1

I am trying to authenticate a user in a MySQL database. I have tried so many tutorials, only to fail every time. I am pasting my code below. I don't care about security or SQL injection right now; I am just trying to get this to work so I can go on to my next requirement. If anybody has any links to a GOOD PHP/HTML5 login authentication tutorial, then please share. I was easily able to create a registration form, but this login form is really giving me difficulties.

    $id = $_POST['Id'];
    $password = $_POST['password'];
    $accessdb = "SELECT * from UserData where Id ='$id' and password ='$password";
    $authenticate = mysqli_query($conn, $accessdb);
    if (mysqli_num_rows($authenticate) == 1) {
        session_start();
        $_SESSION['auth'] = 'true';
        header('location: Profile.php');
    }
    else {
        echo "Wrong log-in credentials";
    }

Drizzle53
  • 1
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jun 24 '16 at 15:31
  • 1
    **Danger**: "Not hashing at all" is [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php); you need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Jun 24 '16 at 15:32
  • 5
    He states he doesn't care about security or sql injections @Quentin – Luke Garrigan Jun 24 '16 at 15:33
  • 1
    Protecting against SQL injection problems also protects against other kinds of failure. Care about these things up front. Learning how to do something wrong is a waste of time. – Quentin Jun 24 '16 at 15:36
  • 5
    It doesn't matter how you _feel_ is the best way to learn, Andy has a problem with his code and needs help with it. Your comments are worthless and unnecessary. You're just reiterating exactly what he didn't want in his comment section. @Quentin – Luke Garrigan Jun 24 '16 at 15:38
  • "If anybody has any links to a GOOD php/html5 login authentication tutorial then please share" — Requests for off-site resources are off-topic on Stackoverflow. – Quentin Jun 24 '16 at 15:42
  • "this login form is really giving me difficulties" — You forgot to tell us what difficulties those were. – Quentin Jun 24 '16 at 15:43
  • @Fubar — Implementing standard defences against SQL injection could well fix the problem. It isn't a waste of time. – Quentin Jun 24 '16 at 15:44
  • Never said it was a waste of time? Give me an example of when implementing SQL injection defences could fix an authentication issue. @Quentin – Luke Garrigan Jun 24 '16 at 15:45
  • @Fubar — Where one of the submitted values includes a character with special meaning in SQL. Implementing the standard defences will cause it to be treated as data instead of an SQL special character. For example, if the password contained an apostrophe. – Quentin Jun 24 '16 at 15:46
  • Well of course, but do you really think that's going to be the underlying problem with his current code? I doubt it.. @Quentin – Luke Garrigan Jun 24 '16 at 15:48
  • @Fubar — It's possible, and it would do no harm. As I implied before, the question is unanswerable since it doesn't say what the problem is. – Quentin Jun 24 '16 at 15:49
  • The if-else statement always echoes "wrong log-in credentials" – Drizzle53 Jun 24 '16 at 15:50

2 Answers

0

First of all, session_start() should be the very first thing on your page and should be on all the pages you want your user authenticated to get access to.

Then, you need to correct your query $accessdb like so:

    $accessdb = "SELECT * FROM userdata WHERE id = {$id} AND password ='{$password}'";

NB: not sure if $id is a number. If it's not, then do: '{$id}' instead of {$id}.

Nicholas Kajoh
  • "First of all, session_start() should be the very first thing on your page" — generally good advice, but since there is no sign of anything which generates output before it, irrelevant. – Quentin Jun 24 '16 at 15:40
  • `$accessdb = "SELECT * FROM userdata WHERE id = {$id} AND password ='{$password}'";` — That change is pointless. Standard interpolation rules give the same result either way. The only significant thing you've done there is remove the `'` around the id value, which will break it if the id isn't a number. – Quentin Jun 24 '16 at 15:40
  • Oh, and you've changed the case of the table name, which might also break it since table names are case sensitive on some platforms. – Quentin Jun 24 '16 at 15:41
  • @Quentin - I know, I just did that due to preference. The point is the curly braces `{...}`. – Nicholas Kajoh Jun 24 '16 at 15:43
  • As I said, the curly braces make no difference whatsoever. – Quentin Jun 24 '16 at 15:44
  • `$foo = "testing"; if ("1 $foo 1" == "1 {$foo} 1") { echo "No difference"; }` – Quentin Jun 24 '16 at 15:45
  • Password is a number. Id is the username, so it can be any character – Drizzle53 Jun 24 '16 at 15:49
  • Okay, use `'...'` for string input. – Nicholas Kajoh Jun 24 '16 at 15:50
0
    session_start(); // must run before $_SESSION is written
    // $conn is the mysqli connection opened earlier in the script
    $id = $_POST['Id'];
    $password = $_POST['password'];
    $user = "SELECT * FROM UserData WHERE Id ='$id'";
    $authenticate = $conn->query($user);
    $row = $authenticate->fetch_assoc();
    // No row means an unknown Id; treat it like a failed password check
    $hash_password = $row ? $row['password'] : '';
    $hash = password_verify($password, $hash_password);
    if (!$hash) {
        // No echo here: output sent before header() stops the redirect
        header('Location: LogIn.php');
        exit();
    }
    else {
        $accessdb = "SELECT * FROM UserData WHERE Id ='$id'
        AND    password = '$hash_password'";
        $authenticate = $conn->query($accessdb);
        if (!$row = $authenticate->fetch_assoc()) {
            echo "Your username is incorrect, Re-enter CREDENTIALS";
        }
        else {
            $_SESSION['id'] = $id;
            header('Location: Profile.php');
            exit();
        }
    }

Drizzle53
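
The point raised in the comments (an apostrophe in a submitted value breaks the interpolated query, while the standard defence treats it as data), combined with the `password_verify()` check from the answer above, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite table and a constructed user so it runs without a MySQL server; the function names are hypothetical.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for
// the MySQL UserData table so the script runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE UserData (Id TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration side: store a password_hash() value, never the plain password.
$insert = $db->prepare('INSERT INTO UserData (Id, password) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash("it's-a-secret", PASSWORD_DEFAULT)]);

// Interpolated query, as in the question: the apostrophe in the Id ends the
// SQL string early, so the statement no longer parses.
function login_interpolated(PDO $db, string $id): bool
{
    try {
        $rows = $db->query("SELECT * FROM UserData WHERE Id ='$id'")->fetchAll();
        return count($rows) === 1;
    } catch (PDOException $e) {
        return false; // SQL syntax error: this user can never log in
    }
}

// Prepared statement: the submitted Id is bound as data, then the stored
// hash is checked with password_verify().
function login_prepared(PDO $db, string $id, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM UserData WHERE Id = ?');
    $stmt->execute([$id]);
    $hash = $stmt->fetchColumn(); // false when no row matches the Id
    return is_string($hash) && password_verify($password, $hash);
}

// Same registered user through both code paths.
var_dump(login_interpolated($db, "o'brien"));              // interpolated lookup
var_dump(login_prepared($db, "o'brien", "it's-a-secret")); // correct password
var_dump(login_prepared($db, "o'brien", 'wrong'));         // wrong password
var_dump(login_prepared($db, 'nobody', 'x'));              // unknown Id

// In a web request, a successful login_prepared() would be followed by:
// session_start(); session_regenerate_id(true);
// $_SESSION['id'] = $id; header('Location: Profile.php'); exit();
```

With mysqli the same shape is `$conn->prepare(...)`, `bind_param('s', $id)`, `execute()` and `get_result()`.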