
Help With Login Script


EddNicks


Hello,

I have been coding little bits and bobs for a little while now. But I have come across a problem that I can't think how I can solve.

I have a login system from a tutorial online but I would like the user to be able to log in with an email address instead of a username. I have managed to get this to work with a basic email like... edd@edd.com, but when I have an email with numbers (e.g. edd123@edd.com) then the login system will not work. I am sure that I have seen some sort of code that stops the input field from affecting the search to MYSQL.

Here is my code...

<? 
session_start(); 
?>
<html>
<head>
	<title>Login</title>
</head>
<body>
<?php
if (!isset($_POST['submit'])){
?>
<!-- The HTML login form -->
<center>
<br /><br /><br /><br />
	<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
		Email: <br />
        <input type="text" name="username" /><br /><br />
		Password: <br />
        <input type="password" name="password" /><br />
 
		<input type="submit" name="submit" value="Login" />
	</form>
    </center>
<?php
} else {
	require_once("db_const.php");
	$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
	# check connection
	if ($mysqli->connect_errno) {
		echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
		exit();
	}
 
	$username = $_POST['username'];
	$password = $_POST['password'];
	
 
	$sql = "SELECT * from traders WHERE pemail LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
	$result = $mysqli->query($sql);
	if (!$result->num_rows == 1) {
		echo "<p>Invalid email/password combination</p>";
	} else {
		$_SESSION['useremail'] = $username;
		echo $_SESSION['useremail'];
		echo("<h1>Welcome To The TAW Bunker</h1>");
		echo "<p>Logged in successfully</p>";
		// do stuffs
	}
}
?>		
</body>
</html>

Couple things:

1. Do not use $_SERVER['PHP_SELF'] as the form action, because it can be manipulated and is not safe. If you want to POST to the same page then just leave the action attribute out completely.

<form method="post">

2. You need to escape user input when you put it in a query, otherwise you are vulnerable to SQL injection. The easiest way is this, although I'd recommend you learn how to do prepared statements since you're already using MySQLI.

$username = $mysqli->real_escape_string($_POST['username']);
$password = $mysqli->real_escape_string($_POST['password']);

3. Do not store passwords in plaintext in the database. Bad. You need to hash them with a secure hashing algorithm. PHP>=5.5 has this built in, with password_hash() and password_verify().

4. You don't use LIKE for this purpose. Your WHERE clause should look like:

WHERE pemail = '{$username}' AND password = '{$password}'

Other than that, I don't see anything that would make your email not work. Logging in with email as the username is exactly the same as logging in with a username as a username.
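The prepared-statement and password_verify() approach recommended in the reply above, shown as an added example that is not part of the original thread. It keeps the traders table, the pemail and password columns, and db_const.php from the question, and assumes the password column holds password_hash() output written at registration; check_login() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread.
// Assumption: at registration the password was stored with
//   password_hash($password, PASSWORD_DEFAULT)
// in traders.password (a VARCHAR(255) column leaves room for future algorithms).
session_start();
require_once("db_const.php"); // DB_HOST, DB_USER, DB_PASS, DB_NAME, as in the question

function check_login(mysqli $mysqli, string $email, string $password): bool
{
    // The ? placeholder keeps the email out of the SQL text entirely,
    // so quotes or wildcard characters in it cannot change the query.
    $stmt = $mysqli->prepare("SELECT password FROM traders WHERE pemail = ? LIMIT 1");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none matched
    $stmt->close();

    // The password never goes into the query: look up the stored hash by
    // email, then let password_verify() do the comparison.
    return $found === true && password_verify($password, $hash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    if ($mysqli->connect_errno) {
        exit("<p>Database connection failed</p>"); // no driver details sent to the browser
    }
    // Reject non-string input such as username[]=x before it reaches the query.
    $email    = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    if (check_login($mysqli, $email, $password)) {
        session_regenerate_id(true);   // fresh session ID once authenticated
        $_SESSION['useremail'] = $email;
        echo "<p>Logged in as " . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . "</p>";
    } else {
        echo "<p>Invalid email/password combination</p>";
    }
}
```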

You need to determine why your login code isn't matching a row in your database table by actually investigating what is happening in your code and in your data.

Is the registration code doing anything to the email address? When you look directly at the data in your database table (using phpMyAdmin or a similar tool) what is stored for the email in the case where it doesn't match?

Any chance you accidentally entered a space or other white-space character before or after the email address when you registered it, but not when trying to log in?
