0

I'm having trouble with a simple login form and accessing the database. For the exercise, I have to create a simple login form, access the database with SHA1 encryption, then access a members area, but whenever I try to log in, I get an invalid username/password message.

Am I storing the hashed password correctly? How do I then access it from the database? I've tried numerous times.

I know it's not good practice to hash passwords with SHA1, but this is part of the exercise I've been set, and I can't see where I'm going wrong.

dbconnect.php

<?php

   $DBhost = "localhost";
   $DBuser = "root";
   $DBpass = "";
   $DBname = "";

   $DBcon = mysqli_connect($DBhost,$DBuser,$DBpass,$DBname);

   if ($DBcon->connect_errno) {
       die("ERROR : -> ".$DBcon->connect_error);
   }

index.php

<?php
session_start();
require_once 'dbconnect.php';

if (isset($_SESSION['userSession'])!="") {
    header("Location: home.php");
    exit;
}

if (isset($_POST['btn-login'])) {

    $userName = strip_tags($_POST['userName']);
    $password = strip_tags($_POST['password']);

    $userName = $DBcon->real_escape_string($userName);
    $password = $DBcon->real_escape_string($password);

    $query = $DBcon->query("SELECT userID, userName, password 
    FROM user WHERE userName='$userName'");
    $row=$query->fetch_array();

    $count = $query->num_rows; 

    if (password_verify($password, $row['password']) 
    && $count==1) {
        $_SESSION['userSession'] = $row['userID'];
    header("Location: home.php");
    } else {
    $msg = "<div class='alert alert-danger'>
     Invalid Username or Password !</div>";
    }
    $DBcon->close();
}
?>
<!DOCTYPE html>
<html>
<body>

<div class="signin-form">

    <div class="container">


       <form class="form-signin" method="post" id="login-form">

        <h2 class="form-signin-heading">Sign In.</h2>

        <?php
        if(isset($msg)){
            echo $msg;
        }
        ?>

        <div class="form-group">
        <input type="userName" class="form-control" 
        placeholder="Username" name="userName" required />
        </div>

        <div class="form-group">
        <input type="password" class="form-control" 
        placeholder="Password" name="password" required />
    </div>


        <div class="form-group">
            <button type="submit" class="btn btn-default" 
         name="btn-login" id="btn-login"> Sign In </button> 

            <a href="register.php" class="btn btn-default" 
        style="float:right;">Sign UP Here</a>

        </div>  


      </form>

    </div>

</div>

</body>
</html>

register.php

<?php
session_start();
if (isset($_SESSION['userSession'])!="") {
    header("Location: home.php");
}
require_once 'dbconnect.php';

if(isset($_POST['btn-signup'])) {

    $userName = strip_tags($_POST['userName']);
    $email = strip_tags($_POST['email']);
    $upass = strip_tags($_POST['password']);

    $userName = $DBcon->real_escape_string($userName);
    $email = $DBcon->real_escape_string($email);
    $upass = $DBcon->real_escape_string($upass);

    $hashed_password = sha1($upass); 

    $check_email = $DBcon->query("SELECT email FROM user 
    WHERE email='$email'");
    $count=$check_email->num_rows;

    if ($count==0) {

        $query = "INSERT INTO user(userName,email,password) 
        VALUES('$userName','$email','$hashed_password')";

        if ($DBcon->query($query)) {
            $msg = "<div class='alert alert-success'>
                         successfully registered !
                    </div>";
        }else {
            $msg = "<div class='alert alert-danger'>
                         error while registering !
                    </div>";
        }

    } else {


        $msg = "<div class='alert alert-danger'>
                     sorry email already taken !
                </div>";

    }

    $DBcon->close();
}
?>
<!DOCTYPE html>
<html>
<head>

<title>Login & Registration System</title>

</head>
<body>

<div class="signin-form">

    <div class="container">


       <form class="form-signin" method="post" id="register-form">

        <h2 class="form-signin-heading">Sign Up</h2><hr />

        <?php
        if (isset($msg)) {
            echo $msg;
        }
        ?>

        <div class="form-group">
        <input type="text" class="form-control" 
         placeholder="Username" name="userName" required />
        </div>

        <div class="form-group">
        <input type="email" class="form-control" 
        placeholder="Email address" name="email" required />
        </div>

        <div class="form-group">
        <input type="password" class="form-control" 
        placeholder="Password" name="password" required />
        </div>



        <div class="form-group">
            <button type="submit" class="btn btn-default" 
            name="btn-signup">Create Account</button> 
            <a href="index.php" class="btn btn-default" 
            style="float:right;">Log In Here</a>
       </div> 

      </form>

    </div>

</div>

</body>
</html>

home.php

<?php
session_start();
include_once 'dbconnect.php';

if (!isset($_SESSION['userSession'])) {
    header("Location: index.php");
}

$query = $DBcon->query("SELECT * FROM user WHERE
userID=".$_SESSION['userSession']);
$userRow=$query->fetch_array();
$DBcon->close();

?>
<!DOCTYPE html>
<html>

logout.php

<?php
session_start();

if (!isset($_SESSION['userSession'])) {
     header("Location: index.php");
} else if (isset($_SESSION['userSession'])!="") {
    header("Location: home.php");
}

if (isset($_GET['logout'])) {
    session_destroy();
    unset($_SESSION['userSession']);
    header("Location: index.php");
}
?>
4
  • if (isset($_SESSION['userSession'])!="") for one thing, is a "false positive". That needs to be split into two separate conditions. Commented Dec 1, 2016 at 15:58
  • What had you written in your password_verify() function? Commented Dec 1, 2016 at 16:04
  • @Fred-ii- or you could just use if (!empty($_SESSION['userSession'])) Commented Dec 1, 2016 at 16:05
  • Is the exercise to learn php/Mysql or to learn how to ask questions on SO? Commented Dec 1, 2016 at 16:05

2 Answers

1

You need to encrypt the password with sha1() before the select compare:

$password = $DBcon->real_escape_string(sha1($password));
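Why the posted login always fails, as an added example that is not part of the original question or answers: register.php stores a bare sha1() hex digest, which password_verify() cannot match, and hashing before versus after escaping yields different digests for passwords that contain quotes. Function names are illustrative, the sample passwords are constructed, and addslashes() stands in for $DBcon->real_escape_string() so the script runs without a database.

```php
<?php
// Added example; function names are illustrative, not from the original post.
// addslashes() is a stand-in for $DBcon->real_escape_string() (no MySQL needed).

// What register.php stores: strip_tags, then escape, then sha1.
function register_hash(string $raw): string
{
    return sha1(addslashes(strip_tags($raw)));
}

// Login check as posted in index.php: password_verify() on the stored value.
function login_as_posted(string $raw, string $stored): bool
{
    return password_verify(addslashes(strip_tags($raw)), $stored);
}

// Login check that repeats registration's steps in the same order,
// compared with hash_equals() so the comparison is constant-time.
function login_matching(string $raw, string $stored): bool
{
    return hash_equals($stored, sha1(addslashes(strip_tags($raw))));
}

// Login check that hashes first and escapes afterwards.
// Escaping a hex digest changes nothing, so the raw password is what gets hashed.
function login_hash_then_escape(string $raw, string $stored): bool
{
    return hash_equals($stored, addslashes(sha1(strip_tags($raw))));
}

// Constructed sample passwords: one plain, one containing a single quote.
foreach (['hunter2', "o'brien-pass"] as $pw) {
    $stored = register_hash($pw);
    printf("%-14s stored=%s\n", $pw, $stored);
    // password_get_info() reports which password_hash() algorithm made the value.
    printf("  password_* algorithm: %s\n", password_get_info($stored)['algoName']);
    printf("  password_verify():    %s\n", var_export(login_as_posted($pw, $stored), true));
    printf("  sha1, same order:     %s\n", var_export(login_matching($pw, $stored), true));
    printf("  sha1, then escape:    %s\n", var_export(login_hash_then_escape($pw, $stored), true));
}
```

With a prepared statement for the lookup, the escaping step can be dropped from both scripts, which removes the ordering problem as long as registration and login hash the same bytes.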

0

I'm going to assume password_verify() is not the issue. One thing it could be is your use of $count = $query->num_rows;. Here is a snippet of the PHP documentation.

The behaviour of mysqli_num_rows() depends on whether buffered or unbuffered result sets are being used. For unbuffered result sets, mysqli_num_rows() will not return the correct number of rows until all the rows in the result have been retrieved.
