I'm setting up a very basic login page using PHP, but for some reason, no matter what username or password I put in, it automatically takes me to the logged-in page (Home Page), even if that particular username/password isn't even registered in the database.

I feel like the fact that I copied some of the code from the register page might've been my downfall.

    //log user in from the login Page
    if (isset($_POST['login'])) {
      if (empty($_POST['username'])) {
          array_push($errors, "Username is required");
      }
      if (empty($_POST['password'])) {
          array_push($errors, "Password is required");
      }
      if (count($errors) == 0) {
        $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
        $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
          // log user in
          $_SESSION['username'] = $username;
          $_SESSION['success'] = "You are now logged in";
          header('location: index.php'); //redirect to home page
        }else {
          array_push($errors, "The username/password combination is incorrect");
        }
      }
Dharman
  • Although you set `$query` with the query, you don't actually execute it (you should also use a prepared statement). You also shouldn't have the password in the SQL; you should retrieve the password and then use [`password_verify()` to check it](https://stackoverflow.com/questions/30279321/how-to-use-password-hash). – Nigel Ren Sep 15 '19 at 06:19
  • Your code is vulnerable to SQL injections; always properly escape user input. – Umer Abbas Sep 15 '19 at 06:21

1 Answer

Because the query for checking the username and password is never executed.

    $con = new mysqli(HOST, USERNAME, PASSWORD, DATABASE);
    if ($con->connect_error) {
        array_push($errors, "Fatal Error: Can't connect to database: " . $con->connect_error);
        exit();
    }

    if (isset($_POST['login'])) {
        if (empty($_POST['username'])) {
            array_push($errors, "Username is required");
        }
        if (empty($_POST['password'])) {
            array_push($errors, "Password is required");
        }
        if (count($errors) == 0)
        {
            // Read the submitted credentials from the form
            $username = $_POST['username'];
            $password = $_POST['password'];

            $stmt = $con->prepare("SELECT username,password FROM users WHERE username=?");
            $stmt->bind_param('s', $username);
            if ($stmt->execute())  // Query executed correctly
            {
                $stmt->bind_result($u_name, $hash_pwd); // bind the returned columns to variables
                $stmt->store_result();
                if ($stmt->num_rows == 1)  // Check that the user exists
                {
                    if ($stmt->fetch())
                    {
                        if (password_verify($password, $hash_pwd))
                        {
                            $_SESSION['username'] = $u_name;
                            $_SESSION['success'] = "You are now logged in";
                            header('location: index.php'); // redirect to home page
                            exit(); // stop the script once the redirect header is sent
                        }
                        else
                        {
                            array_push($errors, "Incorrect password !");
                            exit();
                        }
                    }
                }
                else  // $stmt->num_rows is 0: no matching row
                {
                    array_push($errors, "No such username exists !");
                    exit();
                }
            }
            else  // $stmt->execute() returned false
            {
                array_push($errors, "Error occurred during executing SQL query");
                exit();
            }

            $stmt->close();
        }
    }

You can also use `get_result` instead of `bind_result`.

Mukul Kumar Jha
  • @dharman I'm still not sure what you mean by password warning (is it about using `password_verify`?) – Mukul Kumar Jha Sep 15 '19 at 12:45
  • Yes. I meant to use `password_verify`. I would not recommend using `exit` in the places you used it, and I would recommend enabling MySQLi exceptions. https://stackoverflow.com/a/22662582/1839439 – Dharman Sep 15 '19 at 14:40
  • @MukulKumarJha Why do I get this error ``Fatal error: Uncaught Error: Call to a member function prepare() on null in C:\xampp\htdocs\Resgistration\server.php:53 Stack trace: #0 C:\xampp\htdocs\Resgistration\login.php(1): include() #1 {main} thrown in C:\xampp\htdocs\Resgistration\server.php on line 53`` – CasarollChicken Sep 17 '19 at 23:13
  • Line 53 refers to `$stmt = $con->prepare("SELECT username,password FROM users WHERE username=?");` – CasarollChicken Sep 17 '19 at 23:13
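
The comments above suggest enabling MySQLi exceptions instead of calling `exit`, and the answer mentions `get_result`; the following is an added example combining both, not code from anyone in the thread. It assumes the answer's `users` table and `HOST`/`USERNAME`/`PASSWORD`/`DATABASE` constants, the mysqlnd driver (needed for `get_result()`), and a hypothetical helper named `check_login`.

```php
<?php
// Added example, not code from the thread. Assumes the answer's users table
// and its HOST, USERNAME, PASSWORD, DATABASE constants are already defined.

// Make mysqli throw mysqli_sql_exception on failure instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// check_login() is a hypothetical helper: returns the stored username on
// success, or null when the user is unknown or the password does not match.
function check_login(mysqli $con, string $username, string $password): ?string
{
    $stmt = $con->prepare("SELECT username, password FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matched
    $stmt->close();

    // The stored hash is checked in PHP, not in the WHERE clause:
    // password_hash() uses a random salt, so a fresh hash never equals it.
    if ($row && password_verify($password, $row['password'])) {
        return $row['username'];
    }
    return null;
}

session_start();
$errors = [];

if (isset($_POST['login'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    // Reject missing fields and array-valued input such as username[]=x
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        $errors[] = "Username and password are required";
    } else {
        $con = new mysqli(HOST, USERNAME, PASSWORD, DATABASE);
        $user = check_login($con, $username, $password);
        if ($user !== null) {
            session_regenerate_id(true); // fresh session id for the logged-in session
            $_SESSION['username'] = $user;
            $_SESSION['success'] = "You are now logged in";
            header('Location: index.php');
            exit; // nothing else should run after the redirect
        }
        // One message for both failure cases, so the form does not reveal
        // which usernames exist.
        $errors[] = "The username/password combination is incorrect";
    }
}
```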