I have a database and 2 PHP files.
Could not log you in.
I cannot log in and I don't know why.
Maybe sha1.

CREATE DATABASE auth;

USE auth;

CREATE TABLE authorized_users (
userid VARCHAR(30) NOT NULL PRIMARY KEY,
password VARCHAR(30) NOT NULL
);

INSERT INTO authorized_users (userid, password) VALUES
('testuser','password'),
('webauth','webauth');

GRANT ALL PRIVILEGES
ON auth.*
TO webauth@localhost
IDENTIFIED BY 'webauth';


authmain.php
<?php
session_start();

if (isset($_POST['userid']) && isset($_POST['password']))
{
  // if the user has just tried to log in
  $userid = $_POST['userid'];
  $password = $_POST['password'];

  $db_conn = new mysqli('localhost', 'webauth', 'webauth', 'auth');

  if (mysqli_connect_errno()) {
    echo 'Connection to database failed:'.mysqli_connect_error();
    exit();
  }

  $query = "select * from authorized_users where 
            userid='".$userid."' and 
            password=sha1('".$password."')";

  $result = $db_conn->query($query);
  if ($result->num_rows)
  {
    // if they are in the database register the user id
    $_SESSION['valid_user'] = $userid;
  }
  $db_conn->close();
}
?>
<!DOCTYPE html>
<html>
<head>
  <title>Home page</title>
<style type="text/css">
    fieldset {
        width: 50%;
        border: 2px solid #ff0000;
    }
    legend {
        font-weight: bold;
        font-size: 125%;
    }
    label {
        width: 125px;
        float: left;
        text-align: left;
        font-weight: bold;
    }
    input {
        border: 1px solid #000;
    }
    button {
        margin-top: 12px;
    }
</style>
</head>
<body>
<h1>Home Page</h1>

<?php
  if (isset($_SESSION['valid_user']))
  {
    echo '<p>You are logged in as: '.$_SESSION['valid_user'].' <br />';
    echo '<a href="logout.php">Log out</a></p>';
  }
else{
  if(isset($userid))
  {
    //if they've tried and failed to log in
    echo '<p>Could not log you in.</p>';
  }
  else
  {
    //they have not tried to log in yet or have logged out
    echo '<p>You are not logged in.</p>';
  }
}

//provide form to log in
echo '<form action="authmain.php" method="post">';
echo '<fieldset>';
echo '<legend>Login Now!</legend>';
echo '<p><label for="userid">UserID:</label>';
echo '<input type="text" name="userid" id="userid" size="30"/></p>';
echo '<p><label for="password">Password:</label>';
echo '<input type="password" name="password" id="password" size="30"/></p>';
echo '</fieldset>';
echo '<button type="submit" name="login">Login</button>';
echo '</form>';

?>
</body>
</html>

members_only.php
<?php
// the session must be started before $_SESSION can be read
session_start();
?>
<!DOCTYPE html>
<html>
<head>
    <title>Members Only</title>
</head>
<body>
<h1>Members Only</h1>
<?php
//Check session variable
if(isset($_SESSION['valid_user'])){
    echo '<p>You are logged in as '.$_SESSION['valid_user'].'</p>';
    echo '<p><em>Members-Only content goes here.</em></p>';
}
else {
    echo '<p>You are not logged in.</p>';
    echo '<p>Only logged in members may see this page.</p>';
}
?>
<p><a href="authmain.php">Back to Home Page</a></p>
</body>
</html>

logout.php
<?php
session_start();

//store to test if they "were" logged in
$old_user = $_SESSION['valid_user'] ?? null;
unset($_SESSION['valid_user']);
session_destroy();
?>
<!DOCTYPE html>
    <html>
    <head>
        <title>Log out</title>
    </head>
    <body>
        <h1>Log Out</h1>
        <?php
        if(!empty($old_user))
        {
         echo '<p>You have been logged out.</p>';
        }
        else{
            //if they weren't logged in but came to this page somehow
            echo '<p>You were not logged in, and so have not been logged out.</p>';
        }
        ?>
    <p><a href="authmain.php">Back to Home Page</a></p>
    </body>
    </html>

    You need to store the password in the DB as its hashed value. (The whole reason to use a password hash is so that the literal password string is not in the DB, in case someone hacks their way into your DB.) If you are going to use sha1 for hashing, then you need to increase the size of the DB password field to contain the hash (40 characters for sha1).

    However, note the warning near the top of the https://php.net/sha1 page, and maybe consider moving to a more secure hashing mechanism (and change the database field to match whatever the length of that hash is). password_hash() would probably be my suggestion.
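
The suggestion in the reply above, as an added example (not code from the original posts): the sample user's password is re-saved as a password_hash() value and the login is checked with password_verify() through a prepared statement, which also keeps the posted userid and password out of the SQL string. The helper names set_password and check_login and the VARCHAR(255) column width are assumptions; the connection details are the ones from authmain.php.

```php
<?php
// Added example, not the original poster's code. Assumes the password column
// has been widened first so it can hold the hash, e.g.:
//   ALTER TABLE authorized_users MODIFY password VARCHAR(255) NOT NULL;

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: replace a stored password with its salted hash.
function set_password(mysqli $db, string $userid, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE authorized_users SET password = ? WHERE userid = ?');
    $stmt->bind_param('ss', $hash, $userid);
    $stmt->execute();
    $stmt->close();
}

// Hypothetical helper: true only if the userid exists and the password matches its hash.
function check_login(mysqli $db, string $userid, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM authorized_users WHERE userid = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was read, null when there is none
    $stmt->close();
    // Every hash carries its own salt, so the comparison cannot be done in SQL
    // the way password=sha1(...) was; password_verify() does it in PHP.
    return $found === true && password_verify($password, $hash);
}

$db = new mysqli('localhost', 'webauth', 'webauth', 'auth');
set_password($db, 'testuser', 'password');    // one-time: re-save the sample row as a hash

session_start();
if (isset($_POST['userid'], $_POST['password'])
    && check_login($db, $_POST['userid'], $_POST['password'])) {
    session_regenerate_id(true);              // issue a fresh session id on login
    $_SESSION['valid_user'] = $_POST['userid'];
}
$db->close();
```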
