I'm trying to create a login form which accesses details from a MySQL database and then redirects the user to another page. However, whenever I try to log in using the correct credentials, I keep getting an incorrect password error. Can anyone see anything wrong with the following code?

<?php
// Initialize the session

session_start();

// Check if the user is already logged in, if yes then redirect to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: index.php");
    exit;
}

// Include config file
include "connection.php";

// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";

// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

    //find first name of logged in user


    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = "Please enter username.";

    } else{
        $email = trim($_POST["username"]);

    // Check if the password is empty
    if(empty(trim($_POST["password"]))){
        $password_err = "Please enter your password.";

    } else{
        $password = trim($_POST["password"]);

    }

    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT Email, Password FROM users WHERE Email = ?";

        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_email);

            // Set parameters
            $param_email = $email;

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);

                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){                    
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $email, $hashed_password);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
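                            // Password is correct. The session was already started at the top
                            // of the script, so issue a fresh session ID instead of calling
                            // session_start() a second time
                            session_regenerate_id(true);

                            // allocate values to session variables
                            $_SESSION["loggedin"] = true;
                            $_SESSION["username"] = $email;

                            // Redirect user to welcome page and stop the script
                            header("location: index.php");
                            exit;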
                        } else{
                            // Display error message for incorrect password
                            $message = "Incorrect password, please try again";
                            echo "<script>
                            alert('$message');
                            window.location.href='login.php';
                            </script>";
                            exit;
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $message = "Incorrect username, please try again";
                    echo "<script>
                    alert('$message');
                    window.location.href='login.php';
                    </script>";
                    exit;
                }
            } else{
                echo "Something went wrong. Please try again later.";
            }
        } else {
            // The statement could not be prepared: stop and report the database error
            die("Error : " . mysqli_error($link));
        }

        // Close statement
        mysqli_stmt_close($stmt);
    }

    // Close connection
    mysqli_close($link);
}
}
?>

Any help would be appreciated.

1 Answers

0
pr.lwd On

This might be me being blind (or that this is just a snippet), but you're not actually opening your connection to MySQL so $link will be null at the point you try to prepare your statement. (Sorry I didn't post this as a comment, I'm too new to this)
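
A diagnostic for the symptom in the question, as an added example that is not part of the question or the answer: it checks that the connection handle is live and reports why `password_verify()` would reject a stored value. `diagnose_stored_hash()` and `link_is_usable()` are hypothetical helpers, the sample values are constructed, and a `Password` column too narrow for the hash is an assumed cause that the page does not confirm.

```php
<?php
// Added example: helpers and sample values are hypothetical, not from the question.

// Explain why password_verify() would reject a value read from users.Password.
function diagnose_stored_hash(string $stored, string $candidate): string
{
    $info = password_get_info($stored);
    if ($info['algoName'] === 'unknown') {
        // Not a complete password_hash() string: plaintext, another scheme,
        // or a bcrypt hash cut short by a column narrower than 60 characters.
        if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) < 60) {
            return 'truncated bcrypt hash (' . strlen($stored) . ' of 60 chars)';
        }
        return 'not a password_hash() value';
    }
    return password_verify($candidate, $stored) ? 'match' : 'wrong password';
}

// The answer's point: confirm the included file really produced a live handle.
// Accepts whatever the script ended up with in $link (null, false or mysqli).
function link_is_usable($link): bool
{
    return $link instanceof mysqli && mysqli_connect_errno() === 0;
}

// Constructed sample data, no database required.
$password = 'correct horse';
$full     = password_hash($password, PASSWORD_BCRYPT);

$samples = [
    'full hash'   => $full,                 // column wide enough
    'VARCHAR(50)' => substr($full, 0, 50),  // assumed too-narrow column
    'plaintext'   => $password,             // value stored without hashing
];

foreach ($samples as $label => $stored) {
    printf("%-12s %s\n", $label, diagnose_stored_hash($stored, $password));
}

// An undefined or failed connection shows up as null or false.
var_dump(link_is_usable(null), link_is_usable(false));
```

Run against a real row, the same function tells a malformed stored value apart from a genuinely wrong password, which the login form's single "Incorrect password" alert cannot.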