If you get a "wrong username and password" message when logging in with a user account, it is caused by the password-hash issue. To resolve this problem, update login_verify.php with the following code:
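<?php
// login_verify.php — handles the POSTed login form: looks the user up,
// checks the password hash, and fills the session before redirecting to
// the start page that matches the selected location and the user's role.
session_start();

if (!isset($_POST['submit'])) {
    header('Location: login.php');
    exit;
}

require_once "./functions/dbconn.php";
require_once "./functions/dbfunc.php";

// Read the form fields with defaults so a missing field does not raise an
// "undefined index" warning. The password is used exactly as typed (apart
// from trim, which the original form handling also applied).
$name = trim($_POST['name'] ?? '');
$pass = trim($_POST['pass'] ?? '');
$loc  = $_POST['loc'] ?? '';

// Greeting chosen from the server's local time of day.
$ftime = strtotime("12:00:00");
$stime = strtotime("17:00:00");
$ltime = time();
$_SESSION['t'] = ($ftime > $ltime) ? "Morning" : (($stime > $ltime) ? "Noon" : "Evening");

// The lookup is a prepared statement, so the username is bound as-is and
// does not go through sanitize() (dbfunc.php). The password must not be
// passed through sanitize() either: if that helper escapes characters such
// as ' " \ — presumably it does, given its name and the $conn argument —
// the altered string can never match a hash computed from the raw password.
$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE username = ?");
if (!$stmt) {
    die("Database Error: " . mysqli_error($conn));
}
mysqli_stmt_bind_param($stmt, "s", $name);
if (!mysqli_stmt_execute($stmt)) {
    die("Database Error: " . mysqli_stmt_error($stmt));
}
$result = mysqli_stmt_get_result($stmt);
$user   = $result ? mysqli_fetch_assoc($result) : null;
mysqli_stmt_close($stmt);

if ($user === null) {
    header('Location: login.php?msg=1'); // Unknown user
    exit;
}

// Password check. Three stored forms are accepted so that accounts migrated
// at different points can all log in:
//   1. password_hash() of the raw password — the target format;
//   2. password_hash() of sha1($pass) — what the one-time rehash script
//      produces, because it only has the old SHA1 digest to work from;
//   3. a bare 40-character SHA1 hex digest that has not been migrated yet.
// Forms 2 and 3 assume the old scheme was an unsalted sha1($pass) hex
// digest — TODO confirm against the previous login_verify.php.
$stored   = (string) ($user['pass'] ?? '');
$direct   = password_verify($pass, $stored);
$verified = $direct
    || password_verify(sha1($pass), $stored)
    || (strlen($stored) === 40 && hash_equals($stored, sha1($pass)));
if (!$verified) {
    header('Location: login.php?msg=1'); // Wrong password
    exit;
}

// Now that the plaintext is known, upgrade legacy (forms 2/3) or outdated
// hashes to password_hash() of the raw password. Best effort: a failed
// update does not block the login.
if (!$direct || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    $newHash = password_hash($pass, PASSWORD_DEFAULT);
    $userId  = (int) $user['id'];
    $up = mysqli_prepare($conn, "UPDATE users SET pass = ? WHERE id = ?");
    if ($up) {
        mysqli_stmt_bind_param($up, "si", $newHash, $userId);
        mysqli_stmt_execute($up);
        mysqli_stmt_close($up);
    }
}

// Ensure user is active
if ((int) $user['active'] !== 1) {
    header('Location: login.php?msg=3'); // Account not active
    exit;
}

// Fetch setup data (first column = key, second column = value)
$setupArray = mysqli_query($conn, "SELECT * FROM setup");
if (!$setupArray) {
    die("Database Error: " . mysqli_error($conn));
}
$setup = [];
while ($row = mysqli_fetch_array($setupArray)) {
    $setup[$row[0]] = $row[1];
}

// Fetch user role (getDataById is defined in dbfunc.php)
$roleResult = getDataById($conn, "roles", $user['role']);
if (!$roleResult || !is_object($roleResult)) {
    die("Database Error: Role query failed.");
}
$role  = mysqli_fetch_assoc($roleResult);
$rname = (string) ($role['rname'] ?? '');
$isMaster = ($loc === "Master");

// Decide the landing page before touching the session: only an allowed
// combination of location and role gets session data written, so a
// rejected login never leaves a half-populated (partly logged-in) session.
$target = null;
if ($isMaster) {
    if ($rname === "Master") {
        $target = "index.php?msg=" . $_SESSION['t'];
    }
} elseif ($rname === "Admin") {
    $target = "index.php?msg=" . $_SESSION['t'];
} elseif ($rname === "User") {
    $target = "dash.php";
}

if ($target === null) {
    mysqli_close($conn);
    header('Location: login.php?msg=1'); // Role not permitted for this location
    exit;
}

// Fresh session id on successful authentication so a session id that was
// handed out before login cannot be reused (session fixation).
session_regenerate_id(true);

// Set session variables
$_SESSION['user_id']     = $user['id'];
$_SESSION['user_role']   = $rname;
$_SESSION['user_name']   = $user['fname'];
$_SESSION['user_access'] = explode(';', (string) ($role['acc_code'] ?? ''));
$_SESSION["id"]          = $rname;

if ($isMaster) {
    $_SESSION["loc"] = "Master";
    $_SESSION["lib"] = "Master";
} else {
    $_SESSION["loc"]     = sanitize($conn, $loc);
    $_SESSION["locname"] = $loc;
    $_SESSION["lib"]     = $setup['cname'] ?? 'Unknown';
    if ($rname === "User") {
        $_SESSION["libtime"]    = $setup['libtime'] ?? '';
        $_SESSION["noname"]     = $setup['noname'] ?? '';
        $_SESSION["banner"]     = $setup['banner'] ?? '';
        $_SESSION["activedash"] = $setup['activedash'] ?? '';
    }
}

// Close connection, then redirect
mysqli_close($conn);
header("Location: " . $target);
exit;
?>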
Next Steps:
🔹 Update your database to use password_hash() instead of sha1().
🔹 Run this one-time update script to rehash the old passwords:
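<?php
// One-time migration: wrap every legacy SHA1 password digest in a
// password_hash() hash. The plaintext passwords are not available, so the
// 40-character SHA1 hex digest itself is what gets hashed; the login code
// must therefore accept password_verify(sha1($pass), $stored) for these
// rows (and can rehash to the raw password once the user logs in).
require_once "./functions/dbconn.php";

$result = mysqli_query($conn, "SELECT id, pass FROM users");
if (!$result) {
    die("Database Error: " . mysqli_error($conn));
}

// Prepare the update once and rebind the same variables on each iteration
// instead of preparing a new statement per row.
$user_id         = 0;
$new_hashed_pass = '';
$update_stmt = mysqli_prepare($conn, "UPDATE users SET pass = ? WHERE id = ?");
if (!$update_stmt) {
    die("Database Error: " . mysqli_error($conn));
}
mysqli_stmt_bind_param($update_stmt, "si", $new_hashed_pass, $user_id);

$updated = 0;
$failed  = 0;
while ($row = mysqli_fetch_assoc($result)) {
    $user_id  = (int) $row['id'];
    $old_pass = (string) $row['pass'];

    // Only rows still holding a SHA1 hex digest (exactly 40 hex characters)
    // are touched. password_hash() output is longer and contains non-hex
    // characters, so already-migrated rows are skipped and the script is
    // safe to run more than once.
    if (strlen($old_pass) !== 40 || !ctype_xdigit($old_pass)) {
        continue;
    }

    $new_hashed_pass = password_hash($old_pass, PASSWORD_DEFAULT);
    if (mysqli_stmt_execute($update_stmt)) {
        $updated++;
    } else {
        $failed++;
    }
}

mysqli_stmt_close($update_stmt);
mysqli_close($conn);

// Report failures instead of claiming success unconditionally.
if ($failed === 0) {
    echo "Passwords updated successfully!";
} else {
    echo "Passwords updated with errors: {$failed} row(s) failed, {$updated} rehashed.";
}
?>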
2️⃣ Reset the Master Password Using password_hash()
Run this PHP script once to update the Master password:
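<?php
// One-time reset of the Master account password to a password_hash() hash.
// Set $new_password below, run the script once, then remove the file: it
// holds the plaintext password and would otherwise stay reachable from the
// web root.
require_once "./functions/dbconn.php";

$master_username = 'Master';
$new_password = 'your_master_password'; // Change this password with your password

// Refuse to run with the placeholder, otherwise the Master account would
// end up with a password that is printed in this very file.
if ($new_password === 'your_master_password') {
    die("Error updating password: set \$new_password before running this script.");
}

// Hash the new password
$hashed_password = password_hash($new_password, PASSWORD_DEFAULT);

// Update the database
$stmt = mysqli_prepare($conn, "UPDATE users SET pass = ? WHERE username = ?");
if (!$stmt) {
    die("Error updating password: " . mysqli_error($conn));
}
mysqli_stmt_bind_param($stmt, "ss", $hashed_password, $master_username);

if (!mysqli_stmt_execute($stmt)) {
    echo "Error updating password: " . mysqli_stmt_error($stmt);
} elseif (mysqli_stmt_affected_rows($stmt) === 0) {
    // execute() succeeds even when no row matches, so check that the
    // Master row was actually changed before reporting success.
    echo "Error updating password: no user named '{$master_username}' found.";
} else {
    echo "Master password updated successfully!";
}

mysqli_stmt_close($stmt);
mysqli_close($conn);
?>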
This might resolve the issue