I cannot get my login form to connect interact properly with mySQL database [closed]

Solution 1:

This answer is for hashing, password_hash(), and password_verify(). For both mysqli and pdo. The link at the bottom has further links and some language about salts and the like.

It is crucial to not use user-supplied data directly with selects and inserts. Rather, bind parameters and call prepared statements to Avoid sql injection attacks. Passwords should never be saved in the clear (cleartext) in databases. Rather, they should be sent through one-way hashes.

Also note. This is showing registration hashing and login verify. It is not full blown functionality I am trying to hock on codecanyon for ten bucks ... such that it shows a re-registration of an email address (the login) already exists, does updates, mind you. In that case the insert will simply fail due to the unique key set in place in the db. I leave that to you, the reader, to do the lookup, and say 'email already registered.'

Schema

CREATE TABLE `user_accounts2` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(100) NOT NULL,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY (`id`),
  unique key(email) -- that better be the case
) ENGINE=InnoDB;

After running through register.php and saving a user, the data might look like this:

select * from user_accounts2;
+----+-----------+--------------------------------------------------------------+
| id | email     | password                                                     |
+----+-----------+--------------------------------------------------------------+
|  1 | [email protected]   | $2y$10$U6.WR.tiOIYNGDWddfT7kevJU8uiz8KAkdxXpda9e1xuplhC/eTJS |
+----+-----------+--------------------------------------------------------------+

mysqli section first

register.php

<?php
    mysqli_report(MYSQLI_REPORT_ALL);
    error_reporting(E_ALL); // report all PHP errors
    ini_set("display_errors", 1); // display them
    session_start();

    if(isset($_SESSION['userid'])!="") {
        // you are already logged in as session has been set
        header("Location: safe.php");   // note that this re-direct will at the top of that page
        // ... and there to verify the session state so no tricks can be performed
        // no tricks and gimmicks
    }

    if(isset($_POST['register'])) {
        $email = $_POST['email'];
        $ctPassword = $_POST['password'];   // cleartext password from user
        $hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password using cleartext one

        // pretend the following is locked in a vault and loaded but hard coded here
        $host="yourhostname";
        $dbname="dbname";
        $user="dbuser";
        $pwd="password";
        $port=3306; // comes along for the ride so I don't need to look up param order below
        // end pretend

        try {
            $mysqli= new mysqli($host, $user, $pwd, $dbname,$port);
            if ($mysqli->connect_error) {
                die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
            }
            //echo "I am connected and feel happy.<br/>";
            $query = "INSERT INTO user_accounts2(email,password) VALUES (?,?)";
            $stmt = $mysqli->prepare($query);

            // note the 2 s's below, s is for string
            $stmt->bind_param("ss", $email,$hp);    // never ever use non-sanitized user supplied data. Bind it
            $stmt->execute();
            // password is saved as hashed, will be verified on login page with password_verify()
            $iLastInsertId=$mysqli->insert_id;  // do something special with this (or not)
            // redirect to some login page (for now you just sit here)
            $stmt->close(); 
            $mysqli->close();
        } catch (mysqli_sql_exception $e) { 
            throw $e; 
        } 
    }
?>
<html>
<head>
<title>Register new user</title>
</head>
<body>
<div id="reg-form">
<form method="post">
    <table>
        <tr>
        <td><input type="email" name="email" placeholder="Email" required /></td>
        </tr>
        <tr>
        <td><input type="password" name="password" placeholder="Password" required /></td>
        </tr>
        <tr>
        <td><button type="submit" name="register">Register</button></td>
        </tr>
        <tr>
        <td><a href="index.php">Normal Login In Here</a></td>
        </tr>
    </table>
</form>
</div>
</body>
</html>

login.php

<?php
    mysqli_report(MYSQLI_REPORT_ALL);
    error_reporting(E_ALL); // report all PHP errors
    ini_set("display_errors", 1); // display them
    session_start();

    if(isset($_SESSION['userid'])!="") {
        // you are already logged in as session has been set
        header("Location: safe.php");   // note that this re-direct will at the top of that page
        // ... and there to verify the session state so no tricks can be performed
        // no tricks and gimmicks
    }

    if(isset($_POST['login'])) {
        $email = $_POST['email'];
        $ctPassword = $_POST['password'];   // cleartext password from user

        // pretend the following is locked in a vault and loaded but hard coded here
        $host="yourhostname";
        $dbname="dbname";
        $user="dbuser";
        $pwd="password";
        $port=3306; // comes along for the ride so I don't need to look up param order below
        // end pretend

        try {
            $mysqli= new mysqli($host, $user, $pwd, $dbname,$port);
            if ($mysqli->connect_error) {
                die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
            }
            //echo "I am connected and feel happy.<br/>";
            $query = "select id,email,password from user_accounts2 where email=?";
            $stmt = $mysqli->prepare($query);

            // note the "s" below, s is for string
            $stmt->bind_param("s", $email); // never ever use non-sanitized user supplied data. Bind it
            $stmt->execute();
            $result = $stmt->get_result();
            if ($row = $result->fetch_array(MYSQLI_ASSOC)) {
                $dbHashedPassword=$row['password'];
                if (password_verify($ctPassword,$dbHashedPassword)) {
                    echo "right, userid=";
                    $_SESSION['userid']=$row['id'];
                    echo $_SESSION['userid'];
                    // redirect to safe.php (note safeguards verbiage at top of this file about it)
                }
                else {
                    echo "wrong";
                    // could be overkill here, but in logout.php
                    // clear the $_SESSION['userid']
                }
            }
            else {
                echo 'no such record';
            }
            // remember, there is no iterating through rows, since there is 1 or 0 (email has a unique key)
            // also, hashes are one-way functions in the db. Once you hash and do the insert
            // there is pretty much no coming back to cleartext from the db with it. you just VERIFY it

            $stmt->close(); 
            $mysqli->close();
        } catch (mysqli_sql_exception $e) { 
            throw $e; 
        } 
    }
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<div id="reg-form">
<form method="post">
    <table>
        <tr>
        <td><input type="email" name="email" placeholder="Email" required /></td>
        </tr>
        <tr>
        <td><input type="password" name="password" placeholder="Password" required /></td>
        </tr>
        <tr>
        <td><button type="submit" name="login">Login</button></td>
        </tr>
    </table>
</form>
</div>
</body>
</html>

pdo section below

When I have time, probably tomorrow, but for now I point you to this Answer of mine.