I am making a php login system, and I don't know what is going wrong

Time:02-10

I have an html form passing data to this program:

<?php
    $username = $_POST['username'];
    $password = $_POST['password'];
    $passcrypt = hash('sha256', $password);
    $conn = new mysqli('localhost', 'phpUser', 'phpPass', 'phpBase');
    $pass = "SELECT password FROM login WHERE username = '$username'";
    $result = $conn->query("SELECT password FROM login WHERE username = '$username'");
    $conn->close();
    if ($result == $passcrypt) {
        print 'logged in!';
    }else{
        print 'error <br />';
        print $passcrypt;
    }
?>

(those obviously aren't my passwords) and it isn't working, and I have no idea why!!!!

CodePudding user response:

It's obviously because you don't fetch any data. You need $result->fetch_assoc() to fetch the data.

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$passcrypt = hash('sha256', $password);
$conn = new mysqli('localhost', 'phpUser', 'phpPass', 'phpBase');
$result = $conn->query("SELECT password FROM login WHERE username = '$username'");
$result = $result->fetch_assoc(); // one associative array, or null if there is no such user
$conn->close();
// compare the fetched column, not the result object itself
if ($result && $result['password'] == $passcrypt) {
    print 'logged in!';
}else{
    print 'error <br />';
    print $passcrypt;
}
?>

Also, make sure to var_dump($result) after fetching it to test and debug the process and confirm that everything is going well.

Also, use a prepared statement to prevent SQL injection.

The code could be better this way:

<?php
    $username = $_POST['username'];
    $password = $_POST['password'];
    $passcrypt = hash('sha256', $password);
    $conn = new mysqli('localhost', 'phpUser', 'phpPass', 'phpBase');
    $query = "SELECT password FROM login WHERE username = ? "; // SQL with parameters

    $stmt = $conn->prepare($query);
    $stmt->bind_param("s", $username); // 's' for string
    $stmt->execute();
    $result = $stmt->get_result(); // get the mysqli result
    $result = $result->fetch_assoc(); // fetch one row, or null if the user does not exist
    $stmt->close();

    // hash_equals() compares in constant time and avoids loose == type juggling on hex strings
    if ($result !== null && hash_equals($result['password'], $passcrypt)) {
        print 'logged in!';
    }else{
        print 'error <br />';
        print $passcrypt;
    }
    $conn->close();
?>

CodePudding user response:

The best solution is to use the built-in password_hash and password_verify (link to manual) to store and verify passwords. Also use prepared statements to avoid trivial SQL injection attacks.

To store a user password, use password_hash to generate the blob you are saving to the database (don't roll your own). This code assumes you have a form submitting the new username and password from an account creation page.

<?php
// $mysqli is an already-opened mysqli connection
$newusername = $_POST['newusername'];
$newpassword = $_POST['newpassword'];
$newPasswordHash = password_hash($newpassword, PASSWORD_DEFAULT); // salted, slow hash; never store the raw password
$stmt = $mysqli->prepare("insert into login (username, password) values (?, ?)");
$stmt->bind_param("ss", $newusername, $newPasswordHash);
$stmt->execute();
$affectedRows = $stmt->affected_rows;
$stmt->close();

if ($affectedRows > 0) {
    print 'User account added';
} else {
    print 'error creating user account <br />';
}
?>

Once that account is created, you can use password_verify to validate the login based on the form submission from your login page.

<?php
// $mysqli is an already-opened mysqli connection
$username = $_POST['username'];
$password = $_POST['password'];

$stmt = $mysqli->prepare("select password from login where username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($passwordHash); // stays null when no row matches
$stmt->fetch();
$stmt->close();

if ($passwordHash) {
    if (password_verify($password, $passwordHash) === true) {
        print 'logged in!';
    } else {
        print 'error <br />';
    }
} else {
    print 'error <br />';
}
?>
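The question's table already holds unsalted SHA-256 hex hashes, so switching to password_verify() means migrating existing rows. The following is an added example, not code from either answer: it verifies a login against whichever format the stored value is in and upgrades legacy rows to password_hash() on the first successful login. It assumes $mysqli is an open mysqli connection and the `login` table with `username` and `password` columns from the question.

```php
<?php
// Added example: verify against either a password_hash() blob or the
// question's legacy hex SHA-256, and rehash legacy rows on success.
// Assumes $mysqli is an open mysqli connection (hypothetical for this page).

function login_and_migrate(mysqli $mysqli, string $username, string $password): bool
{
    $stmt = $mysqli->prepare("SELECT password FROM login WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();   // null when no row matched
    $stmt->close();

    if (!$found || $stored === null) {
        // Unknown user: spend roughly the same time as a real verify so the
        // response time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }

    $info = password_get_info($stored);
    if (!empty($info['algo'])) {
        // Already a password_hash() blob (e.g. "$2y$..."): verify, and rehash
        // if the default algorithm or cost has changed since it was stored.
        if (!password_verify($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            store_new_hash($mysqli, $username, password_hash($password, PASSWORD_DEFAULT));
        }
        return true;
    }

    // Legacy row: 64-char hex SHA-256 from the original code. Constant-time compare.
    if (!hash_equals($stored, hash('sha256', $password))) {
        return false;
    }
    // Credentials are correct, so upgrade the row to password_hash() now.
    store_new_hash($mysqli, $username, password_hash($password, PASSWORD_DEFAULT));
    return true;
}

function store_new_hash(mysqli $mysqli, string $username, string $hash): void
{
    $stmt = $mysqli->prepare("UPDATE login SET password = ? WHERE username = ?");
    $stmt->bind_param("ss", $hash, $username);
    $stmt->execute();
    $stmt->close();
}
```

Once every user has logged in at least once, the legacy branch can be removed and the `password` column should be wide enough for password_hash() output (the PHP manual recommends 255 characters).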