I have a login form that requires a username and a password. I want the top of the form to say "Invalid Password" or "Invalid Username" if the login credentials are wrong. Could someone please offer insight into doing this?

The message says "Invalid Password" if one field is empty right now. I want it to have messages even if there is something in the field if it is wrong.

Here is the Login Form:

    <form action="index.php?action=login" method="post">
        <fieldset>

            <div style="color:red;"><?php echo isset($_REQUEST['err']) && $_REQUEST['err'] == 1 ? "Invalid Password" : "";?></div>
            <legend>Login</legend>
            <label for="loginName" class="required">Username:</label>
            <input id="loginName" name="loginName" type="text"
                   value="" required />
            <label for="password" class="required">Password:</label>
            <input id="password" name="password" type="password"
                   value="" required />
            <input id="submit" class="submit" type="submit" value="login"/>
        </fieldset>
    </form>

This is the login function (it is for a member/admin website so logs into two accounts):

    function connect($loginName) {
        global $db;
        // Bind the login name as a parameter instead of interpolating it into the SQL string
        $query = "SELECT email, level, password FROM members WHERE email = :email";
        $stmt = $db->prepare($query);
        $stmt->execute([':email' => $loginName]);
        return $stmt->fetch(PDO::FETCH_ASSOC);
    }

    //Login
    function login($loginName, $password) {
        $results = connect($loginName);

        if (!$results) {
            header('Location: /tire/admin/home.php?err=1');
        }

        if ($loginName === $results['email'] && password_verify($password, $results['password'])) {
            $_SESSION['loginName'] = $loginName;

            if ($results['level'] === 'a') { // 'a' == Administrator
                $_SESSION['level'] = 'Administrator';
                header('Location: /tire/admin/home.php');
            } elseif ($results['level'] === 'm') { // 'm' == Member
                $_SESSION['level'] = 'Member';
                header('Location: /tire/member/home.php');
                exit;
            }
        }

        header('Location: /tire/admin/home.php');
    }

//Logout
 function logout() {
    $_SESSION = array();
    session_destroy();
 }

@bakriawad Here it is where I'm trying your suggestion and it still isn't working. It's telling me $loginName and $password are undefined indexes.

    function error_message() {
        unset($error);
        $loginName = $_SESSION['loginName'];
        {
            $results = connect($loginName);
            $loginName === $results['email'];

            $password = password_hash($_POST['password'], PASSWORD_BCRYPT);

            $passwords = password_verify($password, $results['password']);

            if (!$results) { $error = "Username not found"; } //if no records returned, set error to no username
            else //if found
            {
                if ((isset($password)) !== (isset($passwords))) //check password, if matched log him in
                { $error = "Password is wrong"; } //if not matched then set error message
            }
        }

        if (isset($error)) echo $error; //if there is an error print it, this can be anywhere in the page
    }
  • What is your query, etc. We can't help you with only this Commented Mar 6, 2015 at 12:36
  • Just handle the different errors in your PHP code. Make $err an array and handle different cases based on the error you send through the server-side code. Commented Mar 6, 2015 at 12:39
  • Can we see the code that does the check? Something is setting a query string called err, so I guess that would be what you need to change. Commented Mar 6, 2015 at 12:41
  • Seems worth mentioning that it's considered bad practice to have a specific error message on login pages. Are you required to do so? Commented Mar 8, 2015 at 6:28
  • As a follow-up to my comment, you may want to read the OWASP best practices, found here: owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf - it specifically mentions this scenario. Commented Mar 8, 2015 at 6:45

1 Answer

PHP side: (pseudo code)

{
  unset($error);  // or $error="";, just reset it
  $loging = select from database where username = 'username'; //get data from database
  if(!$loging) {$error = "Username not found";} //if no records returned, set error to no username
  else //if found
  {

    if ($password == $loging['pass']) {login();} //check password, if matched log him in
    else $error = "Password is wrong";  //if not matched then set error message
  }

  if(isset($error))echo $error; //if there is an error print it, this can be anywhere in the page
}

JavaScript side:

Make an AJAX call to a PHP function that checks the login, sending the username and password. If it is correct, redirect the page to the welcome screen; if not, change the style of the box and/or display an error message. You will have to research this, as I have never used AJAX.

Try to do it yourself; if you stumble, I will be happy to provide you with a sample.

6 Comments

So far I can't get it to give me the correct results. It says the password is undefined and always says the passwords are wrong even though I'm using the password_verify on them. Thank you for trying to help, though. God bless you.
@ReginaShepherdRiddle Don't do it that way... try something like what I did above, it is much easier to deal with. Just use $results['password'] == $password, also echo both before you check and see if they are actually both set and matched. Also, is the retrieved password hashed or encrypted? If so, then hash / encrypt the $password first, then check.
You have to use the password_verify because they are encrypted with bcrypt. It's the only way to make them match and I did it exactly like you have it. Honest. It's not working though. It says the password is undefined.
For passwords, hashes are safer since you cannot get back the original data, yet you can still check whether he entered the right password or not; better than bcrypt and all encrypting methods. You can use md5($pass) and save it in the DB, then later call it back and use if(md5($password)==$result['password'] );. As for the problem you are having right now, it is hard to say unless I test it. I never tried encrypting and checking encrypted data.
It's giving me undefined index error and saying the password is wrong all the time. If you could help me figure out why that would be helpful. I can show you my code for the hashed password using bcrypt if you need to see it.
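
As an added example (not code from the question or the answer): a login check that follows the OWASP guidance mentioned in the comments by returning one generic error for both an unknown username and a wrong password. It passes the submitted plain-text password straight to password_verify() and uses a bound parameter for the lookup; the in-memory SQLite table, the sample accounts, and the checkLogin() and DUMMY_HASH names are assumptions made so the block runs on its own.

```php
<?php
// Added example. Table and column names follow the question; the in-memory
// SQLite database and its two accounts are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (email TEXT PRIMARY KEY, level TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
$ins->execute(['admin@example.test', 'a', password_hash('correct horse', PASSWORD_BCRYPT)]);
$ins->execute(['member@example.test', 'm', password_hash('battery staple', PASSWORD_BCRYPT)]);

// Verified when the account does not exist, so both failure paths run one
// bcrypt check and take about the same time.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_BCRYPT));

// Returns the redirect target. The caller sends it with header() and then
// exits, so no later header() call can replace the Location.
function checkLogin(PDO $db, string $loginName, string $password): string
{
    // Bound parameter: the login name is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT email, level, password FROM members WHERE email = :email');
    $stmt->execute([':email' => $loginName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() takes the submitted plain-text password and the stored
    // hash; hashing the submitted password first can never match.
    $ok = password_verify($password, $row ? $row['password'] : DUMMY_HASH);

    $homes = ['a' => ['Administrator', '/tire/admin/home.php'],
              'm' => ['Member', '/tire/member/home.php']];
    if (!$row || !$ok || !isset($homes[$row['level']])) {
        // Unknown user and wrong password share one error code; the form
        // then shows a single message such as "Invalid username or password".
        return '/tire/admin/home.php?err=1';
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after authentication
    }
    $_SESSION['loginName'] = $row['email'];
    $_SESSION['level'] = $homes[$row['level']][0];
    return $homes[$row['level']][1];
}

// Constructed attempts. A real handler reads $_POST['loginName'] and
// $_POST['password'], then: header('Location: ' . $target); exit;
foreach ([['admin@example.test', 'correct horse'],
          ['admin@example.test', 'wrong'],
          ['nobody@example.test', 'x']] as [$u, $p]) {
    echo str_pad($u, 22), ' => ', checkLogin($db, $u, $p), PHP_EOL;
}
```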