0

I am new to PHP and MySQL and I am making a login script for an admin, but I can't seem to find the problem with the code below. The username and password are still incorrect even though they exist in the database and were entered correctly in the form.

Here is the screenshot of my "admin" table

<?php

if(isset($_POST['adminlogin-submit'])){

    require 'dbh.inc.php';

    $username = $_POST['adminusername'];
    $password = $_POST['adminpassword'];

    if(empty($username) || empty($password)){
        header("Location: ../adminlogin.php?error=emptyfields");
        exit();
    }
    else{
        $sql = "SELECT * FROM admin WHERE username=?;";
        $stmt = mysqli_stmt_init($conn);
        if(!mysqli_stmt_prepare($stmt, $sql)){
            header("location: ../adminlogin.php?error=sqlerror");
            exit();
        }
        else{
            mysqli_stmt_bind_param($stmt, "s", $username);
            mysqli_stmt_execute($stmt);
            $result = mysqli_stmt_get_result($stmt);
            if($row = mysqli_fetch_assoc($result)){
                $passwordCheck = password_verify($password, $row['password']);
                if($passwordCheck == false){
                    header("location: ../adminlogin.php?error=wrongpassword");
                    exit();
                }
                else if($passwordCheck == true){
                    session_start();
                    $_SESSION['id'] = $row['id'];
                    $_SESSION['adminusername'] = $row['username'];

                    header("location: ../adminlogin.php?login=success");
                    exit();
                }
                else{
                    header("location: ../adminlogin.php?error=unknownerror");
                    exit();
                }
            }
            else{
                header("location: ../adminlogin.php?error=nouser");
                exit();
            }
        }
    }
}
else{
    header("location: ../adminlogin.php");
    exit();
}
brombeer
Doxx21
  • Storing passwords as plain text is never a good idea. https://www.php.net/manual/en/function.password-hash.php – brombeer Apr 04 '20 at 09:55
  • Yes, thank you for the reminder. I was planning on hashing them later on but now I know that password_verify takes a hash for the second parameter. Thanks! – Doxx21 Apr 04 '20 at 10:02

1 Answer

-1

password_verify takes a hash of the password as its second parameter, not the password itself. In the table, the value in the password field should not be the plain password, but its hash.

Check password_hash.

To insert the correct hashed password into your table, use

// Hash the password once; store this value, not the password itself
$hashed_password = password_hash( $password, PASSWORD_DEFAULT );

// Write the hash back with a prepared statement
$sql = "UPDATE admin SET password = ? WHERE username=?";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_prepare($stmt, $sql) or die("SQL error");
mysqli_stmt_bind_param($stmt, "ss", $hashed_password, $username);
mysqli_stmt_execute($stmt);

draz
  • I see. Initially, I used this same code for a customer login but the data came from a table where passwords are hashed. This answer has helped a lot. Thank you very much! – Doxx21 Apr 04 '20 at 10:01
  • 1
    but the answer is still **unsecure** https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – nbk Apr 04 '20 at 10:03
  • I agree, this query should only be used to update the existing entries in the table. – draz Apr 04 '20 at 10:06
  • Then change it please, everyone has to use prepared statements, to get used to it, independent of what purpose or for what language – nbk Apr 04 '20 at 10:11
  • I can take my downvote away if you fix the SQL injection you have introduced. – Dharman Apr 04 '20 at 11:58
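
The fix described in the answer, as an added example that is not part of the original answer or the asker's code: it runs the login check against a row that still holds plaintext, migrates such rows to hashes without touching rows that are already hashed, and runs the check again. The in-memory `$rows` array, the sample usernames and passwords, and the helper names `is_password_hash`, `migrate_plaintext_rows` and `check_login` are all constructed for illustration.

```php
<?php
// Added example. Constructed rows stand in for the "admin" table:
// one still holds a plaintext password, one is already hashed.
$rows = [
    ['id' => 1, 'username' => 'alice', 'password' => 'S3cret-Example!'],
    ['id' => 2, 'username' => 'bob',
     'password' => password_hash('Another-Example1', PASSWORD_DEFAULT)],
];

// True when the stored value is a hash password_verify() can check.
// password_get_info() reports 'algo' as null (PHP >= 7.4) or 0 (older
// versions) for any string that is not a recognised hash.
function is_password_hash(string $stored): bool
{
    return !empty(password_get_info($stored)['algo']);
}

// One-time migration: hash rows that still hold plaintext and skip rows
// that are already hashed, so a second run never double-hashes.
// Returns the ids of the rows that were changed.
function migrate_plaintext_rows(array &$rows): array
{
    $changed = [];
    foreach ($rows as &$row) {
        if (!is_password_hash($row['password'])) {
            $row['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
            $changed[] = $row['id'];
        }
    }
    unset($row); // drop the reference left behind by foreach
    return $changed;
}

// Same check as the login script: look the user up, then password_verify().
function check_login(array $rows, string $username, string $password): bool
{
    foreach ($rows as $row) {
        if ($row['username'] === $username) {
            return password_verify($password, $row['password']);
        }
    }
    return false;
}

var_dump(check_login($rows, 'alice', 'S3cret-Example!')); // before migration
var_dump(migrate_plaintext_rows($rows));                  // ids that were hashed
var_dump(check_login($rows, 'alice', 'S3cret-Example!')); // after migration
var_dump(migrate_plaintext_rows($rows));                  // second run
```

Against the real table, each changed row would be written back with the prepared UPDATE from the answer. The password column must be wide enough to hold the full hash (the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`), since a truncated hash also makes `password_verify` fail.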