I have taken a login script from one of my other projects and was setting it up for my current one. After creating the database (it has no entries) and uploading the files to the FTP, I went to the INDEX page, but after I tried logging in once with incorrect details nothing happened. Normally it should display a message saying 'incorrect credentials', but it didn't. I set up echo commands at various points within the code and managed to narrow down the error to one line. That line is setting a variable called $sql to a prepared SELECT statement; for some reason this is stopping the code, as any echo commands placed after that will not run. Any ideas as to what is going on and how I can fix it? Or do you guys think it would be better to follow a more up-to-date login system? That seems to include tokens, which will also be helpful for security.

    // Confirm login
    echo "1"; // debug marker
    include("config.php");
    $username = $_POST['username'];
    $password = $_POST['pass'];
    if (isset($_POST) && $username != '' && $password != '') {
        echo "2".$username; // debug marker
        // Look up the stored hash and per-user salt for this username
        $sql = $dbh->prepare("SELECT id,password,psalt FROM users WHERE username=?");
        echo "3"; // debug marker: not reached, execution stops on the line above
        $sql->execute(array($username));
        if ($sql->rowCount() > 0) {
            while ($result = $sql->fetch()) {
                $pass = $result['password'];
                $p_salt = $result['psalt'];
                $id = $result['id'];
            }
            echo "3";
            // Recompute the salted SHA-256 hash from the submitted password
            $site_salt = "salthashhere";
            $salted_hash = hash('sha256', $password.$site_salt.$p_salt);
            if ($pass == $salted_hash) {
                echo "5";
                $_SESSION['user'] = $id;
                header("Location:home.php");
            } else {
                echo "<h2>Username/Password is Incorrect.</h2>";
                echo "<a href='register.php'>Register Here</a>";
            }
        }
    } // closes the outer if, missing from the snippet as posted
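
An added example, not part of the original post: a self-contained version of the same lookup with error display on and PDO set to throw, so a failing prepare() produces a message instead of stopping without output, and with PHP's password_hash()/password_verify() swapped in for the post's SHA-256 plus salts scheme. The in-memory SQLite database, the connect() and check_login() helpers and the sample user are assumptions made for the demo; the users table and its columns follow the post, minus psalt, which password_hash() makes unnecessary.

```php
<?php
// Added example, not the poster's code. Table and column names follow the post;
// the in-memory SQLite database and the sample user are constructed for the demo.
error_reporting(E_ALL);
ini_set('display_errors', '1'); // development only: show fatal errors instead of a blank page

function connect(): PDO {
    $dbh = new PDO('sqlite::memory:');
    // Throw a PDOException when prepare()/execute() fails instead of failing quietly.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $dbh;
}

// Returns the user id on success, null on an unknown user or a wrong password.
function check_login(PDO $dbh, string $username, string $password): ?int {
    $stmt = $dbh->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(); // false when no such user; rowCount() is not reliable for SELECT on every driver
    if ($row === false) {
        return null;
    }
    // password_verify() reads salt and cost from the stored hash and compares in constant time.
    return password_verify($password, $row['password']) ? (int) $row['id'] : null;
}

$dbh = connect();
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $dbh->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed sample user

var_dump(check_login($dbh, 'alice', 'correct horse'));
var_dump(check_login($dbh, 'alice', 'wrong'));
var_dump(check_login($dbh, 'nobody', 'x'));

// A prepare() that cannot succeed now raises an exception that can be logged or shown.
try {
    $dbh->prepare('SELECT id FROM no_such_table WHERE username = ?');
} catch (PDOException $e) {
    echo 'prepare failed: ', $e->getMessage(), PHP_EOL;
}
```

In a real login handler, call session_start() before writing to $_SESSION, call session_regenerate_id(true) after a successful check, and exit immediately after the header("Location: ...") redirect.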