Help With Login Script

[EddNicks]

Hello, 

 

I have been coding little bits and bobs for a little while now. But i have come across a problem that i can't think how i can solve it.

 

I have a login system form a tutorial online but i would like the use to be able to login with an email address instead of a username. I have managed to get this to work with a basic email like... edd@edd.com,  but when i have an email will numbers (e.g. edd123@edd.com) then the login system will not work. I am sure that i have seen some sort of code that stops the input field from affecting the search to MYSQL. 

 

Here is my code...

<? 
session_start(); 
?>
<html>
<head>
	<title>Login</title>
</head>
<body>
<?php
if (!isset($_POST['submit'])){
?>
<!-- The HTML login form -->
<center>
<br /><br /><br /><br />
	<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
		Email: <br />
        <input type="text" name="username" /><br /><br />
		Password: <br />
        <input type="password" name="password" /><br />
 
		<input type="submit" name="submit" value="Login" />
	</form>
    </center>
<?php
} else {
	require_once("db_const.php");
	$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
	# check connection
	if ($mysqli->connect_errno) {
		echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
		exit();
	}
 
	$username = $_POST['username'];
	$password = $_POST['password'];
	
 
	$sql = "SELECT * from traders WHERE pemail LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
	$result = $mysqli->query($sql);
	if (!$result->num_rows == 1) {
		echo "<p>Invalid email/password combination</p>";
	} else {
		$_SESSION['useremail'] = $username;
		echo $_SESSION['useremail'];
		echo("<h1>Welcome To The TAW Bunker</h1>");
		echo "<p>Logged in successfully</p>";
		// do stuffs
	}
}
?>		
</body>
</html>

[scootstah]

Couple things:

 

1. Do not use $_SERVER['PHP_SELF'] as the form action, because it can be manipulated and is not safe. If you want to POST to the same page then just leave the action attribute out completely.

<form method="post">

2. You need to escape user input when you put it in a query, otherwise you are vulnerable to SQL injection. The easiest way is this, although I'd recommend you learn how to do prepared statements since you're already using MySQLI.

$username = $mysqli->real_escape_string($_POST['username']);
$password = $mysqli->real_escape_string($_POST['password']);

3. Do not store passwords in plaintext in the database. Bad. You need to hash them with a secure hashing algorithm. PHP>=5.5 has this built in, with password_hash() and password_verify().

 

4. You don't use LIKE for this purpose. Your WHERE clause should look like:

WHERE pemail = '{$username}' AND password = '{$password}'

Other than that, I don't see anything that would make your email not work. Logging in with email as the username is exactly the same as logging in with a username as a username.

[mac_gyver]

you need to determine why your login code isn't matching a row in your database table by actually investigating what is happening in your code and in your data.

 

is the registration code doing anything to the email address? when you look directly at the data in your database table (using phpmyadmin or a similar tool) what is stored for the email in the case where it doesn't match?

 

any chance you accidentally entered a space or other white-space character before or after the email address when you registered it, but not when trying to log in?

[EddNicks]

hello,

 

I have worked out the issue.... The automated password generator i have puts a space at the end of it... 

$randomgen = mt_rand() . "\n";
echo mt_rand(10);

I presume i may need to remove the "\n"   ??

[mac_gyver]

you could always make the change you have theorized will correct the problem, perform a test, and observe the results to see if the experiment proves or disproves your theory about the cause of the problem - https://en.wikipedia.org/wiki/Scientific_method

Edited July 16, 2015 by mac_gyver