Jump to content

Need help with password validation

batman1

By batman1
in PHP Coding Help

 Share

Recommended Posts

batman1 Newbie

batman1

Posted
Posted

I want to add password validation to this code so that it displays "Incorrect Password" if the email and password doesn't match...Need some help.. 

<?php 
    include('dbconnect.php');
    session_start();

    if(isset($_POST['userLogin'])){

        $email=mysqli_real_escape_string($conn,$_POST['email']);
        $pwd=md5($_POST['pwd']);
        $sql="SELECT * FROM user_info WHERE email='$email' AND password='$pwd'";
        $run_query=mysqli_query($conn,$sql);
        $count=mysqli_num_rows($run_query);

        if($count==1){
                $row=mysqli_fetch_array($run_query);
                $_SESSION['uid']=$row['user_id'];
                $_SESSION['uname']=$row['first_name'];
                echo "true";
        }
    }
    
 ?>

 

Link to comment
Share on other sites
gizmola Prolific Member

gizmola

Posted
Posted

Whenever you accept user input, you should use prepared statements.

Make sure that your server is using the mysqlnd library.

At that point you no longer need escaping of input.

You are also using md5() without a salt, which is a terrible way of hashing passwords.  This is why the PHP project provides the password functions that maxxd linked for you.  You should convert your code to use those.

The simplest answer to your question, with prepared statement use thrown in would be this:

  

<?php 
    include('dbconnect.php');
    session_start();

    if(isset($_POST['userLogin'])){
        $pwd = md5($_POST['pwd']);
        $stmt = mysqli_stmt_init($conn);
        $stmt = mysqli_stmt_prepare($stmt, "SELECT * FROM user_info WHERE email=? AND password=?";
        // No escaping required!
        mysqli_stmt_bind_param($stmt, 'ss', $_POST['email'], $pwd);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        
        $rows = array();
        // Fetch all rows.  Should be 0 or 1, but if your db design is bad or query is flawed, you could have > 1
        while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
            $rows[] = $row;
        }
        
        // Now count on rows    

        if (1 == count($rows)) {
            $row = $rows[0];
            $_SESSION['uid'] = $row['user_id'];
            $_SESSION['uname'] = $row['first_name'];
            echo "Login Successful";
            // Usually you would redirect to the Home page here using header();
            exit;
        } else {
            /* Usually you would redirect back to the login form 
               after putting the error message into either a hidden form field or a session variable */
            echo "Incorrect Password or Account";
            exit;
        }
    }
    
 ?>

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.