Becky Becky - 11 days ago 4x
PHP Question

Form not reading information from database

I am configuring a sign in form from a framework I use every now and then. However, for some reason the

error keeps populating. I know the information is correct in my database and I even edited the password within the database to remove the hash to eliminate this as the problem.

Does anyone have a clue as to why it keeps throwing the try again error saying the information is wrong? I am able to register a user and then I redirect them to this page to allow them to sign in, so the sign in is the only issue.

Please let me know if you need more code from the framework. I did not want to post loads of code.

ini_set('display_errors', 1);
require_once 'core/init.php';

if(Input::exists()) {
if(Token::check(Input::get('token'))) {

$validate = new Validate();
$validation = $validate->check($_POST, array(
'username' => array('required' => true),
'password' => array('required' => true)

if($validation->passed()) {
$user = new User();

$remember = (Input::get('remember') === 'on') ? true : false;
$login = $user->login(Input::get('username'), Input::get('password'), $remember);

if($login) {
} else {
echo $tryagain = '<span class="signinpanel">' . "The information you entered did not match our records." . '</span>';

} else {
foreach($validation->errors() as $error) {
echo $error, '<br>';


if(Session::exists('home')) {
echo '<p>' . Session::flash('home') . '</p>';
<form name="Sign In" action="" method="POST" autocomplete="on" accept-charset= "utf-8">
<div class="field">
<label for="username">Username</label>
<input type="text" name="username" autocomplete="on" required>
<div class="field">
<label for="password">Password</label>
<input type="password" name="password" autocomplete="off" required>
<div class="field">
<label for="remember">
<input type="checkbox" name="remember" id="remember"> Remember me
<input type="hidden" name="token" value="<?php echo Token::generate(); ?>">
<input type="submit" value="Sign In">

Login function

public function login($username = null, $password = null, $remember = false) {

if(!$username && !$password && $this->exists()) {
Session::put($this->_sessionName, $this->data()->id);
} else {
$user = $this->find($username);

if($user) {
if($this->data()->password === Hash::make($password, $this->data()->salt)) {
Session::put($this->_sessionName, $this->data()->id);

if($remember) {
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));

if(!$hashCheck->count()) {
$this->_db->insert('users_session', array(
'user_id' => $this->data()->id,
'hash' => $hash
} else {
$hash = $hashCheck->first()->hash;

Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
return true;

return false;


Hash file

class Hash {
public static function make($string, $salt = '') {
return hash('sha256', $string . $salt);

public static function salt($length) {
return mcrypt_create_iv($length);

public static function unique() {
return self::make(uniqid());


I think your error lies in the check you are making here:

if($this->data()->password === Hash::make($password, $this->data()->salt)) {
        Session::put($this->_sessionName, $this->data()->id);

If I read this correctly you are taking the value that the user has entered and are then creating a brand new Hash of the password with a new random salt being fed in. This value will change every time the code is executed but is (very) unlikely to ever be identical to the input password.

Initially this answer was based on the Laravel libraries:

Instead of using Hash:make use Hash::check as the guard to entering that block:

if(Hash::check($this->data()->password, $password)){
        Session::put($this->_sessionName, $this->data()->id);

This should give a pathway to let the login() function return true.

However, as @becky indicated that they weren't using Laravel a more general answer was needed:

The underlying problem that you have is that you're checking the plaintext password against the encrypted (hashed) password. In all good algorithms this won't be the same thing which is why it's never going to return true from the function.

What you need to do is check the hashed version of what the user has entered: Hash::make($password, $this->data()->salt) with the value that you've stored (because you only store the hashed version). If you can change the code to compare those two values they should be the same and so the identity operator === will return a true value.

Further discussions, and some debugging, indicated that what was coming back from the DB wasn't what was being created on the page by the

Hash::make($password, $this->data()->salt)

statement. On closer inspection it emerged that the length of the column on the db had been reduced from 64 characters to 50. As the Hash::make() function returned a 64-character hash the two could never equate. Remaking that DB column and regenerating the password hashes fixed the problem.