www.webdeveloper.com

Thread: Mysqli issue account login issue

  1. #1 (Join Date: Mar 2013, Posts: 67)

    Hi, I am having an issue with my login PHP code: when I enter my correct login information, the script incorrectly says my login is invalid.
    Could someone help me fix this problem? I have listed my code below.

    Register.php:
    - The registration is successful, and all information being sent is submitted to the database.

    PHP Code:
    <?php
    session_start();
    require("includes/db.php");

    // If form submitted, insert values into the database.
    $globaluser = isset($_POST['username']) ? $_POST['username'] : null;
    if (isset($globaluser)) {

        // default timezone ////////////////////////
        date_default_timezone_set("America/Chicago");
        ////////////////////////////////////////////

        // connection must exist before mysqli_real_escape_string() can use it
        $mysqli = new mysqli($host, $dbuser, $dbpass, $database);

        $ip    = $_SERVER["REMOTE_ADDR"];
        $name  = $_POST["username"];
        $email = $_POST["email"];

        // escapes special characters in a string (only the password; $name and $email go in unescaped)
        $password = stripslashes($_REQUEST['password']);
        $password = mysqli_real_escape_string($mysqli, $password);

        $mdate = date("d/m/y");
        $mtime = date("h:i:sa");

        // Default rank
        $defaultrank = "Member";
        //////////////

        $sql  = "SELECT * FROM accounts WHERE email = '" . $email . "'";
        $sqli = mysqli_query($mysqli, $sql);
        if (mysqli_num_rows($sqli) != 0) {
            // Return if row exists in database (User already exists)
            $_SESSION["errors"] = "userexists";
            header("Location: ./register.php");
            exit;
        } else {
            // Complete Registration. The stored value is md5($password), not the password itself.
            $query = "INSERT into `accounts` (ipaddress, name, email, password, rank, Reg_date, Reg_time)
                      VALUES ('$ip', '" . $name . "', '" . $email . "', '" . md5($password) . "', '$defaultrank', '$mdate', '$mtime')";
            $result = mysqli_query($mysqli, $query);
        }

        // Note: any output sent before header() breaks the redirect unless output buffering is on.
        echo "Name: " . $name . " <br/>Email: " . $email . "";
        if ($result) {
            // If Success, send to login
            mysqli_close($mysqli);
            $_SESSION["success"] = "complete";
            header("Location: login.php");
            exit;
        } else {
            $_SESSION["errors"] = "sqlfailed";
            header("Location: ./register.php");
            exit;
        }
    } else {
    ?>
        <?php include("includes/Registration_Form.php"); ?>
        </form>
        <?php if (empty($_POST["name"])) { ?><p>Already Have an Account? <a href="login.php">Log In</a></p><?php } ?>
    <?php } ?>
    Login.php:
    - This, however, is for some reason not working properly.

    PHP Code:
    <?php
    session_start();
    require("includes/db.php");

    $mysqli = new mysqli($host, $dbuser, $dbpass, $database);

    $email    = $_POST["email"];
    $password = stripslashes($_REQUEST['password']);
    $password = mysqli_real_escape_string($mysqli, $password);

    // compares the submitted password directly against the stored column
    $query  = "SELECT * FROM `accounts` WHERE email='" . $email . "' and password='" . $password . "'";
    $result = mysqli_query($mysqli, $query);
    $count  = mysqli_num_rows($result);

    if ($count == 1) {
        // Check users RANK then give them a session with their rank and profile details
        $myquery = mysqli_query($mysqli, "SELECT * FROM accounts WHERE email='" . $email . "'");
        while ($row = mysqli_fetch_assoc($myquery)) { //start
            $_SESSION["rank"]     = $row["rank"];
            $_SESSION["username"] = $row["name"];
            $_SESSION["email"]    = $row["email"];
            header("Location: ./index.php");
            exit;
        } //end
    } else {
        //INVALID USER
        $_SESSION["errors"] = "invalidlogin";
        header("Location: ./login.php");
        exit;
    }
    ?>
    It would be highly appreciated if someone could help me figure out what I am doing wrong.

    Thanks in advance!

  2. #2 (Join Date: May 2016, Location: Southern California, Posts: 81)
    Do you have error reporting turned on? What errors are there? If not, add this to the top of your login.php, refresh, and check what errors pop up:
    PHP Code:
    ini_set('display_errors', true);
    error_reporting(E_ALL);
    Next,
    Lots of security vulnerabilities in your code; you're open to SQL injection. You should be using prepared statements.

    If I were to post this from the login form on your site, bye-bye accounts table:
    PHP Code:
    $_POST['email'] = "some@email.com'; DELETE FROM accounts; /*";
    Also, don't store passwords as plain text in your DB! Encrypt it through password_hash and validate the password with password_verify if your server supports it. If your server doesn't, upgrade your PHP version to at least PHP 5 or use crypt; the point is you want to encrypt the passwords.

    I would use PDO instead of mysqli; here is an article explaining the differences:
    https://code.tutsplus.com/tutorials/...use--net-24059

    Here is a tutorial on using PDO:
    https://phpdelusions.net/pdo#query

    Find out more about sql injection here:
    https://phpdelusions.net/sql_injection

  3. #3 (Join Date: May 2016, Location: Southern California, Posts: 81)

    After a second look

    PS: md5 is hashing, not encryption; still not secure! You're storing your md5-hashed password in the DB from your register.php, but on login.php you're looking for the plain-text password in your select statement, not the md5-hashed password.
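    The two points raised in #2 and #3 (string-built SQL, and a hash stored at registration but plain text compared at login) fit together in one rewrite. The block below is an added example, not code from the thread or from either poster: the login/registration pair rebuilt with PDO prepared statements and password_hash()/password_verify(). It assumes PHP 7.1 or later and the thread's `accounts` table (columns ipaddress, name, email, password, rank, Reg_date, Reg_time); the DSN and credentials are placeholders for whatever includes/db.php defines. One caveat on the payload in #2: mysqli_query() executes a single statement, so the stacked `DELETE` would be rejected by the thread's code as written; the simpler payload shown in the comments below still logs in as the first account without knowing any password, because `$email` is concatenated into the query unescaped.

```php
<?php
// Added example (not the original poster's code). Assumes PHP >= 7.1 and the
// thread's `accounts` table. DSN and credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'dbuser', 'dbpass',                                // placeholder credentials
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// What the thread's concatenated query becomes. mysqli_query() runs only one
// statement, so the stacked DELETE from post #2 is rejected, but this payload
// needs no second statement: it returns exactly one row (the first account),
// so the thread's `$count == 1` check passes and the session is set for that user.
function vulnerableQuery(string $email, string $password): string
{
    return "SELECT * FROM `accounts` WHERE email='" . $email . "' and password='" . $password . "'";
}
// vulnerableQuery("x' OR '1'='1' LIMIT 1 -- ", "anything") yields:
//   SELECT * FROM `accounts` WHERE email='x' OR '1'='1' LIMIT 1 -- ' and password='anything'

function register(PDO $pdo, string $name, string $email, string $password): bool
{
    // password_hash() salts and hashes (bcrypt by default); md5() is not a
    // password hash and must not be used for this.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO accounts (ipaddress, name, email, password, rank, Reg_date, Reg_time)
         VALUES (:ip, :name, :email, :hash, :rank, CURDATE(), CURTIME())'
    );
    // Every user-supplied value is bound as data, never spliced into the SQL text,
    // so the payload above is just an odd-looking e-mail address here.
    return $stmt->execute([
        ':ip'    => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0',
        ':name'  => $name,
        ':email' => $email,
        ':hash'  => $hash,
        ':rank'  => 'Member',
    ]);
}

function login(PDO $pdo, string $email, string $password): ?array
{
    // Fetch by email only. The password is checked in PHP with password_verify(),
    // never compared inside SQL, which is where the thread's md5-vs-plain-text
    // mismatch came from.
    $stmt = $pdo->prepare(
        'SELECT name, email, password, rank FROM accounts WHERE email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();

    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for unknown e-mail and wrong password
    }
    unset($row['password']);
    return $row;
}

function establishSession(array $account): void
{
    session_regenerate_id(true); // fresh session id on login, against fixation
    $_SESSION['rank']     = $account['rank'];
    $_SESSION['username'] = $account['name'];
    $_SESSION['email']    = $account['email']; // $_SESSION, not $_session
}

// Usage from login.php, after session_start():
//   $account = login(connect(), $_POST['email'] ?? '', $_POST['password'] ?? '');
//   if ($account === null) {
//       $_SESSION['errors'] = 'invalidlogin';
//       header('Location: ./login.php');
//       exit;
//   }
//   establishSession($account);
//   header('Location: ./index.php');
//   exit;
```

    Note that the stored hash from the thread's register.php (an md5 hex string) will not verify with password_verify(); existing accounts would have to reset their passwords or be re-hashed on their next successful login.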

  4. #4 (Join Date: Mar 2013, Posts: 67)
    I realized my mistake, so I have scrapped my entire system and I am changing to PDO.
