jharris133

asked on

Unable to login new user

I'm getting stuck when trying to login a new user to my site.  I have successfully been able to create a new user in my MySQL db via a PHP enabled front-end, and then it emails the user their password and username.  When I go back to login though, it keeps telling me that the login details were invalid.  I'm following the examples in Practical Web 2.0 Apps with PHP, so this isn't original code and there seems to be a problem with the code here (not for the first time).

Below is the code where this error message is generated...

// verify username and password aren't blank

if (count($errors) == 0) {

                    // setup the authentication adapter
                    $adapter = new Zend_Auth_Adapter_DbTable($this->db,


                    // try and authenticate the user
                    $result = $auth->authenticate($adapter);
                    if ($result->isValid()) {
                        $user = new DatabaseObject_User($this->db);

                        // record login attempt

                        // create identity data and write it to session
                        $identity = $user->createAuthIdentity();

                        // send user to page they originally request

                    // record failed login attempt
                    $errors['username'] = 'Your login details were invalid';

jharris133

Oh yeah, and the result of the var_dump on $result was:

object(Zend_Auth_Result)#57 (3) { ["_code":protected]=> int(-3) ["_identity":protected]=> string(5) "jon05" ["_messages":protected]=> array(1) { [0]=> string(31) "Supplied credential is invalid." } }

I just queried my MySQL database, and I noticed that all of the passwords have the same md5 hash value.  I think this would be why the login isn't working, because it's looking for a single password for everyone, but I'm not sure what that password is.  When the welcome email is sent out, it always displays a new password, but apparently the correct value isn't getting written to the database.  Hope this helps. Is there something I'm doing incorrectly when using the md5() function to encrypt the passwords?

Hello there mate, sadly I'm not sure what you're trying to achieve here. I do however have a password setup of my own that I can send you the code for here, for you to take a look at, if that helps you?
<form id="form" method="post" action="./login.php">
    <label>Username: </label>
    <br />
    <input type="text" name="username" value="" />
    <br />
    <br />

    <label>Password: </label>
    <br />
    <input type="password" name="password" value="" />

    <br />
    <br />

    <input type="submit" name="submit" value="Login" />
</form>

<?php
include("authenticate.php"); // We need to include the file the authentication class is in for later use

// The same way as normal, check to see if the form was submitted
if (isset($_POST["submit"])) {
    // Validate the inputs and clean them
    // Because validating the data is really outside the scope of this, I'll just do it in pseudo-code
    /* PSEUDO-CODE
    if username field has a value
        check the value is a valid format for a username (IE doesn't contain characters you don't allow)
        if the value is valid
            clean the value just in case
        end if
    end if
    if password field has a value
        check the value is a valid format for a password (IE doesn't contain characters you don't allow)
        if the value is valid
            clean the value just in case
            hash the password
        end if
    end if
    END PSEUDO-CODE */

    // At this point, assume you have two cleaned and validated variables for the username and password
    // $user and $pass

    // If the data passed turns out to be valid, let's start authenticating
    $auth = new Authentication(); // Create a new instance of the Authentication class

    // If the method "Login" in the authentication object returns "true"
    if ($auth->Login($user, $pass)) {
        // Do whatever you need to when the user is logged in
    } else {
        // If the method returns false
        // Output your error message
    }
}
?>

<?php
// authenticate.php
// This class will only work with PHP 5 and above due to the magic method __construct and the way global variables are created
class Authentication
{
    public $userData = array();
    private $dbLink;

    // This method is called when we create a new instance of the class. We don't need to supply any extra information to create the object, so we don't give it any arguments
    function __construct()
    {
        // Initialising variables is a good idea on a constructor
        $this->userData = array();

        // Connect to a database in the normal way and assign the link to $this->dbLink
    }

    // This is the method that is called in login.php to execute the login of the user
    public function Login($username, $password)
    {
        // You might want to validate the data here too, but you don't HAVE to because you already validated it in login.php

        // Using $this->dbLink, perform a standard database query to see if there is a record in there with the same username and password as the ones supplied
        $found = false; // placeholder: set this from the result of that query

        // You'd also want to put all the user data in to $this->userData and set up sessions and all that good stuff, but I'm too lazy to go through all that. I'm sure you can do that bit for yourself

        // If there is
        if ($found) {
            return true;
        }

        // If there isn't
        return false;
    }
}


Alternatively I have a PHP server AUTH login method I can show you.

Yes, can I please see the PHP server AUTH login method?

Here's a better desc of my problem.  I'm trying to develop a system where users can Register to create a new username, then automatically generate a password and email their new password to them.  The email is sent with an unencrypted password so the user can see it and use it to login, but then in the code it's immediately hashed using MD5() to be stored in the database.  

When I try to login, I receive an error that the credentials are invalid, even though I'm using the correct username and the generated password.  Further, when I look in the actual database, each user that I've created has the same hash value for their password, even though each one was different and uniquely generated.

Does that make more sense?

I question if the $username and $password variables are set. You may have to post more code, or you could try using $_POST['username'] (I'll have to assume you're coming from a form post login page). If this code had been written for an older version (3.x) of PHP or global variables had been turned on, it may have worked without the POST reference.

Ok, I changed the two lines in my code that set the setIdentity and setCredential to match yours above.  However, I'm still getting the same error as before.  I'd gladly provide more code if you need it, but I'm not sure what else you would be looking for.  The code I provided above was in the function loginAction() in the AccountController class.  I'm using Controllers and Smarty to display my pages.  Would you need something else there?

Sorry, I am really new to this.

Quick review.

Are you sure the users were created with the md5(?) option?

Are you sure $this->db is properly set?

What does var_dump($result); display?

The display for var_dump($result) is:

object(Zend_Auth_Result)#57 (3) { ["_code":protected]=> int(-3) ["_identity":protected]=> string(5) "jon05" ["_messages":protected]=> array(1) { [0]=> string(31) "Supplied credential is invalid." } }

How can I check if the $this->db is properly set?  The new username and hashed password appear in the database.

I think I figured out why all the keys in the db were the same...when I first set them up, all the hashes are the same, but when I click on the Forgot your password button, it will generate an email asking the user to validate their account.  Once that link is clicked on from the email, the key in the db changes to something unique.  However, even with a verified account, I'm receiving the same login error.

Is this how the md5() hash works, it starts as everything being the same until the account is verified?  If so, I'd rather do that validation in the welcome email in addition to the Forgot Password page, correct?

I just tried logging in with an authenticated (and changed) password and it finally worked.  So I guess I will just try to change that email that goes out to authenticate the initial password and then it should work?  I'll give that a shot and then mark your last post as a solution and award you the points.
Ok, so I was able to use the workaround fine, but I'd like to get this working as it's supposed to.  To generate the link to have the user validate their password, I'm using this line in my Smarty email template:


This works fine for if the user has forgotten their password, it allows them to click on the link, and then receive a message from my site that says that their password has been validated.  They can then login using this new password from the email.  The problem is that in order to use their password, the user must first register, then click on the Forgot your password link, which sends the email with the link included above.  I would like the very first register email to display a link to validate so they don't need to get two passwords in order for them to be able to login.

So I tried including the above line in the initial email, but it doesn't include a key value, like it hasn't been generated yet.  My question is then, how can I generate that key immediately after the account has been created?  I'm just not sure how that new_password_key gets generated in the first place.  Thanks!

Michael701
This solution is only available to members.

Thank you, I finally figured it out!  In the AccountController function fetchPasswordAction(), which is where the password is initially obtained, it was calling the fetchpassword() function (where the new key was generated), but it was not calling the confirmNewPassword function, which is what set the key.  So once I added that function call, the user is provided a link in the email, and when they click on the link, it automatically logs them in.  This is even better than the functionality described in the book, thanks for pointing me in the right direction!  As I said, I'm very new to this, so I really appreciate your patience and explanations.
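
The symptom reported in this thread (every new account showing the same MD5 value) can be checked directly, because md5() always returns the same output for the same input, so identical stored hashes mean the same value was hashed for each account. The following is an added example, not code from the thread or from the book; the usernames other than jon05, the sample passwords and the helper findSharedHashes() are constructed for illustration, and password_hash() assumes PHP 5.5 or later.

```php
<?php
// Constructed rows standing in for a users table (username => stored MD5 hex).
$rows = [
    'jon05' => md5(''),          // constructed: password variable was empty when hashed
    'amy12' => md5(''),          // constructed: same empty input, so the same hash
    'bob77' => md5('k3Qx9fLp'),  // constructed: a generated password that was stored
];

/**
 * Group usernames by stored hash and report every hash shared by more than
 * one account, noting when the shared value is the MD5 of an empty string.
 */
function findSharedHashes(array $rows): array
{
    $byHash = [];
    foreach ($rows as $username => $hash) {
        $byHash[strtolower($hash)][] = $username;
    }

    $report = [];
    foreach ($byHash as $hash => $users) {
        if (count($users) > 1) {
            $report[] = [
                'hash'     => (string) $hash,
                'users'    => $users,
                'is_empty' => hash_equals(md5(''), (string) $hash),
            ];
        }
    }
    return $report;
}

foreach (findSharedHashes($rows) as $hit) {
    printf("%s shared by %s%s\n", $hit['hash'], implode(', ', $hit['users']),
        $hit['is_empty'] ? ' (MD5 of an empty string)' : '');
}

// Salted alternative to a bare md5(): password_hash() embeds a random salt,
// so hashing the same password twice gives two different stored strings,
// and password_verify() checks a login attempt against either of them.
$first  = password_hash('k3Qx9fLp', PASSWORD_DEFAULT);
$second = password_hash('k3Qx9fLp', PASSWORD_DEFAULT);
var_dump($first === $second);                   // compares the two stored strings
var_dump(password_verify('k3Qx9fLp', $first));  // login attempt with the right password
var_dump(password_verify('', $first));          // login attempt with an empty password
```

A shared hash in the report means the registration path hashed the same value for each of those accounts, which points at the code that sets the password before saving rather than at the login check.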