Home/ Questions/Q 8652339
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T14:17:11+00:00

So I have a php authentication script and everything works fine. But I’m very

  • 0

So I have a php authentication script and everything works fine. But I’m very unsure about the way I programmed it (I hardcoded some stuff) and I was hoping stack could look through this and point out any potential problems.

Here is the script:

<?php
require_once 'Bcrypt.php';
class Mysql {
    private $conn;

    function __construct() {
        $this->conn =  new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***') or 
                      die('There was a problem connecting to the database.');
    }

    function verify_Username_and_Pass($un, $pwd) {
        ini_set('display_errors', 'On');
        error_reporting(E_ALL | E_STRICT);
        $query = "SELECT *
                FROM Conference
                WHERE Username = :un";

        $stmt = $this->conn->prepare($query);

        $stmt->bindParam(':un', $un);
        //$stmt->bindParam(':pwd', $pwd);
        $stmt->execute();
        $row = $stmt->fetchAll();
        $hash = $row[0]["Password"];
        $is_correct = Bcrypt::check($pwd, $hash);

        if ($is_correct) {
            // User exist
            $firstName = $row[0]["First Name"];
            $_SESSION["FirstName"] = $firstName;
            return true;
            $stmt->close();
        }
        else {
            // User doesn't exist
            return false;
            $stmt->close();
        }
    }
}
?>

So how does it look?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Without testing it out, i think your code should work, the usage of BCrypt looks reasonable. There are some points that could be improved of course, some are maybe a matter of opinion.

    1. If your query doesn’t return any row (because no such user name exists), you would access an invalid index $row[0]["Password"]. You should first ask, if there is a result, before using it.
    2. Your call for closing the database is placed after the return statement, so it will never be executed. PHP will close the database automatically, so either close it before the return statement, or remove the line.
    3. You named your function verify_username_and_password(), but actually it does also read from the database and writes to the session. These are hidden activities, another developer cannot know that the session changes unless he reads the whole code. One possibility to solve this problem would be, to split up the function.

    untested example:

    $userRow = getUserRowFromDatabase($userName);
if (!is_null($userRow))
{
  if (verifyPassword($password, $userRow["Password"]))
  {
    addLoggedInUserToSession($userRow["First Name"])
  }
}

    Each of these three functions have only one problem to solve. This would make your code more readable, ideally it should be like reading a story in a book.

    Hope i could give you some ideas.

    • 0