0
    $username = $_POST['username'];
    $password = $_POST['pass'];

    $query = "SELECT id,name,username,password,status FROM users WHERE username = " . $dbh->quote($username); 
    $result = $dbh->query($query);

    $userData = $result->fetch(PDO::FETCH_ASSOC);
    $userName = $userData['username'];
    $hash = $userData['password'];
    $status = $userData['status'];

    if($username == $userName)
    {
        if(password_verify($password, $hash))
        {
            if($status == 'Request')
            {
                echo "<script>alert(\"You have not been activated. Please contact admin for more info.\")</script>";
            }
            else
            { 
                session_start();
                $_SESSION['sess_user_id'] = $userData['id'];
                $_SESSION['sess_name'] = $userData['name'];
                echo "<script>window.location.href = \"home.php\"</script>";
            }
        }
        else
        {
            echo "<script>alert(\"Incorrect Password!\")</script>";
        }
    }
    else
    {
        echo "<script>alert(\"Incorrect Username!\")</script>";
    }

What i mean by not working is this part :

if($status == $request)
{
   echo "<script>alert(\"You have not been activated. Please contact admin for more info.\")</script>";
}
else
{ 
    session_start();
    $_SESSION['sess_user_id'] = $userData['id'];
    $_SESSION['sess_name'] = $userData['name'];
    echo "<script>window.location.href = \"home.php\"</script>";
}

when I insert the incorrect username and the correct password i get : Incorrect username

when i insert incorrect password and the correct username i get : Incorrect password

When I insert the correct username and password I should get : You have not been activated. Please contact admin for more info. instead i get : Incorrect Password.

what am i missing? help please.

2
Contributors
5
Replies
26
Views
2 Years
Discussion Span
Last Post by diafol
0

First of all, perhaps you want to limit the information you give to a user. Don't tell him or her which element is incorrect as this may aid malicious users in their attempt to break into your site. Up to you though.

Also, I'd use a prepared statement instead of quote/query and add a 'LIMIT 1' to the statement, to stop the search of the remainder of the table once username found.

It looks like your password test is wrong.

This is the expected result if you supply the wrong password every time.

CHECK USERNAME - [WRONG - "BAD USERNAME" STOP] OR [CORRECT - CONTINUE]
CHECK PASSWORD - [WRONG - "BAD PW" STOP] OR [CORRECT - CONTINUE]
CHECK STATUS - [=REQUEST - "NOT ACTIVATED"] OR [LOG IN!!]

You're hitting [WRONG - "BAD PW" STOP] every time. The reason you don't see it in your first example (Incorrect username) is that there's another error first.

Check to see that your stored passwords are actually hashed. You did use password_hash() to store them?

Edited by diafol

0

oh okay.

yes i did. $hash = password_hash($password, PASSWORD_DEFAULT);

0

OK, so copy some pw hashes from your DB (from rows you've created yourself) and test them manually against the known passwords. Have you used options (3rd parameter?)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.