
I'm not very experienced in programming. I want to build a login system in PHP with some security measures in it. I consulted a video on YouTube to help me and I found this one: https://www.youtube.com/watch?v=pIO0pmMTJ6Y&list=PLiJgIxJAg1VZqxDFL1Lp9VTm8PRfFeQ-o&index=18&t=5666s

The problem is that it doesn't include any password hashing function, so I added it myself in signup.php and it works!!! But now I'm not able to log in to the site with a password created on the signup page. I tried to change the login.php code but didn't have success. What do I have to do to resolve this?

signup.php

<?php
require "../private/autoload.php";
$Error      ="";
$email      = "";
$username   = "";

if($_SERVER["REQUEST_METHOD"]=="POST")
{
    $email =$_POST["email"];
    if(!preg_match("/^[\w\-]+@[\w\-]+.[\w\-]+$/",$email))
        {
        $Error = "Please enter a valid email";
        }
    
    $date = date ("Y-m-d H:i:s");
    $url_address = get_random_string(60);
    $username = trim($_POST["username"]);

    if(!preg_match("/^[a-zA-Z]+$/",$username))
        {
        $Error = "Please enter a valid username";
        }
        $username = esc($username);
        $password = esc($_POST["password"]);
        $passwordhashed = password_hash($password,PASSWORD_DEFAULT);
        $arr = false;
        $arr['email']= $email;
        $query = "SELECT * FROM USERS WHERE email = :email limit 1";
        $stm = $connection->prepare($query);
        $check = $stm->execute($arr);
        
        if($check)  
            {
            $data = $stm->fetchAll(PDO::FETCH_OBJ);
            if(is_array($data) && count ($data) > 0)
                {
                $Error = "Someone is already using that email";
                }
            }

    if($Error =="")
        {
        $arr['url_address'] = $url_address;
        $arr['date'] = $date;
        $arr['username'] = $username;
        $arr['password'] = $passwordhashed;
        $arr['email'] = $email;
        $query = "insert into users(url_address,username,password,email,date) values(:url_address,:username,:password,:email,:date)";
        $stm = $connection->prepare($query);
        $stm->execute($arr);
        header ("Location: login.php");
        die;
        }
    
}

?>

<!DOCTYPE html>
<html>
    <head>
            <title>
                Signup
            </title>
        <h1 style="text-align:center"><span style="font-family:Arial,Helvetica,sans-serif"><strong>Bem-Vindo ao Website</strong></span></h1>
        <h2 style="text-align:center"><span style="color:#999999"><span style="font-family:Arial,Helvetica,sans-serif"><strong>Faz o teu signup para acederes ao site</strong></span></span></h2>
        <p><span style="font-family:Arial,Helvetica,sans-serif"><strong>&nbsp;&nbsp;</strong></span></p>
        <p style="text-align:center">&nbsp;</p>
        <p style="text-align:center">&nbsp;&nbsp;</p>


        <body style="font-family: verdana">
            <style type="text/css">
                form {
                    margin: auto;
                    border: solid thin #aaa; 
                    padding: 1px;
                    max-width: 200px;

                }

                #title {
                    background-color: #256972;
                    padding: 1cm;
                    text-align: center;
                    color: white;
                }   

                #textbox {
                    border: solid thin #aaa;
                    margin-top: 6px;
                    width: 98%;
                }
            </style>

            <form method="post">
                <div><?php
                    if(isset($Error) && $Error != "")
                    {
                        echo $Error;
                    }
                    ?>
                <div id="title">Signup</div>
                <input id="textbox" type="text" name="username" value="<?=$username?>" placeholder="username" required><br>
                <input id="textbox" type="email" name="email" value="<?=$email?>"  placeholder="email" required><br>
                <input id="textbox" type="password" name="password" placeholder="password" required><br><br>
                <input type="submit" value="Signup">
            </form>
        </body>
     </head>
</html>

login.php

<?php

require "../private/autoload.php";
$Error = "";


if($_SERVER["REQUEST_METHOD"]=="POST" && isset ($_SESSION ['token']) && isset ($_POST ['token']) && $_SESSION ['token'] == $_POST["token"])
{

    $email =$_POST["email"];
    if(!preg_match("/^[\w\-]+@[\w\-]+.[\w\-]+$/",$email))
        {
        $Error = "Please enter a valid email";
        }
    $password = ($_POST["password"]);
    $passwordhashed = password_hash($password,PASSWORD_DEFAULT);

    if($Error ==""){
        $arr['password'] = $passwordhashed;
        $arr['email'] = $email;

        $query = "SELECT * FROM USERS WHERE email = :email && password = :password limit 1";
        $check = $stm->execute($arr);
        
        if($check){
            $data = $stm->fetchAll(PDO::FETCH_OBJ);
            if(is_array($data) && count ($data) > 0){
                
                $data = $data[0];
                $_SESSION['username'] = $data->username;
                $_SESSION['url_address'] = $data->url_address;
                header ("Location: index.php");
                die;

            }
            
        }
        
    }
    $Error = "Wrong email or password";
    
}


$_SESSION ['token'] = get_random_string(60);

?>

<!DOCTYPE html>
<html>
    <head>
        <title>Login</title>
        <body style="font-family: verdana">
            <style type="text/css">
                form {
                    margin: auto;
                    border: solid thin #aaa; 
                    padding: 1px;
                    max-width: 200px;

                }

                #title {
                    background-color: #256972;
                    padding: 1cm;
                    text-align: center;
                    color: white;
                }   

                #textbox {
                    border: solid thin #aaa;
                    margin-top: 6px;
                    width: 98%;
                }


            </style>

            <form method="post">
                <div><?php
                    if(isset($Error) && $Error != "")
                    {
                        echo $Error;
                    }
                ?>
                <div id="title">Login</div>
                <input id="textbox" type="email" name="email" placeholder="email" required><br>
                <input id="textbox" type="password" name="password" placeholder="password" required><br><br>
                <input type="hidden" name="token" value="<?=$_SESSION ['token']?>">
                <input type="submit" value="Login">
            </form>
        </body>
    </head>
</html>

function.php

<?php
function get_random_string ($length)
{
    $array = array (0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');
    $text = "";
    $lenght = rand(4,$length);

    for ($i=0;$i<$lenght;$i++) {
        $random = rand(0,61);
        $text .=$array[$random];
    }
    return $text;
}


function esc($word)
{
    return addslashes ($word);
}


function check_login ($connection)
{
    if(isset($_SESSION['url_address']))
    {
        $arr['url_address'] = $_SESSION['url_address'];
        
        $query = "SELECT * FROM USERS WHERE url_address = :url_address limit 1 && password = :password limit 1";
        $stm = $connection->prepare($query);
        $check = $stm->execute($arr);

        if($check)
        {
            $data = $stm->fetchAll(PDO::FETCH_OBJ);
            if(is_array($data) && count ($data) > 0)
                {
                return $data[0];
                }
        }
    }
    header("Location: login.php");
    die;
}
  • I believe you are missing [`password_verify`](https://www.php.net/manual/en/function.password-verify.php) somewhere; read the docs. – Bagus Tesa Jul 13 '22 at 08:18
  • Does this answer your question? [How to use PHP's password\_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – Bagus Tesa Jul 13 '22 at 08:18
  • What does `esc()` do? If it is escaping the string: why escape at this place? – Wiimm Jul 13 '22 at 08:59
  • There is no reason to apply `esc` to any of the values if you are using prepared statements properly. The correct way to test that the password is correct is to fetch the hashed password from the database and do `password_verify`. There is no need to use the `password` in the query in the function `check_login`. – DarkBee Jul 13 '22 at 09:02
  • Furthermore, you need to test whether your query is throwing errors. Looking at the `check_login` function I see your statement is expecting two variables, but you are only passing one (which is also incorrect, see my comment above). Questions should focus on only one problem and contain the minimal code to reproduce it. There is no point in providing the whole signup process if this already works. – DarkBee Jul 13 '22 at 09:09
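The following is an added, self-contained example (not the asker's code and not from the linked video) that puts the comments above into working PHP: the login looks the row up by email only and compares the submitted password against the stored hash with `password_verify()`, no `esc()`/`addslashes()` is applied because the prepared statements do the quoting, `check_login` binds only `:url_address`, and PDO is put into exception mode so a failing query does not silently return `false`. It uses an in-memory SQLite database (assumes the `pdo_sqlite` extension) with the same table and column names as the question; the function names, the sample user and the `$session` array parameter are assumptions for the demo.

```php
<?php
// Added example: hash-then-verify login flow with PDO. Constructed data only.
declare(strict_types=1);

function make_connection(): PDO
{
    $connection = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of letting execute() return false unnoticed.
    $connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $connection->exec("CREATE TABLE users (
        url_address TEXT, username TEXT, password TEXT, email TEXT, date TEXT)");
    return $connection;
}

function signup(PDO $connection, string $email, string $username, string $password, string $url_address): void
{
    // No esc()/addslashes(): the prepared statement handles quoting. Only the hash is stored.
    $stm = $connection->prepare(
        "INSERT INTO users (url_address, username, password, email, date)
         VALUES (:url_address, :username, :password, :email, :date)");
    $stm->execute([
        'url_address' => $url_address,
        'username'    => $username,
        'password'    => password_hash($password, PASSWORD_DEFAULT),
        'email'       => $email,
        'date'        => date('Y-m-d H:i:s'),
    ]);
}

// Returns the user row on success, null on failure. The password is never part of
// the WHERE clause: fetch the row by email, then compare the hash in PHP.
function login(PDO $connection, string $email, string $password): ?object
{
    $stm = $connection->prepare("SELECT * FROM users WHERE email = :email LIMIT 1");
    $stm->execute(['email' => $email]);
    $user = $stm->fetch(PDO::FETCH_OBJ);

    // Verify against a throwaway hash when the email is unknown, so an unknown
    // account costs about the same time as a wrong password.
    $stored = $user ? $user->password : password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    if (!$user || !password_verify($password, $stored)) {
        return null;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since signup.
    if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
        $upd = $connection->prepare("UPDATE users SET password = :password WHERE email = :email");
        $upd->execute(['password' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email]);
    }
    return $user;
}

// Session lookup by url_address only: one placeholder, one bound value.
// ($session stands in for $_SESSION so the function can be called outside a web request.)
function check_login(PDO $connection, array $session): ?object
{
    if (!isset($session['url_address'])) {
        return null;
    }
    $stm = $connection->prepare("SELECT * FROM users WHERE url_address = :url_address LIMIT 1");
    $stm->execute(['url_address' => $session['url_address']]);
    $user = $stm->fetch(PDO::FETCH_OBJ);
    return $user ?: null;
}

// Demo with constructed data.
$connection = make_connection();
$url = bin2hex(random_bytes(30)); // 60 characters from a CSPRNG rather than rand()
signup($connection, 'alice@example.com', 'alice', 'correct horse battery', $url);

var_dump(login($connection, 'alice@example.com', 'correct horse battery') !== null);
var_dump(login($connection, 'alice@example.com', 'wrong password') === null);
var_dump(login($connection, 'nobody@example.com', 'anything') === null);
var_dump(check_login($connection, ['url_address' => $url])->username === 'alice');
```

Run it with `php example.php`; the first and last `var_dump` lines show the successful login and session lookup, the middle two show that a wrong password and an unknown email are rejected the same way. Because the hash is generated with a random salt on every signup, hashing the submitted password again at login (as login.php in the question does) can never produce the value stored in the database, which is why `password_verify()` has to be used instead.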

0 Answers