
I'm trying to make a login system for my project, but I don't know how I can check if the password that the user typed is correct.

Login.php

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);
require_once("guest.php");
require_once("db.php");

$error = "";

global $tf_handle;
$gb = new guest();

if(isset($_POST['login']))
{

  $u_email    = mysqli_real_escape_string($tf_handle, $_POST['email']);   

  $u_password   = mysqli_real_escape_string($tf_handle, $_POST['password']);

  $check = $gb->email_exist($tf_handle,$u_email); // check if email exist in database

  if($check) // if true
  {
    //check if the password is right 
    $chpassword = mysqli_query($tf_handle,"SELECT * FROM `users` WHERE `email` = '$u_email' AND `password` = '$u_password'");

    if($chpassword) 
    {
      $error = "Thanks for logging in, you will be redirected...";
      header( "refresh:3;url=index.php" );      
    }
    else
    {
      $error = "Email Doesn't Exist";
    }

  }
  else
  {

    $error = "Wrong information";

  }
}

?>

<!doctype html>
<html>
  <head>
    <title>Login Page</title>
    <link rel="stylesheet" href="css/styles.css" />

  </head>
  <body>
     <div id="error" style="<?php if ($error !=""){?> display:block;<?php }?>"><?php echo $error;?></div>
      <div id="wrapper">

        <div id="menu">
            <a href="Registration.php">Sign Up</a>
            <a href="Login.php">Login</a>
        </div>  
        <div id="formDiv">

            <form method="POST" action="Login.php"> 
              <label>Email:</label><br/>
              <input type="text" name="email" class="inputFields" required /><br/><br/>

              <label>Password:</label><br/>
              <input type="password" name="password" class="inputFields" required /><br/><br/>

              <input type="checkbox" name="keep" />
              <label>Keep me logged in</label><br/><br/>


              <input type="submit" name="login" class="theButtons" value="Login!" />
            </form>  

        </div>

      </div>

  </body>
</html>

guest.php

<?php

require_once('db.php');
class guest
{

function email_exist($email,$con)
{
    $result = mysqli_query($con,"SELECT * FROM `users` WHERE `email` = '$email'");
    if(mysqli_num_rows($result) == 1)
    {
        return true;
    }
    else
    {
        return false;   
    }
}

}

The problem is in the line below:

$chpassword = mysqli_query($tf_handle,"SELECT * FROM `users` WHERE `email` = '$u_email' AND `password` = '$u_password'");

or in the email_exist() function.

It makes me log in, even if the password is wrong.

smile
  • You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Sep 14 '15 at 17:34
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php). – Jay Blanchard Sep 14 '15 at 17:34

3 Answers


You used an if() statement. You're just declaring the variable $chpassword and thereby calling the SQL Query. This succeeds, so the condition is true. It doesn't really check if it's the same with the password from the database.

Take a look here

You would want something like this:

$query = mysql_query("select * from login where password='$password'
    AND username='$username'", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
    ...
}
Matthijs van Hest
  • No!! I tried, but this isn't the problem. Can you check the email_exist function with me? – smile Sep 14 '15 at 16:47
  • You're using both wrong. Take a look at the operators. You shouldn't be using a single `=` as this just says if the query succeeded. It doesn't obtain any data and doesn't do any validation. – Matthijs van Hest Sep 14 '15 at 16:49
  • Catchable fatal error: Object of class mysqli could not be converted to string in /var/www/html/guest/guest.php on line 77. I get this error now in this line: $result = mysqli_query($con,"SELECT FROM users WHERE email = '$email'") – smile Sep 14 '15 at 17:20
  • This error is solved, but same problem: if(mysqli_num_rows($chpassword) > 0) still gives the same problem. – smile Sep 14 '15 at 18:05

According to the man page, mysqli_query will return a result even if there are no rows, so you need to do something like the following:

$chpassword = mysqli_query($tf_handle,"SELECT * FROM `users` WHERE `email` = '$u_email' AND `password` = '$u_password'");

if($chpassword->num_rows > 0) {
    /* do your login stuff */
} else {
    /* do your not-logged-in stuff */
}

Also, as a side note, I would not store passwords in plain text; I would use something like hash_pbkdf2 to store the passwords in an encrypted fashion.

Severun
  • Catchable fatal error: Object of class mysqli could not be converted to string in /var/www/html/guest/guest.php on line 77. I get this error now in this line: $result = mysqli_query($con,"SELECT FROM users WHERE email = '$email'"); – smile Sep 14 '15 at 17:10
  • Can you check the email_exist function first please? :) – smile Sep 14 '15 at 17:12
  • It does not appear that you are setting $tf_handle, you need something like: $tf_handle = mysqli_connect(......). I assume you are setting it in db.php, but that could be an issue. Also you should be using bind_param as @Linesofcode suggested so that you are not vulnerable to SQL injection issues. – Severun Sep 14 '15 at 20:22

Create a class that will handle that for you. You're writing too much code.

class users
{
   private $mysqli;

   public function __construct()
   {
       $this->mysqli = new mysqli('localhost', 'root', '', 'yourDatabase');
       $this->mysqli->set_charset("utf8");
   }

   public function isLoginValid($email, $password)
   {
      $query = $this->mysqli->prepare("SELECT email
                                       FROM users
                                       WHERE email = ? AND password = ?");
      $query->bind_param("ss", $email, $password);
      $query->execute();
      $query->store_result();

      return ($query->num_rows >= 1 ? TRUE : FALSE);
   }
}

Now the only thing you need to do is call the class and the function. If (and I hope so) you use files to separate the classes do the following:

require_once('users.php');

$user = new users();

if($user->isLoginValid('stack@stackoverflow.com', '123456') == FALSE)
{
   echo 'Hold on, there was a problem..';
   return;
}

/*
 * 1. Set the session
 * 2. Set the cookie
 * 3. Redirect the user
 */
Linesofcode
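As an added example (not code from the question or from any of the answers), here is a Login.php-style check that combines the three points raised in this thread: a prepared statement instead of string interpolation, a row-count check instead of testing whether the query call itself succeeded, and password_hash()/password_verify() instead of comparing plain-text passwords inside the SQL. It assumes db.php exposes the open mysqli connection as $tf_handle and that the users table has a password_hash column (column name assumed) holding password_hash() output.

```php
<?php
// Added example, not code from the question or its answers.
// Assumes: an open mysqli connection in $tf_handle (from db.php), and a
// `users` table with an `email` column and a `password_hash` column
// (column name assumed) holding password_hash() output, not plain text.
require_once("db.php");
session_start();

function register_user(mysqli $con, string $email, string $password): bool
{
    // password_hash() chooses a salt and a strong algorithm; store its output.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare("INSERT INTO `users` (`email`, `password_hash`) VALUES (?, ?)");
    $stmt->bind_param("ss", $email, $hash);
    return $stmt->execute();
}

function is_login_valid(mysqli $con, string $email, string $password): bool
{
    // Select by email only: the password never becomes part of the SQL text,
    // and bound parameters remove the need for mysqli_real_escape_string().
    $stmt = $con->prepare("SELECT `password_hash` FROM `users` WHERE `email` = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->store_result();

    // A query that succeeds with zero rows is still a truthy result, which is
    // why if($chpassword) in the question always passed. Count the rows instead.
    if ($stmt->num_rows !== 1) {
        return false; // unknown email
    }
    $stmt->bind_result($stored_hash);
    $stmt->fetch();

    // Compare the typed password against the stored hash (timing-safe).
    return password_verify($password, $stored_hash);
}

// Mirrors Login.php's POST handling, with one message for both an unknown
// email and a wrong password so the form does not reveal which one failed.
$error = "";
if (isset($_POST['login'])) {
    if (is_login_valid($tf_handle, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true);        // fresh session id after login
        $_SESSION['email'] = $_POST['email'];
        header("Location: index.php");
        exit;
    }
    $error = "Wrong information";
}
```

Existing rows that still hold plain-text passwords have to be re-hashed (for example at the user's next successful login) before this check will accept them.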