I'm trying to build a login system on a website. First, I wrote a file called "userConn.php" which is used to connect with MySQL. The code is shown below:
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '******************');
define('DB_NAME', 'userinfo');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
Then I wrote a file called "login.php". This file calls the "userConn.php" file to connect to the database and subsequently compares the Username and Password entered with the records in the database. If a match is found, a session is started and the user is redirected to the homepage. Before redirecting, a function called "onLogin" is called to issue a token for the username to be used as a rememberme cookie. This function calls another function named "storeTokenForUser" to store the token and the username in a database table. The problem is that the SQL statement in the latter function is not storing any data in the database table after a login is made.
The code of "login.php" can be found hereunder:
<?php
// Include config file
require_once 'userConn.php';
// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = 'Please enter username.';
    } else{
        $username = trim($_POST["username"]);
    }
    // Check if password is empty
    if(empty(trim($_POST['password']))){
        $password_err = 'Please enter your password.';
    } else{
        $password = trim($_POST['password']);
    }
    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT username, password FROM users WHERE username = ?";
        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_username);
            // Set parameters
            $param_username = $username;
            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);
                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $username, $hashed_password);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            /* Password is correct, so start a new session and
                            save the username to the session */
                            session_start();
                            $_SESSION['username'] = $username;
                            onLogin($username);
                            header("location: new_homepage.php");
                        } else{
                            // Display an error message if password is not valid
                            $password_err = 'The password you entered was not valid.';
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = 'No account found with that username.';
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
        }
        // Close statement
        mysqli_stmt_close($stmt);
    }
    // Close connection
    mysqli_close($link);
}
function onLogin($user) {
    $token = random_bytes(256); // generate a token, should be 128 - 256 bit
    $SECRET_KEY = random_bytes(256);
    storeTokenForUser($user, $token);
    $cookie = $user . ':' . $token;
    $mac = hash_hmac('sha256', $cookie, $SECRET_KEY);
    $cookie .= ':' . $mac;
    setcookie('rememberme', $cookie);
}
function storeTokenForUser($usernameTok, $tokenvalue){
    global $link;
    $sql = "INSERT INTO tokens (username, tokenvalue) VALUES ('".$usernameTok."', '".$tokenvalue."')";
    $link->query($sql);
}
?>
Can someone give me an explanation of why the SQL in the "storeTokenForUser" function is not working and a solution to repair this?
I tried the code below as well for the "storeTokenForUser" function but it did not work:
function storeTokenForUser($usernameTok, $tokenvalue){
    global $link;
    $sql = "INSERT INTO tokens (username, tokenvalue) VALUES (?, ?)";
    if($stmt = mysqli_prepare($link, $sql)){
        mysqli_stmt_bind_param($stmt, "ss", $param_username, $param_token);
        $param_username = $usernameTok;
        $param_token = $tokenvalue;
        mysqli_stmt_execute($stmt);
    }
    mysqli_stmt_close($stmt);
}
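
An added example, not part of the original post or the asker's code: one way to issue, store and verify the remember-me token described above, with the token hex-encoded before it reaches the database or the cookie and with SQL errors raised as exceptions. It assumes a PDO in-memory SQLite table standing in for the MySQL `tokens` table, a hypothetical `tokenhash` column, hypothetical function names, and a constructed `REMEMBER_KEY` placeholder for a secret that stays the same between requests.

```php
<?php
// Added example. Assumptions: in-memory SQLite via PDO stands in for the MySQL
// `tokens` table; REMEMBER_KEY is a constructed placeholder for a persistent secret.
const REMEMBER_KEY = 'constructed-demo-key-load-from-config';

function openTokenStore(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors so a failed INSERT is visible instead of silent.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tokens (username TEXT, tokenhash TEXT)');
    return $db;
}

function issueRememberCookie(PDO $db, string $user): string {
    // random_bytes() returns raw binary; 32 bytes = 256 bits, hex-encoded to ASCII.
    $token = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked table does not yield usable cookies.
    $stmt = $db->prepare('INSERT INTO tokens (username, tokenhash) VALUES (?, ?)');
    $stmt->execute([$user, hash('sha256', $token)]);
    $cookie = $user . ':' . $token;
    return $cookie . ':' . hash_hmac('sha256', $cookie, REMEMBER_KEY);
}

function verifyRememberCookie(PDO $db, string $cookie): ?string {
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null; // malformed cookie fails closed
    }
    [$user, $token, $mac] = $parts;
    // Constant-time MAC check with the same key that was used at issue time.
    $expected = hash_hmac('sha256', $user . ':' . $token, REMEMBER_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $stmt = $db->prepare('SELECT tokenhash FROM tokens WHERE username = ?');
    $stmt->execute([$user]);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, hash('sha256', $token))) {
            return $user;
        }
    }
    return null;
}

$db = openTokenStore();
$cookie = issueRememberCookie($db, 'alice');         // constructed user name
var_dump(verifyRememberCookie($db, $cookie));        // cookie as issued
var_dump(verifyRememberCookie($db, $cookie . '0'));  // cookie with altered MAC
```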