Hi all, I have a logon system here, but upon running the code I found that even with the right username and the right password it doesn't work.
It will just echo "Sorry please try again."

Please let me know what I'm missing.


        $username = filter_has_var(INPUT_POST, 'userName') ? $_POST['userName'] : null;
        $passWD   = filter_has_var(INPUT_POST, 'pwd') ? $_POST['pwd'] : null;

        $username = trim($username);
        $passWD   = trim($passWD);

        $loginerror = array();

        if (empty($username)) {
            $loginerror[] = "You have not entered all of the required fields";
        } elseif (strlen($username) < 8 OR strlen($username) > 30) {
            $loginerror[] = "Username must include characters and numeric";
        }

        if (empty($passWD)) {
            $loginerror[] = "You have not entered all of the required fields";
        } elseif (strlen($passWD) < 8) {
            $loginerror[] = "You have not entered all of the required fields";
        }

        if (!empty($loginerror)) {
            for ($a = 0; $a < count($loginerror); $a++) {
                echo "$loginerror[$a] <br />\n";
            }
        } else {
            include 'database_conn.php';    // make db connection

            $sql  = "SELECT username, passwordHash FROM users WHERE username = ? AND passwordHash = ?";
            $stmt = mysqli_prepare($conn, $sql);    // prepare the sql statement

            mysqli_stmt_bind_param($stmt, "ss", $username, $passWD);
            mysqli_stmt_execute($stmt);    // execute the query

            mysqli_stmt_bind_result($stmt, $username, $passWDHash);

            if (mysqli_stmt_fetch($stmt)) {
                password_verify($passWD, $passWDHash);
                echo "<p>Login successful</p>";
            } else {
                echo "<p>Sorry please try again.</p>";
            }

            mysqli_stmt_close($stmt);
            mysqli_close($conn);
        }

    Assuming you have hashed the password before inserting it into the DB, then you have to hash the login attempt's password in the same way when querying the DB to see if it exists.

      Hmmm... one issue earlier was that I didn't need to query the username to see if it exists, and it worked, but I realised that when I enter a username with any other password it works. So I was trying to fix that flaw by trying to query the username together with the hashed password..

        Well, given the password from the user trying to login, you wouldn't know the salt, therefore you would be unable to verify the password. So, what you should do is to query the database for the row that matches the given username: if there is none, then clearly the login is invalid, but if there is such a row, you then retrieve the hashed password and use it with password_verify, and only if the password is verified do you consider the user authenticated.
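The flow described in the reply above (look up the row by username only, then hand the stored hash to password_verify and branch on its boolean result), written out as an added example. This is not the original poster's code: it assumes the same `users` table with `username` and `passwordHash` columns and the same `database_conn.php` providing a mysqli connection in `$conn`, and the function names `register_user` and `authenticate_user` are my own. Note that the original code discarded the return value of password_verify and compared the raw password against the hash column in the WHERE clause, which is why a correct password never matched.

```php
<?php
declare(strict_types=1);

/**
 * Registration side: store only a password_hash() digest.
 * password_hash() generates and embeds its own random salt, so no salt
 * column is needed and no salt has to be known at login time.
 */
function register_user(mysqli $conn, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($conn, "INSERT INTO users (username, passwordHash) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "ss", $username, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

/**
 * Login side: select the stored hash by username alone, then let
 * password_verify() do the comparison. The submitted password never
 * appears in the SQL at all.
 */
function authenticate_user(mysqli $conn, string $username, string $password): bool
{
    $stmt = mysqli_prepare($conn, "SELECT passwordHash FROM users WHERE username = ?");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);

    $found = mysqli_stmt_fetch($stmt);   // true on a row, null when no row, false on error
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        // Unknown username: fail with the same generic message as a wrong password.
        return false;
    }

    // This boolean is the actual login decision; the original code ignored it.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // Optional: transparently upgrade the hash if PHP's default algorithm or cost changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = mysqli_prepare($conn, "UPDATE users SET passwordHash = ? WHERE username = ?");
        if ($upd !== false) {
            mysqli_stmt_bind_param($upd, "ss", $newHash, $username);
            mysqli_stmt_execute($upd);
            mysqli_stmt_close($upd);
        }
    }
    return true;
}

// Usage in a login handler shaped like the one in the question.
include 'database_conn.php';   // assumed to provide $conn, as in the original post

$username = trim((string) ($_POST['userName'] ?? ''));
$passWD   = (string) ($_POST['pwd'] ?? '');   // passwords are not trimmed: spaces may be part of them

if ($username === '' || $passWD === '') {
    echo "You have not entered all of the required fields<br />\n";
} elseif (authenticate_user($conn, $username, $passWD)) {
    echo "<p>Login successful</p>";
} else {
    echo "<p>Sorry please try again.</p>";
}
mysqli_close($conn);
```

Both the unknown-username and wrong-password paths return the same result, so the response does not reveal which usernames exist; the password_needs_rehash branch is optional and simply keeps stored hashes current as PHP's defaults move.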
