crf1121359 Posted April 10, 2014

Hello,

Let me first explain what I'm trying to do...

I have two tables in a MySQL database. The 1st is members and the other one is storename. I save a random unique key in both of these tables in the column randKey. This all works fine.

Now, I have a login form which I am trying to use which has INNER JOIN in the SELECT. The purpose of using INNER JOIN is to be able to use the randKey in both tables mentioned above so the users cannot log in to someone else's account, if you know what I mean. Only if the email, password and randKey are matched then they can log in?

However, when I run the PHP/login page and try to log in, I get "That information is incorrect, try again" echoed out to me...

Here is my code:

```php
<?php
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST["email"]) && isset($_POST["password"])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["email"]); // filter everything but numbers and letters
    $password = (!empty($_POST['password'])) ? sha1($_POST['password']) : ''; // filter everything but numbers and letters
    // Connect to the MySQL database
    include "config/connect.php";
    $sql = "SELECT members.id, members.email, members.password, members.randKey,
                   storename.email, storename.password, storename.randKey
            FROM `members`
            INNER JOIN `storename` ON (members.randKey = storename.randKey)
            WHERE members.email = '$manager' AND members.password = '$password' "; // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $query = mysqli_query($db_conx, $sql);
    if (!$query) {
        die(mysqli_error($db_conx));
    }
    $existCount = mysqli_num_rows($query); // count the row nums
    if ($existCount == 1) { // evaluate the count
        $row = mysqli_fetch_array($query, MYSQLI_ASSOC);
        $_SESSION["id"] = $row["id"];
        $_SESSION["manager"] = $manager;
        $_SESSION["password"] = $password;
        header("location: dashboard");
        exit();
    } else {
        echo 'That information is incorrect, try again <a href="login">Click Here</a>';
        exit();
    }
}
?>
```

Could someone please tell me why I cannot log in using the code above? Am I MISSING SOMETHING?
mac_gyver Posted April 10, 2014

Your statement of what and why you are doing it makes no sense. Having a second table, that apparently holds duplicate email and password fields, will in no way prevent someone from logging into someone else's account. All this has done is to create duplicate information that must now be maintained.

Authenticating someone involves inputting and checking values that only they should know. You are getting (actually posting) the visitor's email and password. Your program flow should be to validate those two inputs and check if you have a matching row in your members table, using the same processing/hashing algorithm that you used when the visitor registered.

The goal of the authentication process is to identify the visitor and get their user's id and any other 'static' information, such as the username, and store those values in session variables in order to remember who the current authenticated visitor is. These are the only values you should store in session variables. Storing the password makes no sense because you have already authenticated the visitor and the password is no longer relevant.

Lastly, something even tells me that the value you are identifying as an email isn't. Your preg_replace() statement won't permit an email, and referring to the value later as $manager/$_SESSION["manager"] says it means something else. If the email form field and database table field is not an email, don't name it such. Give it a name that matches its actual purpose (especially if you want someone else to help you with what your code is doing.)
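The flow described in the reply above, as an added example that is not part of the thread or either poster's code: validate the email rather than stripping characters from it, look up one row in members, verify the password with the algorithm used at registration, and keep only the id. Assumptions: an in-memory SQLite database through PDO stands in for the MySQL connection, registration is assumed to have stored `password_hash()` output (the thread's code uses `sha1()`), and the function names and sample member are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Constructed data; in-memory SQLite (PDO) stands in for the MySQL database.

// The filter from the posted code: it strips "@" and "." as well, so the
// result can never equal an address stored in members.email.
function posted_filter(string $email): string {
    return (string) preg_replace('#[^A-Za-z0-9]#i', '', $email);
}

// Validate the address instead of rewriting it; null means "not an email".
function validate_email(string $raw): ?string {
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Hypothetical helper: returns the member id on success, null otherwise.
function authenticate(PDO $db, string $rawEmail, string $password): ?int {
    $email = validate_email($rawEmail);
    if ($email === null) {
        return null;
    }
    // Placeholder binding keeps the input out of the SQL text.
    $stmt = $db->prepare('SELECT id, password FROM members WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumption: registration stored password_hash() output, so the same
    // algorithm is applied here through password_verify().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample table and member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO members (email, password) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(posted_filter('alice@example.com') === 'alice@example.com');
var_dump(authenticate($db, 'alice@example.com', 'wrong guess'));
$id = authenticate($db, 'alice@example.com', 'correct horse');
if ($id !== null) {
    // On the real login page: session_regenerate_id(true); $_SESSION['id'] = $id;
    // Only the id goes into the session, never the password.
    echo "authenticated member id {$id}\n";
}
```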