Users still can login although email and password that insert is wrong,why?

Question

I am quite new in php language..currently i am working on a login and registration system.but i dont know why the users still can login to the although the email and password insert is wrong,since i already make all the validation.So,guys,pls help me to see my code,see whether where the problem is.

here is my code

<?php
include('config.php');

    session_start();

    $errors=array();

 if ($_SERVER["REQUEST_METHOD"] == "POST"){

    $email = $_POST['email'];
    $password = $_POST['password'];

    if($email&&$password){

        //declare variable
        $query = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' Password=''$password");
        $numrows = mysqli_num_rows($query);

        //when user correct input,check the data 
        if($numrows !== 0) {
            while($row=mysqli_fetch_assoc($query)){
                $dbemail=$row['Email'];
                $dbpassword=$row['Password'];
            }
            //if username and password match
            if($dbemail=$email&&$dbpassword=$password)
            {
                $SESSION['$email']="$email";
                header('Location:user.html');

            }

            else
            {
                $errors['notcorrect'] = "Email or password not correct";
            }
        } 
        //when insert wrong data
        else{
            $errors['notexists'] = "This email doesn't exists";
        }
    }
    //when user didnt enter anything
    else{
        $errors['nothing'] = "Please enter your email and password";
    }
}

?>

any idea?

Examine this => `Password=''$password"` and this `$SESSION` and this `if($dbemail=$email&&$dbpassword=$password)`. — Funk Forty Niner, Dec 19 '14 at 12:17
You're wide open to an SQL injection attack http://xkcd.com/327/ - Also, you aren't using an AND in your SQL query so it might not be syntatically correct, and your code implies that you're storing passwords as plaintext which is a suicidally bad idea. You might want to look into fixing all three of these flaws. — GordonM, Dec 19 '14 at 12:30
@ken I made a slight edit also, therefore you will need to reload my answer. — Funk Forty Niner, Dec 19 '14 at 12:35

score 4 · Accepted Answer · edited May 23 '17 at 12:25

4

Let's examine these in detail:

Password=''$password"
$SESSION
if($dbemail=$email&&$dbpassword=$password)
WHERE Email='$email' Password=''$password")
$_SESSION['$email']="$email";

$password is outside your quotes.

Then $SESSION is missing an underscore between the $ and SESSION.

This is also a superglobal.

Then you're "assigning" using 1x = sign instead of "comparing" with if($dbemail=$email&&$dbpassword=$password)

Use 2x == signs.

You're missing an AND for WHERE Email='$email' Password=''$password")

WHERE Email='$email' AND Password='$password'");

You should also, and is recommended to add exit; after header.

header('Location:user.html');
exit;

Otherwise, your code risks in continuing to execute.

$_SESSION['$email']="$email"; there is a dollar sign in ['$email']

It needs to read as ['email'].

Sidenote:

Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.

Footnote(s):

In regards to Location:user.html are you sure you want to use an .html file? If you're not instructing Apache to treat .html files as PHP and with no conditional statement to check if the session is set and equal to what you've assigned to it, then anyone can access that file.
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

It is recommended to use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.

As the chinese proverb goes: "Show a man how to fish, feed him for life."

edited May 23 '17 at 12:25

Community

1
1

answered Dec 19 '14 at 12:22

Funk Forty Niner

74,450
15
68
141

@ken You've very much welcome Ken, *cheers* Glad I could help. – Funk Forty Niner Dec 19 '14 at 12:40
so for the $_SESSION where should i put??is it within the if statement?since is a superglobal? – ken Dec 19 '14 at 12:41
@ken You can leave it where it is now. But add the underscore `$_SESSION['email']="$email";` and you don't need the quotes around `$email` - `$_SESSION['email']=$email;` - and there was a dollar sign in there which escaped me. – Funk Forty Niner Dec 19 '14 at 12:42
1

@Fred-ii- You're on a hot streak. It's like at least five accepted answers in a row. :) – John Conde Dec 19 '14 at 18:58
@JohnConde I guess I like to make sure of my shot before I go up to bat ;-) – Funk Forty Niner Dec 19 '14 at 18:59
@JohnConde Actually, it's more like 10 ;) – Funk Forty Niner Dec 19 '14 at 19:04
@Fred-ii- complete and detailed answer as usual ! :) – meda Dec 19 '14 at 23:49
@meda Aye, I figured I could explain it for the OP to understand where the faults were. Seems like it worked too :-) says they learned a lot. – Funk Forty Niner Dec 19 '14 at 23:50

score 1 · Answer 2 · answered Dec 19 '14 at 12:21

1

Update this

 $query = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' AND Password='$password' ");

And also correct the session super global from $SESSION to $_SESSION

answered Dec 19 '14 at 12:21

Bhavya Shaktawat

2,504
1
13
11

score 0 · Answer 3 · answered Dec 19 '14 at 12:23

0

You are doing an assignment here where you should be doing a comparison:

if($dbemail=$email&&$dbpassword=$password)

Should be

if($dbemail == $email && $dbpassword == $password)

Whitespace makes things more readable.

answered Dec 19 '14 at 12:23

andrunix

1,704
1
14
23

score 0 · Answer 4 · edited Dec 19 '14 at 12:28

0

the error in select query you forgot and operator

$query = mysqli_query($con,"SELECT * FROM user WHERE Email='{$email}' AND Password='{$password}' ");

And change the equle operator in if statment with === like this

if($dbemail===$email&&$dbpassword===$password)

I hope that works successfully

edited Dec 19 '14 at 12:28

andrew

9,313
7
30
61

answered Dec 19 '14 at 12:26

hamdy

46
4

I edited your answer, use 4 spaces for code blocks, and ` for smaller snippets. I didn't fix the spelling errors though – andrew Dec 19 '14 at 12:30

Luzan Baral · Answer 5 · 2014-12-19T12:37:35.123

Update your code

<?php
include('config.php');

    session_start();

    $errors=array();

 if ($_SERVER["REQUEST_METHOD"] == "POST"){

    $email = $_POST['email'];
    $password = $_POST['password'];

    if($email&&$password){

        //declare variable
        $query = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' AND Password='$password'");
        $numrows = mysqli_num_rows($query);

        //when user correct input,check the data 
        if($numrows !== 0) {
            while($row=mysqli_fetch_assoc($query)){
                $dbemail=$row['Email'];
                $dbpassword=$row['Password'];
            }
            //if username and password match
            if($dbemail==$email && $dbpassword==$password)
            {
                $_SESSION['$email']="$email";
                header('Location:user.html');
                die();
            }

            else
            {
                $errors['notcorrect'] = "Email or password not correct";
            }
        } 
        //when insert wrong data
        else{
            $errors['notexists'] = "This email doesn't exists";
        }
    }
    //when user didnt enter anything
    else{
        $errors['nothing'] = "Please enter your email and password";
    }
}

?>

@ken fixed `SQL` query changed `$SESSION` to `$_SESSION` and used `=` to `==` — Luzan Baral, Dec 19 '14 at 12:40

Users still can login although email and password that insert is wrong,why?

5 Answers5