Member Avatar for nadiam 
    $username = $_POST['username'];
    $password = $_POST['pass'];

    $query = "SELECT id,name,username,password,status FROM users WHERE username = " . $dbh->quote($username); 
    $result = $dbh->query($query);

    $userData = $result->fetch(PDO::FETCH_ASSOC);
    $userName = $userData['username'];
    $hash = $userData['password'];
    $status = $userData['status'];

    if($username == $userName)
    {
        if(password_verify($password, $hash))
        {
            if($status == 'Request')
            {
                echo "<script>alert(\"You have not been activated. Please contact admin for more info.\")</script>";
            }
            else
            { 
                session_start();
                $_SESSION['sess_user_id'] = $userData['id'];
                $_SESSION['sess_name'] = $userData['name'];
                echo "<script>window.location.href = \"home.php\"</script>";
            }
        }
        else
        {
            echo "<script>alert(\"Incorrect Password!\")</script>";
        }
    }
    else
    {
        echo "<script>alert(\"Incorrect Username!\")</script>";
    }

What i mean by not working is this part :

if($status == $request)
{
   echo "<script>alert(\"You have not been activated. Please contact admin for more info.\")</script>";
}
else
{ 
    session_start();
    $_SESSION['sess_user_id'] = $userData['id'];
    $_SESSION['sess_name'] = $userData['name'];
    echo "<script>window.location.href = \"home.php\"</script>";
}

when I insert the incorrect username and the correct password i get : Incorrect username

when i insert incorrect password and the correct username i get : Incorrect password

When I insert the correct username and password I should get : You have not been activated. Please contact admin for more info. instead i get : Incorrect Password.

what am i missing? help please.

  • 2 Contributors
  • 5 Replies
  • 282 Views
  • 5 Hours Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for diafol

First of all, perhaps you want to limit the information you give to a user. Don't tell him or her which element is incorrect as this may aid malicious users in their attempt to break into your site. Up to you though.

Also, I'd use a prepared statement instead of quote/query and add a 'LIMIT 1' to the statement, to stop the search of the remainder of the table once username found.

It looks like your password test is wrong.

This is the expected result if you supply the wrong password every time.

CHECK USERNAME - [WRONG - "BAD USERNAME" STOP] OR [CORRECT - CONTINUE]
CHECK PASSWORD - [WRONG - "BAD PW" STOP] OR [CORRECT - CONTINUE]
CHECK STATUS - [=REQUEST - "NOT ACTIVATED"] OR [LOG IN!!]

You're hitting [WRONG - "BAD PW" STOP] every time. The reason you don't see it in your first example (Incorrect username) is that there's another error first.

Check to see that your stored passwords are actually hashed. You did use password_hash() to store them?

Edited by diafol
Member Avatar for nadiam

oh okay.

yes i did. $hash = password_hash($password, PASSWORD_DEFAULT);

Member Avatar for diafol

OK, so copy some pw hashes from your DB (from rows you've created yourself) and test them manually against the known passwords. Have you used options (3rd parameter?)

Member Avatar for nadiam

no 3rd parameter

Member Avatar for diafol

So have you checked yet?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.