Jump to content

Login script


Ex1t

Recommended Posts

What is wrong in this code?

 

			$username = htmlspecialchars($_POST['username']);
			$password = md5($_POST['password']);

			$sql = "SELECT * FROM users WHERE username='$username' AND password='$password' ";

			if($conn->query($sql) === TRUE) {

				$_SESSION['username'] = $username;
				header('Location: panel.php');

			}

			else {

				echo 'Wrong username or passsword!'.mysqli_error($conn);

			}




I fixed it..
This is my code now:

 

                        $username = htmlspecialchars($_POST['username']);
			$password = md5($_POST['password']);

			$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
			$query = mysqli_fetch_assoc($conn, $sql);
			$run_query = mysqli_query($conn, $sql);

			if(!$run_query) {

				echo 'Wrong username or password!';

			}

			else {

				$_SESSION['username'] = $username;
				header('Location: panel.php');

			}

Edited by Ex1t
Link to comment
Share on other sites

Your login code is still broken. Anyone can login using any username or password that does or does not exist.

 

That is because your code only checks to see if the query executed. mysqli_query only returns TRUE when the query executed and FALSE if a MySQL error occured.

You need to check the query did return a row in order to authenticate the user

$result = mysqli_query($conn, $sql);

// check mysqli_query return TRUE, meaning query executed without error (returns FALSE otherwise)
if($result)
{
    // check the query did return a row, where the username and password hash used matched
    if(mysqli_num_rows($result) !== 0)
    {
        // can now authenticate the user
        $_SESSION['username'] = $username;
        header('Location: panel.php');
        exit; // use exit/die to terminate the script after using header redirect to prevent remaining PHP code from being executed
    }
    // the query did not return a row, incorrect login credentials used
    else
    {
        echo 'Wrong username or password!';
    }
}
// mysqli_query returned FALSE,  
else
{
    // query did not execute due to an error. Lets find out
    trigger_error('Login Query Error: ' . mysqli_error($conn));
}

 

 

Im using md5 only for my projects on localhost..

For Everything else im using bcrypt

Why? If you are going to use bcrypt when the project is finished then use it at the beginning.

  • Like 1
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.