Shoutout to the YouTube user "mmtuts" because this is basically a copy from his tutorial (at least I learned something) (https://www.youtube.com/watch?v=LC9GaXkdxF8).
This is my first attempt for a website with a login system.
TL;DR: I ran into the problem where not even the correct passwords work with any user (aparently the user is accepted since I had the error "wronguser" aka user not found in the database but then I found my mistakes).
I am running my database using MySQL and Apache (using XAMPP). I've tried to rewrite all the names on the database and the main PHP index where the website is with the login inputs on a modal.
mysqli_stmt_bind_param($stmt, "ss", $mailuid, $mailuid);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
if ($row = mysqli_fetch_assoc($result)) {
$pwdCheck = password_verify($password, $row['Password']); <!-- CHECKS IF INSERTED PASSWORD = DATABASE PASSWORD FOR INSERTED USER -->
if ($pwdCheck == false) { <!-- IF PASSWORD DOESN'T MATCH WITH DATABASE PASSWORD FOR INSERTED USER THEN GO TO THIS "WRONG PASSWORD" ERROR PAGE (KEEPS GOING TO THIS PAGE) -->
header("Location: ../index.php?error=password_errada1");
exit();
}
else if($pwdCheck == true) { <!-- IF THE PASSWORD IS CORRECT THEN OPEN SESSION FOR THE INSERTED USER -->
session_start();
$_SESSION['userId'] = $row['idAluno'];
$_SESSION['userUid'] = $row['NumeroAluno'];
$_SESSION['userPrimeiroNome'] = $row['PrimeiroNome'];
$_SESSION['userUltimoNome'] = $row['UltimoNome'];
$_SESSION['userAno'] = $row['Ano'];
$_SESSION['userTurma'] = $row['Turma'];
$_SESSION['userRequisitou'] = $row['Requisitou'];
header("Location: ../index.php?login=login_sucesso");
exit();
}
Looked for answers and tried to fix it for at least 1 hour now. Sorry if my post is going against any rules that I might not know about. I am so done because I know stuff like this it's always a dumb mistake.
EDIT 1: I can provide more code if wanted.
$servername = "localhost";
$dBUsername = "root";
$dBPassword = "";
$dBName = "loginsystem";
$conn = mysqli_connect($servername, $dBUsername, $dBPassword, $dBName);
if (!$conn) {
die("Erro de conexão: ".mysqli_connect_error());
}dbStructure Code:
CREATE TABLE alunos ( idAluno int(11) NOT NULL, NumeroAluno varchar(7) NOT NULL, Password varchar(50) NOT NULL, Email varchar(50) NOT NULL, PrimeiroNome varchar(25) NOT NULL, UltimoNome varchar(25) NOT NULL, Ano int(2) NOT NULL, Turma varchar(8) NOT NULL, Requisitou int(1) NOT NULL DEFAULT '0' ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
</div>
I was saving the passwords manually using the database page and obviously the passwords were getting saved has plain text and not getting hashed, so when I tried to login using my PHP code the inserted password was getting hashed and the hashed password getting compared to the plain text password.
Solved this by creating a signup which creates users with hashed passwords so that the PHP compares HASHED / HASHED and not HASHED - NON-HASHED.
Could be solved aswell by not hashing the password anywhere (unsafe but easy).
Your password is not being hashed.
Try replacing the code
if ($pwdCheck == false)
with
if($password != $row['Password'])
If it works, recheck your script where your password is being hashed.
Thanks.
EDIT 1: Please change the else if part as well, and check again. I don't see any other mistakes.
Replace
else if($pwdCheck == true)
with
else if($password == $row['Password'])
This should probably solve your problem.