-2
<?php

session_start();
include_once 'dbconnect.php';

if (isset($_SESSION['user']) != "") {
    header("Location: home.php");
}
if (isset($_POST['btn-login'])) {
    $email = mysql_real_escape_string($_POST['email']);
    $upass = mysql_real_escape_string($_POST['pass']);
    $res = mysql_query("SELECT * FROM telecomt_user WHERE email='$email'");
    $row = mysql_fetch_array($res);
    if ($row['password'] == md5($upass)) {
        $_SESSION['user'] = $row['user_id'];
        header("Location: home.php");
    } else {
        ?>
        <script>alert('wrong details');</script>
        <?php

    }
}
?>

This is my code for fetching data from the database to let the user log in by email and password. My table name is "telecomt_user".

<form method="post">
    <table align="center" width="30%" border="0">
        <tr>
            <td><input type="text" name="email" placeholder="Your Email" required />  </td>
        </tr>
        <tr>
            <td><input type="password" name="pass" placeholder="Your Password" required /></td>
        </tr>
        <tr>
            <td><button type="submit" name="btn-login">Sign In</button></td>
        </tr>
        <tr>
            <td><a href="register.php">Sign Up Here</a></td>
        </tr>
    </table>

</form>

And this is my HTML form code. The code works fine on localhost, but when I uploaded it to my server it does not work. It always executes this line:

<script>alert('wrong details');</script>

Is it a problem in my database? But I am using the same name and pattern that I used on my localhost, and my sign-up form also works with the same database. My "dbconnect.php" file is also okay. What is the problem?

bg17aw
M0GLI
  • 2
    mysql_* functions are deprecated in PHP 5, and COMPLETELY REMOVED in PHP 7. The reason for this is the mysql_* functions were no longer maintained, were out of date, only intended to work with versions of mysql that have been end-of-lifed, and horribly insecure. You need to switch to a more modern mysql interface library. – GordonM Jun 07 '16 at 10:02
  • If you put $email=$_POST['email']; and the pass too, what do you get? – Fahmi B. Jun 07 '16 at 10:03
  • What can I use instead of mysql_*? Please suggest. – M0GLI Jun 07 '16 at 10:19
  • use `var_dump($_POST)` on the top of your code to make sure you get the form, and post the content of `dbconnect.php` file as well. You should also have a `var_dump($row)` to make sure your query actually works. – bg17aw Jun 07 '16 at 10:20
  • If I put $email=$_POST['email']; and the password too, I got the same line executing, error: wrong details. – M0GLI Jun 07 '16 at 10:24
  • 1
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 07 '16 at 12:01
  • 1
    Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 07 '16 at 12:02
  • 1
    You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 07 '16 at 12:03
  • Have you checked your error logs for the *actual* error? You're making an assumption the query is working. Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jun 07 '16 at 12:05
  • When I changed my mysql text type from VARCHAR to TEXT, it started working – M0GLI Jun 08 '16 at 14:10
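
The approach the comments above point to (a prepared statement instead of string-built SQL, and PHP's built-in password hashing instead of MD5), shown as an added example that is not part of the original thread. The helper name `verify_login`, the in-memory SQLite database standing in for the MySQL server, and the sample account are assumptions made for illustration; the table and column names are the ones from the question.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.5 with pdo_sqlite;
// an in-memory SQLite database stands in for the MySQL server so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // query errors throw

// Table and column names follow the question; 255 characters leaves room for
// password_hash() output, which is longer than a 32-character MD5 hex digest.
$pdo->exec('CREATE TABLE telecomt_user (
    user_id  INTEGER PRIMARY KEY,
    email    VARCHAR(255) UNIQUE NOT NULL,
    password VARCHAR(255) NOT NULL)');

// Constructed sample account (what a registration page would store).
$ins = $pdo->prepare('INSERT INTO telecomt_user (email, password) VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash("it's a secret", PASSWORD_DEFAULT)]);

/** Hypothetical helper: returns the user_id on success, null otherwise. */
function verify_login(PDO $pdo, $email, $password)
{
    // The email travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, password FROM telecomt_user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no such email

    // Check $row explicitly: count(false) is 1 on PHP 5, so a count() test passes
    // with no matching row. The raw, unescaped password goes to password_verify().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed inputs: correct login, wrong password, quote-laden email value.
var_dump(verify_login($pdo, 'alice@example.com', "it's a secret"));
var_dump(verify_login($pdo, 'alice@example.com', 'wrong'));
var_dump(verify_login($pdo, "' OR '1'='1", 'x'));

// Call site in the login page (sketch):
//   $id = verify_login($pdo, $_POST['email'], $_POST['pass']);
//   if ($id !== null) { session_regenerate_id(true); $_SESSION['user'] = $id;
//                       header('Location: home.php'); exit; }
```

The `exit` after `header()` in the call-site sketch stops the rest of the page from running once the redirect header has been queued.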

3 Answers

-1

Instead of $row['password'], can you try to type the column of the password in the string, for example $row[0] (if the password column is the first column)?

-1

I think you have to put a breakpoint in each condition, like

if(your condition){
  echo "something";exit;
}else{
  echo "nothing";exit;
}

-2

Better to do checking on query only email and password

$res=mysql_query("SELECT * FROM telecomt_user WHERE email='$email' AND password='md5($upass)'");
$row=mysql_fetch_array($res);

Now condition login or not

if(count($row)>=1){
//login
}else{
// credentials wrong message
}
srinivas
  • $res=mysql_query("SELECT * FROM telecomt_user WHERE email='$email' AND password='md5($upass)'"); $row=mysql_fetch_array($res); if(count($row)>=1) { $_SESSION['user'] = $row['user_id']; header("Location: home.php"); } else {....} Used this way, now it is not showing the error line but does not log in. It remains on the same page index.php but it is supposed to go to home.php – M0GLI Jun 07 '16 at 10:17
  • ob_start(); please keep this tag at the top of the document. It will definitely redirect for sure. – srinivas Jun 07 '16 at 10:20