PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Fri Sep 15, 2017 5:30 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Php Gurus,

I get this error when trying to login to member account:

Fatal error: Uncaught TypeError: password_verify() expects parameter 2 to be string, null given in C:\xampp\htdocs\e_id\login.php:77 Stack trace: #0 C:\xampp\htdocs\e_id\login.php(77): password_verify('password', NULL) #1 {main} thrown in C:\xampp\htdocs\e_id\login.php on line 77


login.php
<?php
 
/*
ERROR HANDLING
*/

declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
 
include 'config.php';
 
// check if user is already logged in
if (is_logged() === true)
{
        //Redirect user to the homepage after 2 seconds.
        header("refresh:2;url=home.php");
        exit; //Added it so script runs no further if user is logged-in.
}


if ($_SERVER['REQUEST_METHOD'] == "POST")
{
        if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
        {
                $username_or_email = trim($_POST["login_username_or_email"]); // I rid the mysqli_real_escape_string based on Mac_Guyver's suggestion.
                $password = $_POST["login_password"];
                $hashed_password = password_hash($password, PASSWORD_DEFAULT);
         
                //Select Username or Email to check against Mysql DB if they are already registered or not.
                $stmt = mysqli_stmt_init($conn);
               
                /* From reg.php
                $stmt = mysqli_prepare($conn, "SELECT usernames, emails FROM users WHERE usernames = ? OR emails = ?");
                mysqli_stmt_bind_param($stmt, 'ss', $username, $email_confirmation);
                mysqli_stmt_execute($stmt);
                $result = mysqli_stmt_get_result($stmt);
               
                $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
                */

               
        if (strpos($username_or_email, "@") !== false) // strpos() returns an int position or false, never true
                {
                        $email = $username_or_email;
                        $username = "";
                        $stmt = mysqli_prepare($conn, "SELECT emails FROM users WHERE emails = ?");                    
                        mysqli_stmt_bind_param($stmt, 's', $email);
                }
                else
                {
                        $username = $username_or_email;
                        $email = "";
                        $stmt = mysqli_prepare($conn, "SELECT usernames FROM users WHERE usernames = ?");
                        mysqli_stmt_bind_param($stmt, 's', $username);                 
                }              
                mysqli_stmt_execute($stmt);
                $result = mysqli_stmt_get_result($stmt); //Use either this line, or ...
                //$result = mysqli_stmt_bind_result($stmt, $db_username); // ... this line. But not both.
 
                $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
                printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
                var_dump($row);
               
                // Check if inputted Username or Email is registered or not.
                //Either type following paragraph or the next one but not both. Ask in forum which one is best.
 
                // PARAGRAPH 1
                       
                if (!$result) // either this paragraph or ...
                {
                        echo "Paragraph 1: Incorrect User Credentials!";
                        echo "Username/Email did not match!<br>"; //echo for debugging purpose. Remove from release version
                        echo "Username/Email $username_or_email<br>"; //echo for debugging purpose. Remove from release version
                        exit;                          
                }
                elseif (password_verify($password, $row['passwords']))
                {
                        if($row['accounts_activations_statuses'] == '0')
                        {
                                echo "Paragraph 1: You have not activated your account yet! Check your email for instructions on how to activate it. Check your spam folder if you don't find an email from us.";
                                exit;
                        }
                }
                else
                {
                        //If 'Remember Me' check box is checked then set the cookie.
                        if(!empty($_POST["login_remember"])) // Either use this line ....
                        //if (isset($_POST['login_remember']) && $_post['login_remember'] == "on") // ...or this line. But not both!
                        {
                                setcookie("login_username", $username, time()+ (10*365*24*60*60));
                        }
                        else
                        {
                                //'Remember Me' is not checked: delete any previously stored cookie.
                                if (isset($_COOKIE['login_username']))
                                {
                                        setcookie("login_username", "", time() - 3600); // expiry must be an int under strict_types; a past time deletes the cookie
                                }
                        }
                $_SESSION["user"] = $username;
                header("location:home.php?user=$username");                            
                }                      
        }
}
       
?>

<!DOCTYPE html>
<html>
<head>
<title><?php echo $site_name; ?> Member Login Page</title>
  <meta charset="utf-8">
</head>
<body>
<div class = "container">
<form method="post" action="">
<center><h3><?php echo $site_name; ?> Member Login Form</h3></center>
<div class="text-danger">
<div class="form-group">
<center><label>Username/Email:</label>
<input type="text" placeholder="Enter Username" name="login_username_or_email" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo htmlspecialchars($_COOKIE["login_username_or_email"], ENT_QUOTES, 'UTF-8'); ?>"></center>
</div>
<div class="form-group">
<center><label>Password:</label>
<input type="password" placeholder="Enter password" name="login_password" value="<?php if(isset($_COOKIE["login_password"])) echo htmlspecialchars($_COOKIE["login_password"], ENT_QUOTES, 'UTF-8'); ?>"></center>
</div>
<div class="form-group">
<center><label>Remember Login Details:</label>
<input type="checkbox" name="login_remember" /></center>
</div>
<div class="form-group">
<center><input type="submit" name="login_submit" value="Login" class="button button-success" /></center>
</div>
<div class="form-group">
<center><font color="red" size="3"><b>Forgot your password ?</b><br><a href="login_password_reset.php">Reset it here!</a></font></center>
<center><font color="red" size="3"><b>Not registered ?</b><br><a href="register.php">Register here!</a></font></center>
</form>
</div>
</body>
</html>


If you want to see the registration.php then look here:
http://forums.devnetwork.net/viewtopic.php?f=1&t=144266&p=709735#p709735

Thank you.


Last edited by requinix on Sat Sep 16, 2017 12:29 am, edited 1 time in total.
use [syntax=php] tags instead of [php]


Posted: Sat Sep 16, 2017 1:14 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13583
Location: New York, NY, US
The error message says $row['passwords'] is null. Find out why and you can solve the problem. Is it the right field name?
                elseif (password_verify($password, $row['passwords']))
 

_________________
(#10850)


Posted: Sat Sep 16, 2017 4:26 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Chris,

That is the problem. The "passwords" column has at least got one entry. It is not blank. So, why getting this error ?


Posted: Sat Sep 16, 2017 4:56 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
I switched this:
password_verify($password, $row['passwords']);
To this:
password_verify($password, (string)$row['passwords']);

And this error is gone:
"Fatal error: Uncaught TypeError: password_verify() expects parameter 2 to be string, null given in C:\xampp\htdocs\e_id\login.php:77
Stack trace:
#0 C:\xampp\htdocs\e_id\login.php(77): password_verify('password', NULL)
#1 {main} thrown in C:\xampp\htdocs\e_id\login.php on line 77".

But should the code really be like that by Type Casting the password_verify 2nd param ?


Posted: Sun Sep 17, 2017 6:32 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
UniqueIdeaMan wrote:
The "passwords" column has at least got one entry. It is not blank. So, why getting this error ?

Check your query, then. Maybe it's not returning any rows. Maybe there's a typo in column name. PHP isn't lying to you. If it says the argument is null, then it's null.

_________________
Supported PHP versions No longer supported versions


Posted: Sun Sep 17, 2017 8:07 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Celauran wrote:
UniqueIdeaMan wrote:
The "passwords" column has at least got one entry. It is not blank. So, why getting this error ?

Check your query, then. Maybe it's not returning any rows. Maybe there's a typo in column name. PHP isn't lying to you. If it says the argument is null, then it's null.


I did an extensive testing for hrs now trying different things. I realize now that the hashed pass keeps changing.
I mean, when I registered the password "student3", it got hashed and saved into db as:
$2y$10$UEkZFOvKLIfvsvZvDUtmPuRIorn6fH5op1tT/E40HPs
column name: passwords.

Now, when I try logging in with pass "student", the password verification fails:
if (password_verify($password, (string)$row['passwords'])).

And so, I changed that line of the code to:
if ($hashed_password == $db_password)// Here, during login, the $hashed_password is getting generated from the variable $password).

And guess what ? The following is showing as FALSE:
if ($hashed_password == $db_password);

Meaning, during login, when I type the $password, it got encrypted: $hashed_password.
And then I checked that $hashed_password against the db_hashed_password (hash in db) and there is no match.

$hashed_password =$2y$10$FSP/h40Uk0RI.Lx0rJEMFOsowqGEuM.qe1l3mv7E7sWJKlWzzhfFe
db_$hashed_password =$2y$10$UEkZFOvKLIfvsvZvDUtmPuRIorn6fH5op1tT/E40HPs

That is the big problem. Now, why is the script hashing it to one thing during registration and hashing it to another during login ?

Here is the update:

<?php
 
/*
ERROR HANDLING
*/

declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
 
include 'config.php';
 
// check if user is already logged in
if (is_logged() === true)
{
        //Redirect user to the homepage after 2 seconds.
        header("refresh:2;url=home.php");
        exit; //
}


if ($_SERVER['REQUEST_METHOD'] == "POST")
{
        if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
        {
                $username_or_email = trim($_POST["login_username_or_email"]); //
                $password = $_POST["login_password"];
                $hashed_password = password_hash($password, PASSWORD_DEFAULT);
         
                //Select Username or Email to check against Mysql DB if they are already registered or not.
                $stmt = mysqli_stmt_init($conn);
               
        if (strpos($username_or_email, "@") !== false) // strpos() returns an int position or false, never true
                {
                        $email = $username_or_email;
                        $username = "";
                       
                        $query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?";
                        // i = integer; s = string; d = double; b = blob.
                        $stmt = mysqli_prepare($conn, $query);                 
                        mysqli_stmt_bind_param($stmt, 's', $email);
                        mysqli_stmt_execute($stmt);
                    //$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
                        //Note from line below that the variables "$db_username", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, usernames, accounts_activations_statuses From users .. WHERE).
                        $result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.
                }
                else
                {
                        $username = $username_or_email;
                        $email = "";
                        // Formula from video: Php With Mysql Essential: 093 Introducing Prepared Statements
                        $query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
                        // i = integer; s = string; d = double; b = blob.
                        $stmt = mysqli_prepare($conn, $query);
                        mysqli_stmt_bind_param($stmt, 's', $username);
                        mysqli_stmt_execute($stmt);
                        //$result = mysqli_stmt_get_result($stmt); //Use either this line (if you need to get all data of the array without associating them to variables like you do with mysqli_stmt_bind_result), or ...
                        //Note from line below that the variables "$db_email", "$db_account_activation_status" are related to the tbl columns selected on $query ("SELECT ids, emails, accounts_activations_statuses From users .. WHERE).
                        $result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // ... this line. But not both.#
                }              
               
                //$rownums = mysqli_num_rows($result); // To get number of row matches
                //Which of the following to do and why that one over others ?
                $row = mysqli_stmt_fetch($stmt);
                //$row = mysqli_fetch_array($query, MYSQLI_ASSOC);
                //$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
               
                mysqli_stmt_close($stmt);
               
                printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
                var_dump($row); //On test, this showing as: () bool(true);
                var_dump($result); //On test, this showing as: () bool(true);
               
                if ($result == false)
                {
                        echo "'$result == false' on line 79! Incorrect User Credentials 1!<br>";
                        echo "Id from db: $db_id<br>";
                        echo "Email from db: $db_email<br>";
                        echo "Username from db: $db_username<br>";
                        echo "Hash: $hashed_password<br>";
                        echo "Account Activation Status from db: $db_account_activation_status<br>";
                        exit();
                }
                elseif ($row['accounts_activations_statuses'] == '0')
                {
                        {
                                echo "You have not activated your account yet! Check your email for instructions on how to activate it. Check your spam folder if you don't find an email from us.";
                                exit();
                        }
                }
                else
                {
                        echo "Else got triggered on line 98! That means 'result = TRUE'!<br>";//This ELSE is getting triggered on the test. That means $result = TRUE;
                        echo "Id from db: $db_id<br>";
                        echo "Email from db: $db_email<br>";
                        echo "Username from db: $db_username<br>";
                        echo "Password hash: $hashed_password<br>";
                        echo "Password from db: $db_password<br>";
                        echo "Account Activation Status from db: $db_account_activation_status<br>";
                }
               
                if (password_verify($password, (string)$row['passwords']))
                {
                        //If 'Remember Me' check box is checked then set the cookie.
                        if(!empty($_POST["login_remember"])) // Either use this line ....
                        //if (isset($_POST['login_remember']) && $_post['login_remember'] == "on") // ...or this line. But not both!
                        {
                                setcookie("login_username", $username, time()+ (10*365*24*60*60));
                        }
                        else
                        {
                                //'Remember Me' is not checked: delete any previously stored cookie.
                                if (isset($_COOKIE['login_username']))
                                {
                                        setcookie("login_username", "", time() - 3600); // expiry must be an int under strict_types; a past time deletes the cookie
                                }
                        }
                        $_SESSION["user"] = $username;
                        header("location:home.php?user=$username");                            
                }
                else
                {
                        echo "Else got triggered on line 124 stating: Incorrect User Credentials 2! That means 'password_verify = FALSE';<br>";
                        echo "Id from db: $db_id<br>";
                        echo "Email from db: $db_email<br>";
                        echo "Username from db: $db_username<br>";
                        echo "Hash: $hashed_password<br>";
                        echo "Password from db: $db_password<br>";
                        echo "Account Activation Status from db: $db_account_activation_status<br>";
                        exit();
                }
        }
}
       
?>

<!DOCTYPE html>
<html>
<head>
<title><?php echo $site_name; ?> Member Login Page</title>
  <meta charset="utf-8">
</head>
<body>
<div class = "container">
<form method="post" action="">
<center><h3><?php echo $site_name; ?> Member Login Form</h3></center>
<div class="text-danger">
<div class="form-group">
<center><label>Username/Email:</label>
<input type="text" placeholder="Enter Username" name="login_username_or_email" value="<?php if(isset($_COOKIE["login_username_or_email"])) echo htmlspecialchars($_COOKIE["login_username_or_email"], ENT_QUOTES, 'UTF-8'); ?>"></center>
</div>
<div class="form-group">
<center><label>Password:</label>
<input type="password" placeholder="Enter password" name="login_password" value="<?php if(isset($_COOKIE["login_password"])) echo htmlspecialchars($_COOKIE["login_password"], ENT_QUOTES, 'UTF-8'); ?>"></center>
</div>
<div class="form-group">
<center><label>Remember Login Details:</label>
<input type="checkbox" name="login_remember" /></center>
</div>
<div class="form-group">
<center><input type="submit" name="login_submit" value="Login" class="button button-success" /></center>
</div>
<div class="form-group">
<center><font color="red" size="3"><b>Forgot your password ?</b><br><a href="login_password_reset.php">Reset it here!</a></font></center>
<center><font color="red" size="3"><b>Not registered ?</b><br><a href="register.php">Register here!</a></font></center>
</form>
</div>
</body>
</html>

 


Posted: Mon Sep 18, 2017 5:11 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
The auto-generated salt is going to be different every time you run password_hash, so you'll get different hashes out. This is a good thing. It does, however, mean you can't compare two hashes of the same password. You need to use password_verify.

_________________
Supported PHP versions No longer supported versions


Posted: Mon Sep 18, 2017 6:40 am
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Celauran,

I did use password_verify. Look at my previous post on my 1st attempt in the test out of 2 attempts.
Thanks for telling me the salt changes every time. Was not aware of it. :)


Posted: Mon Sep 18, 2017 6:54 am
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
How do I output what password the password_verify function is getting so I can check what it is getting with what is in the db ?


Posted: Mon Sep 18, 2017 8:19 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
UniqueIdeaMan wrote:
Celauran,

I did use password_verify. Look at my previous post on my 1st attempt in the test out of 2 attempts.
Thanks for telling me the salt changes every time. Was not aware of it. :)

Yes I can see you were using it. That was never the problem. I was pointing out that you need to continue to use it. The problem is and has been with the data being passed to it.

_________________
Supported PHP versions No longer supported versions


Posted: Mon Sep 18, 2017 8:20 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
UniqueIdeaMan wrote:
How do I output what password the password_verify function is getting so I can check what it is getting with what is in the db ?

Step debugging if you have that set up. var_dump if you don't.

_________________
Supported PHP versions No longer supported versions
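
An added example, not code from any poster in this thread, covering the two replies above: why two password_hash() results for one password never compare equal, and how to look at the value reaching password_verify() as its second argument. The helper name inspect_stored_hash() and all sample values are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Describe the value about to be passed as the second argument of
 * password_verify(), without echoing the submitted password.
 * inspect_stored_hash() is a hypothetical helper name for this example.
 * Returns a list of problems; an empty list means the value looks usable.
 */
function inspect_stored_hash($stored): array
{
    if ($stored === null) {
        return ['NULL: column missing from the SELECT list, or no row was fetched'];
    }
    if (!is_string($stored)) {
        return [gettype($stored) . ' instead of string'];
    }

    $problems = [];
    if ($stored !== trim($stored)) {
        $problems[] = 'leading or trailing whitespace';
    }
    if (password_get_info($stored)['algoName'] === 'unknown') {
        $problems[] = 'not recognised as password_hash() output';
    }
    if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) !== 60) {
        $problems[] = sprintf(
            'bcrypt hash is %d characters, expected 60 (column too narrow?)',
            strlen($stored)
        );
    }
    return $problems;
}

// Constructed sample values, not taken from the thread.
$password       = 'sample-Passw0rd';
$atRegistration = password_hash($password, PASSWORD_DEFAULT);
$atLogin        = password_hash($password, PASSWORD_DEFAULT);
$truncated      = substr($atRegistration, 0, 50);

$checks = [
    // Each password_hash() call picks its own salt, so two hashes of one password differ ...
    'two hashes of the same password are equal'   => $atRegistration === $atLogin,
    // ... yet both verify, because password_verify() reads salt and cost back out of the hash.
    'password verifies against registration hash' => password_verify($password, $atRegistration),
    'password verifies against login-time hash'   => password_verify($password, $atLogin),
    // A hash cut short on its way into the database cannot match the recomputed one.
    'password verifies against truncated hash'    => password_verify($password, $truncated),
];
foreach ($checks as $label => $outcome) {
    printf("%-45s %s\n", $label, var_export($outcome, true));
}

// Diagnostic output for a good value, a truncated one, and the NULL from the error message.
foreach ([$atRegistration, $truncated, null] as $candidate) {
    echo json_encode(inspect_stored_hash($candidate)), "\n";
}
```

The database value quoted earlier in the thread is 50 characters as posted, while the freshly generated hash shown next to it is 60, which is the situation the length check reports.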


Posted: Mon Sep 18, 2017 5:40 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
So, how do I var_dump this:

Code:
if (password_verify($password, (string)$row['passwords'])==true)


Which one of the following is correct, if any ?

var_dump($password);
var_dump($row);
var_dump($row['passwords']);
var_dump((string)$row['passwords']);


Posted: Thu Sep 21, 2017 5:20 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Sorry, Celauran.
I had forgotten that I opened a thread here. Otherwise I never would have opened a duplicate here:
viewtopic.php?f=1&t=144290

Frankly, first do delete that thread instead of locking it and then delete this post so no reference to it exists online.


Last edited by UniqueIdeaMan on Wed Oct 04, 2017 8:59 am, edited 1 time in total.

Posted: Thu Sep 21, 2017 6:13 pm
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
As for why I did not query for the Password at the beginning alongside the Username and why I am querying for the Username/Email on the 1st attempt and Password on the 2nd attempt. Well if you read posts 13 & 17 (by Psycho) then you might understand why.
https://forums.phpfreaks.com/topic/304950-fatal-error-uncaught-mysqli-sql-exception/
In fact, read the original post there first or you won't understand the full context of the discussion. Let me know if you agree or disagree with Psycho there. I've got feedback now that it is bad advice and internet is full of it. But, I want your opinion here too.

I agree not all advice found on the internet is sound. I have found this true when Users at phpfreaks.com and maybe codingforums started pointing out that the sample codes from stackoverflow.com are buggy.
Buggy codes found here:
https://stackoverflow.com/questions/32522192/check-if-an-array-element-is-in-a-string

Anyway, I started believing Psycho in phpfreaks.com (not sure if he is right or wrong but let's see what pros (you included) say in both this forum and others) and that is why my current code is structured to query the Username/Email & Password in 2 separate attempts after I failed to get it to query it in a single attempt after adding PREP STMTS.
I did manage it in a single attempt on the NON-PREP STMT once upon a time. But, when I started adding the PREP STMT the trouble started.
If you check the 1st post there then you will see an attempt was made to check for Username/Email & Password on 1st attempt but it failed. And so, my current code took the turn towards Psycho's advice to make the query in 2 separate attempts instead.
Finally, don't forget to give your professional opinion on how the code should be where on the 1st attempt the query checks if there is a Username/Email & Password match or not.
Anyone else is welcome too!

AIM:
I am trying to create a Login system where the user can login to his account by either typing his Username or Email and Password. Like you do with your Youtube account.

Remember this showed error:

Code:
if (password_verify($password, $row['passwords']))


Fatal error: Uncaught TypeError: password_verify() expects parameter 2 to be string, null given in C:\xampp\htdocs\e_id\login.php:77 Stack trace: #0 C:\xampp\htdocs\e_id\login.php(77): password_verify('password', NULL) #1 {main} thrown in C:\xampp\htdocs\e_id\login.php on line 77

Therefore, I switched this:
password_verify($password, $row['passwords']);
To this:
password_verify($password, (string)$row['passwords']);

And this error is gone:
"Fatal error: Uncaught TypeError: password_verify() expects parameter 2 to be string, null given in C:\xampp\htdocs\e_id\login.php:77
Stack trace:
#0 C:\xampp\htdocs\e_id\login.php(77): password_verify('password', NULL)
#1 {main} thrown in C:\xampp\htdocs\e_id\login.php on line 77".

But should the code really be like that by Type Casting the password_verify 2nd param ? Others reply: No!
However, no-one has managed to provide a proper solution yet which I have tested and found positive. I have been given 2 samples to test and so I will keep you guys updated. Saying all this, I do not want to simply rely on the 2 samples as they may not work. And so, do give your own professional inputs on this issue too.

Once again, thanks!


Posted: Fri Sep 22, 2017 5:10 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
Quote:
<?php

// We don't really care about the stuff that was here

if ($_SERVER['REQUEST_METHOD'] == "POST")
{
        if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
        {
                $username_or_email = trim($_POST["login_username_or_email"]); // I rid the mysqli_real_escape_string based on Mac_Guyver's suggestion.
                $password = $_POST["login_password"];
                $hashed_password = password_hash($password, PASSWORD_DEFAULT);
         
                //Select Username or Email to check against Mysql DB if they are already registered or not.
                $stmt = mysqli_stmt_init($conn);
               
                /* From reg.php
                $stmt = mysqli_prepare($conn, "SELECT usernames, emails FROM users WHERE usernames = ? OR emails = ?");
                mysqli_stmt_bind_param($stmt, 'ss', $username, $email_confirmation);
                mysqli_stmt_execute($stmt);
                $result = mysqli_stmt_get_result($stmt);
               
                $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
                */

               
        if (strpos($username_or_email, "@") !== false) // strpos() returns an int position or false, never true
                {
                        $email = $username_or_email;
                        $username = "";
                        $stmt = mysqli_prepare($conn, "SELECT emails FROM users WHERE emails = ?");                    
                        mysqli_stmt_bind_param($stmt, 's', $email);
                }
                else
                {
                        $username = $username_or_email;
                        $email = "";
                        $stmt = mysqli_prepare($conn, "SELECT usernames FROM users WHERE usernames = ?");
                        mysqli_stmt_bind_param($stmt, 's', $username);                
                }              
                mysqli_stmt_execute($stmt);
                $result = mysqli_stmt_get_result($stmt); //Use either this line, or ...
                //$result = mysqli_stmt_bind_result($stmt, $db_username); // ... this line. But not both.
 
                $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
                printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
                var_dump($row);
               
                // Check if inputted Username or Email is registered or not.
                //Either type following paragraph or the next one but not both. Ask in forum which one is best.
 
                // PARAGRAPH 1
                       
                if (!$result) // either this paragraph or ...
                {
                        echo "Paragraph 1: Incorrect User Credentials!";
                        echo "Username/Email did not match!<br>"; //echo for debugging purpose. Remove from release version
                        echo "Username/Email $username_or_email<br>"; //echo for debugging purpose. Remove from release version
                        exit;                          
                }
                elseif (password_verify($password, $row['passwords']))
                {
                        if($row['accounts_activations_statuses'] == '0')
                        {
                                echo "Paragraph 1: You have not activated your account yet! Check your email for instructions on how to activate it. Check your spam folder if you don't find an email from us.";
                                exit;
                        }
                }
                else
                {
                        //If 'Remember Me' check box is checked then set the cookie.
                        if(!empty($_POST["login_remember"])) // Either use this line ....
                        //if (isset($_POST['login_remember']) && $_post['login_remember'] == "on") // ...or this line. But not both!
                        {
                                setcookie("login_username", $username, time()+ (10*365*24*60*60));
                        }
                        else
                        {
                                //'Remember Me' is not checked: delete any previously stored cookie.
                                if (isset($_COOKIE['login_username']))
                                {
                                        setcookie("login_username", "", time() - 3600); // expiry must be an int under strict_types; a past time deletes the cookie
                                }
                        }
                $_SESSION["user"] = $username;
                header("location:home.php?user=$username");                            
                }                      
        }
}
// And we don't really care about the markup      
?>
 

You definitely don't need separate queries for username, email, and password, but we'll get to that later. The bigger issue here is the null password. Look at where $row is defined. Look at the queries preceding it. $row either contains 'usernames' or it contains 'emails'. You've never selected the password columns, so of course it's going to be null, hence the error.

Once you've addressed that, you'll find things still don't work because you're re-hashing the password (see $password = line) and ultimately trying to pass different hashes of the same password to password_verify rather than the stored hash and the provided plaintext. http://php.net/manual/en/function.password-verify.php

Untested, but what about something like this?
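<?php

$pdo = new PDO('mysql:host=localhost;dbname=your_database', 'username', 'password');

// One query matches the login against either column and also returns the stored hash.
$query = "SELECT usernames, emails, passwords FROM users WHERE usernames = :username OR emails = :email";
$stmt = $pdo->prepare($query);
if (!$stmt->execute(['username' => $username_or_email, 'email' => $username_or_email])) {
    // Query failed. Handle error here
}

$row = $stmt->fetch(PDO::FETCH_ASSOC);

// fetch() returns false when no user matched; treat that the same as a wrong password.
// password_verify() takes the submitted plaintext first and the stored hash second.
if ($row === false || !password_verify($_POST['login_password'], $row['passwords'])) {
    // Password mismatch.
}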

I used PDO because I am more familiar with that syntax, but that's not important. This way you get everything you need in a single query.

_________________
Supported PHP versions No longer supported versions
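
An added example, not Celauran's code and not the original poster's, showing the single-query login check described above end to end. It uses an in-memory SQLite database through PDO as a stand-in for the MySQL server so it runs offline; the table and column names come from the thread, while the function name authenticate(), its return values and all sample accounts are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Look a user up by username OR e-mail in one query and check the password.
 * Returns 'ok', 'inactive' or 'invalid' (hypothetical result values).
 */
function authenticate(PDO $pdo, string $login, string $password): string
{
    // Verified when no usable hash is found, so an unknown login does the
    // same amount of hashing work as a wrong password.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'SELECT ids, usernames, passwords, accounts_activations_statuses
           FROM users
          WHERE usernames = :username OR emails = :email'
    );
    $stmt->execute(['username' => $login, 'email' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No row, or a NULL/non-string hash, is handled here instead of being cast to string.
    $hasHash    = $row !== false && is_string($row['passwords']);
    $storedHash = $hasHash ? $row['passwords'] : $dummyHash;

    // Plaintext first, stored hash second. The submitted password is never
    // re-hashed and compared against the stored value.
    $passwordOk = password_verify($password, $storedHash);

    if (!$hasHash || !$passwordOk) {
        return 'invalid'; // same answer for "no such user" and "wrong password"
    }
    if ((string) $row['accounts_activations_statuses'] === '0') {
        return 'inactive';
    }

    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE users SET passwords = :hash WHERE ids = :id');
        $update->execute(['hash' => password_hash($password, PASSWORD_DEFAULT), 'id' => $row['ids']]);
    }

    // On 'ok' the caller would call session_regenerate_id(true) and store the
    // user id in $_SESSION rather than passing the username in the redirect URL.
    return 'ok';
}

// --- Constructed demo data: in-memory SQLite standing in for the MySQL database ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE users (
        ids INTEGER PRIMARY KEY,
        usernames TEXT UNIQUE,
        emails TEXT UNIQUE,
        passwords VARCHAR(255),
        accounts_activations_statuses INTEGER
    )'
);
$insert = $pdo->prepare(
    'INSERT INTO users (usernames, emails, passwords, accounts_activations_statuses)
     VALUES (?, ?, ?, ?)'
);
$insert->execute(['alice', 'alice@example.test', password_hash('s3cret-sample', PASSWORD_DEFAULT), 1]);
$insert->execute(['bob', 'bob@example.test', password_hash('another-sample', PASSWORD_DEFAULT), 0]);

$attempts = [
    ['alice', 's3cret-sample'],              // username, correct password
    ['alice@example.test', 's3cret-sample'], // e-mail, correct password
    ['alice', 'wrong-password'],             // known user, wrong password
    ['nobody', 'whatever'],                  // unknown user
    ['bob', 'another-sample'],               // correct password, account not activated
];
foreach ($attempts as [$login, $password]) {
    printf("%-20s => %s\n", $login, authenticate($pdo, $login, $password));
}
```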

