
I currently have a problem with the following PHP code:

if ($result['username'] == $_POST["name"]) {
    $bcrypt = new Bcrypt(10);
    $password = $_POST["password"];
    $hashdb = $result['password'];

    $hash = $bcrypt->hash($password);
    $isGood = $bcrypt->verify($password, $hashdb);

    if ($isGood == 1) {

        if ($result['active'] == 1) {

            $_SESSION["login"] = $result['firstname']." ".$result['lastname'];
            $_SESSION["functionlevel"] = $result['functionlevel'];

            header("location:startpagina.php");
        } else {
            echo 'Account blocked or not activated';
        }

    } else {
        echo 'Password not correct';
    }

} else {
    echo 'Username not correct';
}

I am using the Andrew Moore bcrypt class for hashing and verifying the passwords. For some reason my if statement seems to fail and suddenly stops after the second if statement. If this one fails it shows the password not correct option. But if it is true it does not continue to the third if.

I have tried different options in the second if like:

if ($isGood) {
if ($isGood == true) {
if ($isGood !== false) {
if ($isGood !== 0) {

But somehow none of these seem to continue if the statement is met. It just shows the login page again instead of continuing to startpagina.php. The login page worked fine without the bcrypt implementation and with just checking two md5 hashes against each other.

Can anybody help me trying to find the problem?

    first typo `$password = $_POST["password];` should be `$password = $_POST["password"];` – NullPoiиteя Dec 22 '12 at 10:27
  • where is $result['active'] set? You use it in an IF statement - but I do not see it defined anywhere – Laurence Dec 22 '12 at 10:29
  • @NullPointer Fixed the typo. Somehow when copying and pasting the code here I made that error. @TheShiftExchange `$result['active']` comes from the database. $result is an array containing the users data. – MuerteDiablo Dec 22 '12 at 10:33
  • Put 'exit();' after 'header("location:startpagina.php");' It will prevent more issues – Chris Dec 22 '12 at 10:39

1 Answer


Your $isGood is always going to be false - because you have not verified the hash correctly.

Change

    $hash = $bcrypt->hash($password);
    $isGood = $bcrypt->verify($password, $hashdb);

to

    $hash = $bcrypt->hash($_POST["password"]);
    $isGood = $bcrypt->verify($hashdb, $hash);

This is how I would write it:

if ($result['username'] == $_POST["name"]) {
    $bcrypt = new Bcrypt(10);

    if ($bcrypt->verify($result['password'], $bcrypt->hash($_POST["password"]))) {

        if ($result['active']) {

            $_SESSION["login"] = $result['firstname']." ".$result['lastname'];
            $_SESSION["functionlevel"] = $result['functionlevel'];

            header("location:startpagina.php");
            exit();
        } else {
            echo 'Account blocked or not activated';
        }
    } else {
        echo 'Password not correct';
    }

} else {
    echo 'Username not correct';
}
Laurence
  • Finally figured out what the problem was. My `if` statement was working correctly (didn't matter which way). The problem was that it didn't execute the `header("startpagina.php");`, which is why it displayed the login screen again. Now that I have fixed it I can finally continue. But still thanks for your help. Your method is smaller than mine so I am using that one now. – MuerteDiablo Dec 22 '12 at 16:10
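Added example, not code from the question or the answer: a stand-alone version of the same login check built on PHP's native bcrypt functions `password_hash()` / `password_verify()` (assumes PHP 7 or later; the user row and form input are constructed inline so it runs offline, and `header()` is a no-op when run from the command line). It also shows why a freshly computed bcrypt hash can never be compared to the stored one by equality, and puts the `exit()` after `header()` that the comments above call for.

```php
<?php
// Added example (not from the question or the answer): a stand-alone login
// check on PHP's native bcrypt functions, password_hash()/password_verify().
session_start();
// Constructed sample user row; the hash is generated here so the example
// runs offline. In the real app this row comes from the users table.
$storedRow = [
    'username'  => 'alice',
    'password'  => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
    'active'    => 1,
    'firstname' => 'Alice',
    'lastname'  => 'Example',
];

// Constructed sample form submission, standing in for $_POST.
$post = ['name' => 'alice', 'password' => 'correct horse'];

// Every bcrypt hash embeds its own random salt, so hashing the same password
// again yields a different string and can never equal the stored hash.
// Verification re-runs bcrypt with the salt taken from the stored hash.
$rehash = password_hash($post['password'], PASSWORD_BCRYPT, ['cost' => 10]);
echo 'fresh hash equals stored hash: ', var_export($rehash === $storedRow['password'], true), "\n";
echo 'password_verify: ', var_export(password_verify($post['password'], $storedRow['password']), true), "\n";

function checkLogin(array $row, array $post): string
{
    // Strict comparison: == treats numeric-looking strings loosely.
    if ($row['username'] !== $post['name']) {
        return 'Username not correct';
    }
    // Argument order is (plaintext, stored hash), never (hash, hash).
    if (!password_verify($post['password'], $row['password'])) {
        return 'Password not correct';
    }
    if ((int) $row['active'] !== 1) {
        return 'Account blocked or not activated';
    }
    // Distinct messages reveal which usernames exist; a single generic
    // "Login failed" for both cases is the safer choice.
    return 'ok';
}

$outcome = checkLogin($storedRow, $post);
if ($outcome !== 'ok') {
    echo $outcome, "\n";
} else {
    $_SESSION['login'] = $storedRow['firstname'] . ' ' . $storedRow['lastname'];
    header('Location: startpagina.php');
    exit(); // without this the login form after header() is still sent
}
```

With the Andrew Moore class, the same argument order applies: the plaintext submitted password goes first and the hash loaded from the database second.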