Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP

Posted by karthikkn
karthikkn
5,397 Points

How to verify password_verify function in login form

Registration page

 <?php require_once 'includes/session.php';?>
 <?php require_once 'includes/db.php'; ?>
  <?php require_once 'functions.php'; ?>
  <?php
   if (isset($_POST['submit'])) {
    $required_field = array("email", "password", "firstname", "lastname");
    validate_presences($required_field);

    if (empty($errors)) {
        $email = mysqli_real_escape_string($connection, $_POST['email']);
        $password = password_hash($_POST['password'], PASSWORD_BCRYPT);
        $firstname = mysqli_real_escape_string($connection, $_POST['firstname']);
        $lastname = mysqli_real_escape_string($connection, $_POST['lastname']);

        $query = "INSERT INTO users (email, password, firstname, lastname) VALUES ('$email', '$password', '$firstname', '$lastname')";
        $result = mysqli_query($connection, $query);
        if (!$result) {
            echo "Email already exists";
        } else {
            echo 'pass';
        }
    }

      }


         ?>

   <!DOCTYPE html>
   <html>
   <head>
<title>hillspeak</title>
   </head>
    <body>
<h2>Register here</h2>
<?php echo form_errors($errors); ?>
<form action="" method="post">
    Email: <input type="email" name="email"><br> 
    Password: <input type="password" name="password"><br>
    First Name: <input type="text" name="firstname"><br>
    Last Name: <input type="text" name="lastname"><br>
    <input type="submit" name="submit" value="register">
</form>
   </body>
   </html>

Login page

   <?php require_once 'includes/session.php';?>
   <?php require_once 'includes/db.php'; ?>
   <?php require_once 'functions.php'; ?>
   <?php
        if (isset($_POST['submit'])) {
    $required_fields = array("email", "password");
    validate_presences($required_fields);

    if (empty($errors)) {
        $email = mysqli_real_escape_string($connection, $_POST['email']);
        $password = $_POST['password'];
        $query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
        $result = $connection->query($query);

        $row = mysqli_num_rows($result);
        if ($row == 1) {
            echo 'found';
         }  else {
            echo "not found";
         }

        }
     }

    ?>
  <!DOCTYPE html>
    <html>
    <head>
<title>hillspeak</title>
    </head>
     <body>
         <h2>Log In</h2>
         <?php echo form_errors($errors); ?>
        <form action="" method="post">
           Email: <input type="text" name="email"><br>
           Password: <input type="password" name="password"><br>
       <input type="submit" name="submit" value="Login">
          </form>
     <a href="register.php">Register</a>
       </body>
        </html>
Stefan Hoffmann
Stefan Hoffmann
24,811 Points

Hello !

Your question is not clear. Anyway, in your registration form there is an error. You insert a new user even after finding out, that a user with that email address already exists.

Depending on your mysql configuration you may have a problem in your password check. You can try this out by entering your password in different upper- and lowercase alternatives. You'll see that 'PASSword' = 'passWORD' in mysql.

To find out more and how to get around this problem, look it up here: https://dev.mysql.com/doc/refman/5.0/en/charset-binary-op.html

Greetings, Stefan

3 Answers

karthikkn
karthikkn
5,397 Points
karthikkn
karthikkn
5,397 Points

hi Stefan Hoffmann, Thanks for reply i have made email field unique in database, I have found the problem, I will try to find a solution to that problem, Thanks for reply.

Stefan Hoffmann
Stefan Hoffmann
24,811 Points
Stefan Hoffmann
Stefan Hoffmann
24,811 Points

Hello again,

another thing: 

        $password = $_POST['password'];
        $query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";

You are open to SQL Injection at this point, because you do not escape $password properly. One could easily use " ' OR 1=1 OR ' "AS Password to log in as every user whose emailadress is known.

karthikkn
karthikkn
5,397 Points
karthikkn
karthikkn
5,397 Points

Hi, thanks for your help i have changed my login password field to $_POST['password'] to mysqli_real_escape_string($connection, $_POST['password']);