Member Avatar for Ts91

Hi Guys!

So im making a small application based around a basic mvc structure. I have three folders: Model, View and Controller
The view code is:

<?php
session_start();
require_once('../Controller/loginController.php');
?>
<!DOCTYPE HTML>
<html>
 <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <title>Energy Checker: Login</title>
</head>

<body>

  <div class="formLogin">
   <h2>Login to your account</h2>
   <form id="loginfrm" method="post">

     <?php
     if(isset($error))
     {
      ?>
      <div class="loginAlert">
      <?php echo $error; ?>
    </div>
    <?php
  }
  ?>

  <label>Username: </label>
  <input type="text" name ="txtUsername"placeholder="Username" required/>
  <label>Password: </label>
  <input type="password" name ="txtPassword" placeholder="Password"required/>
  <br>


  <input type="submit" name="btn-login" value="Login">
</form>
</div>
</body>
</html>

The controller code is:

   <?php
    require_once('config.php');
    require_once('../Model/loginModel.php');

$user = new Login();

if(isset($_POST['btn-login']))
{
    $Username = strip_tags($_POST['txtUsername']);
    $Password = strip_tags($_POST['txtPassword']);

    if($user->getLogin($Username,$Password))
    {
        $user->redirect('../View/calculator.php');
    }
    else
    {
        $error = "Wrong Details!";
    }   
}

?>

and the model code is:

<?php
require_once('../Controller/config.php');

class Login
{

private $dbconn;

    public function __construct()
    {
        $database = new Database();
        $db = $database->dbConnection();
        $this->dbconn = $db;
    }

    public function getLogin($Username,$Password)
    {
        try
        {
            $stmt = $this->dbconn->prepare("SELECT * FROM users WHERE Username=:user");
            $stmt->execute(array(':user'=>$Username));
            $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
            if($stmt->rowCount() == 1)
            {
                if(password_verify($Password, $userRow['Password']))
                {
                    $_SESSION['user_session'] = $userRow['Username'];
                    return true;
                }
                else
                {
                    return false;
                }
            }
        }
        catch(PDOException $e)
        {
            echo $e->getMessage();
        }
    }
}

?>

For some reason, whenever i enter details into the login form even if theyre correct i get the "Wrong details" error and im not sure why.
Any help will be appreciated.

  • 3 Contributors
  • 4 Replies
  • 180 Views
  • 2 Hours Discussion Span
  • Latest Post Latest Post by Ts91
Member Avatar for pritaeas

Did you check what the password_verify function actually does? Do you have the correct hash stored in your user record?

Edited by pritaeas
Member Avatar for diafol 
 $stmt = $this->dbconn->prepare("SELECT * FROM users WHERE Username=:user");
        $stmt->execute(array(':user'=>$Username));
        $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
        if($stmt->rowCount() == 1)
        {
            if(password_verify($Password, $userRow['Password']))
            {
                $_SESSION['user_session'] = $userRow['Username'];
                return true;
            }
            else
            {
                return false;
            }
        }

This looks a little shambly. Don't use PDO rowCount() on SELECT queries - read the manual - there are workarounds for this. If there are two accounts with the same Username (which there shouldn't be obviously), this will fail (rowCount = 2). I'd use the LIMIT clause to force a stop on the search once a Username was found. Also if you just need the username and the user id:

"SELECT id, Username FROM users WHERE Username=? LIMIT 1"

So...

if($userRow=$stmt->fetch(PDO::FETCH_ASSOC)) {
      if(password_verify($Password, $userRow['Password'])) {
                $_SESSION['user_session'] = $userRow['Username'];
                return true;
       }
  }
  return false;
Edited by diafol
commented: Managed to fix it +0
Member Avatar for Ts91

@pritaeas Yeah my bad i realised i didnt have the correct hash value stored in my database. I just need to edit my register form to hash the values before theyre inserted and hopefully that should fix the problem

@Diafol Im more used to working with MySQLi and fairly new to PDO but thanks for the workaround.

Member Avatar for Ts91

It still doesnt seem to work.
Just says "Wrong Details!"

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.