammad Usman
  • 1,403
  • 13
  • 24