When I try to log in:
if I use the wrong username and password, only the contents of the header and of the footer appear.
If I use the correct username and password, the login does not recognize the user: "Wrong username and password".

```php
<?php
$page = 'Login';
session_start();
include 'header.php';

if(isset($_SESSION['username'])){
    header('location: control-painel.php');
}
else{
    $user_error = '';
    $pass_error = '';
    $login_error = '';

    if(isset($_POST['login'])){
        $username = $mysqli -> $_POST['username'];
        $password = $mysqli -> $_POST['password'];
        $cost = '11';
        $salt = 'Cf1f11ePArKlBJomM0F6aJ';
        $password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');
        $id = 0;

        if(empty($username)){
            $user_error = 'Please insert a username';
        }
        if(empty($password)){
            $pass_error = 'Please insert a password';
        }
        if(!empty($username) && !empty($password)){
            $stmt = $mysqli -> prepare('SELECT id FROM user WHERE username = ? AND password = ?');
            $stmt -> bind_param("ss", $username, $password_hash);
            $stmt -> execute();
            $stmt -> bind_result($id);
            $stmt -> fetch();
            if($id){
                $login_error = 'Wrong username and password combination';
            }
        }
    }

    if(empty($user_error)&& empty($pass_error)&& empty($login_error)&& isset($_POST['login'])){
        $stmt = $mysqli -> prepare('SELECT id FROM user WHERE username = ? AND password = ?');
        $stmt -> bind_param("ss", $username, $password_hash);
        $stmt -> execute();
        $stmt -> bind_result($id);
        $stmt -> fetch();
        if($id){
            session_start();
            $_SESSION['username'] = $username;
            header('location: control-painel.php');
        }
    }
    else{
?>
<div class="message">
    <br><br>
    <?php echo $user_error; ?><br><br>
    <?php echo $pass_error; ?><br><br>
    <?php echo $login_error; ?><br><br>
    <br><br>
</div>
<div id="form" class="bradius">
    <div class="content">
        <form method="post">
            <label>Username: </label>
            <input type="text" name="username" class="text bradius">
            <label>Password: </label>
            <input type="password" name="password" class="text bradius">
            <input type="submit" class="submitbutton bradius" name="login" value="Login">
        </form>
    </div>
<?php
    }
}
include "footer.php";
?>
```
Check out this post: http://blog.thiagobelem.net/encryptando-passwords-no-php-usando-bcrypt-blowfish/
– Thiago
I’ve seen it before but I don’t understand the verification part.
– Lukaz11
You encrypt the password typed at login in exactly the same way you did at signup (in the registration) and make a simple comparison.
– Maniero
Where does this message come from? Nothing you posted indicates that this should happen. Post something else that might give us a better idea of what you’ve done.
– Maniero
To test, just try taking the value of the field password, print it and print the $password_hash to have a visual assessment of the difference between them. Are you sure that you are creating the $password_hash exactly like in the registration?
– Maniero
You are using a variable called $password_hash; I imagined it had been hashed exactly as in the registration, as I said before. If it is saving senha321, you have a plain password, not a hash of a password. Apparently $2a11$Cf1f11ePArKlBJomM0F6aJ$ is a hash of a password, so you have to compare with another hash and not with a plain password.
– Maniero
You edited the question, but reversed the IF I put in the answer, besides having unnecessarily duplicated code. What I put in the question is enough, with just small adjustments to the variables. Pay attention to the IF in the original answer. The logged-in case is inside the IF, and the wrong password inside the ELSE, not in the IF as you did. In addition, you are mixing the escape string with the bind, so you will have validation problems.
– Bacco
@Lukaz11 I made some more adjustments to the code; remember to update it there.
– Bacco
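
The verification discussed in the comments above, written out as an added example (not code from the question or from any answer on this page): the row is fetched by username only, the raw input goes straight into the bound parameter, and the success case sits inside the IF. It uses PHP's password_hash()/password_verify() in place of the fixed-salt crypt() call in the question, and it assumes an in-memory SQLite table through PDO standing in for the MySQL user table; the account lukaz is constructed.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite replaces the page's MySQL `user` table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Registration: store only the bcrypt hash. password_hash() generates a random
// salt per user and embeds salt and cost in the returned string.
function register(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: select by username only, then let password_verify() re-hash the submitted
// password with the salt and cost read from the stored hash and compare the results.
function login(PDO $db, string $username, string $password): ?int
{
    if ($username === '' || $password === '') {
        return null;
    }
    // Bound parameter only: no manual escaping of the input before binding.
    $stmt = $db->prepare('SELECT id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for unknown user and wrong password
    }
    return (int) $row['id'];
}

register($db, 'lukaz', 'senha321'); // constructed sample account

// Constructed requests standing in for $_POST['username'] and $_POST['password'].
foreach ([['lukaz', 'senha321'], ['lukaz', 'wrong'], ['nobody', 'senha321']] as [$u, $p]) {
    $id = login($db, $u, $p);
    if ($id !== null) {
        // On the real page, before any output is sent: session_regenerate_id(true);
        // $_SESSION['username'] = $u; header('Location: control-painel.php'); exit;
        echo "$u / $p: logged in as id $id\n";
    } else {
        echo "$u / $p: Wrong username and password combination\n";
    }
}
```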