Search code examples
phpmysqlauthenticationmysqliuser-accounts

Creating a PHP/MySQL application - all login attempts fail

I'm creating a web application with PHP and MySQL. I have a register/login page set up. I have registered several accounts via the application, and I see the message saying the account has been created successfully, but when I attempt to login, it fails with an "Invalid username or password" error message. When I go to PHPMyAdmin, I can see that all the user accounts are present within the users table, and I can see the usernames and their passwords (the latter is in hashed format). So I don't understand why I can't log in.

This is my login form (in index.php):

<!-- login form -->
    <form method="post" action="php/login.php">
      <div class="form-group">
        <input class="form-control" type="text" name="username" placeholder="Username" required>
      </div>

      <div class="form-group">
        <input class="form-control" type="password" name="password" placeholder="Password" required>
      </div>

      <div class="form-group">
        <input class="btn btn-primary" type="submit" name="login" value="Login">
      </div>
    </form>
 <!-- ./login form -->

and this is login.php:

 <?php
  require_once "../functions.php";

  db_connect();

  $sql = "SELECT id, username, password FROM users WHERE username = ?";

  $statement = $conn->prepare($sql);
  $statement->bind_param('s', $_POST['username']);
  $statement->execute();
  $statement->store_result();
  $statement->bind_result($id, $username, $password);
  $statement->fetch();

  if ($statement->execute()) {
    if(password_verify($_POST['password'], $password)) {
      $_SESSION['user_id'] = $id;
      $_SESSION['user_username'] = $username;
      redirect_to("/home.php");
    } else {
      redirect_to("/index.php?login_error=true");
    }
  } else {
    echo "Error: " . $conn->error;
  }
  ?>

This is the code for the error message (in index.php):

<?php if(isset($_GET['login_error'])): ?>
<div class="alert alert-danger">
  <p>Invalid username or password!</p>
</div>

In the Apache access.log, I can see: 127.0.0.1 - - [26/Aug/2018:14:54:07 +0100] "GET /index.php?login_error=true HTTP/1.1" 200 1230 "http://localhost/index.php?registered=true" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"

Solution

  • I managed to find what was causing the problem. When I originally created the users table in the database, I set the maximum number of characters for the password field to 40. I didn't take into consideration that the hashed versions of the passwords are likely to be longer than 40 characters. Once I increased the limit from 40 to a much higher value and created a new account, I was able to log in successfully.