-1

How do I add a login-details confirmation for incorrect credentials? What I want to happen is: when the user enters their credentials and the user ID and password are correct but the user type is wrong, pressing the login button should say "incorrect credentials", and the same goes for the user ID and password if they input the wrong credentials.

    <?php
    include "includes/config.php";

    session_start();
    if(isset($_POST['loginbutton'])){

        $username = $_POST['username'];
        $password = $_POST['password'];
        $usertype = $_POST['usertype'];

        if ($username != "" && $password != ""){

            // look up the account by ID, password and user type
            $sql_query = "SELECT * FROM tbl_useraccounts WHERE employee_id='".$username."' and password='".$password."' and usertype='".$usertype."'";
            $result = mysqli_query($con,$sql_query);
            while ($row=mysqli_fetch_array($result)) {
                // redirect according to the stored user type
                if ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='Admin'){
                    $_SESSION['username'] = $_POST['username'];
                    header('location: home.php');
                }
                elseif ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='SuperAdmin') {
                    $_SESSION['username'] = $_POST['username'];
                    header('location: HomeForSuperAdmin.php');
                }
            }
        }
    }
    ?>
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Nov 27 '20 at 17:38
  • What have you tried so far? The code does not contain any checks for wrong credentials – Nico Haase Nov 27 '20 at 17:39
  • @NicoHaase I have not yet put any code to try if the credentials are incorrect. I am still looking for answers over the internet. – Rappa Ashura Nov 27 '20 at 17:42
  • `if(!password_verify(/* ... */)){ echo 'Invalid credentials';}` – Dharman Nov 27 '20 at 17:43
  • Look at what I have written some time ago https://stackoverflow.com/questions/64175904/maching-users-from-username-to-user-group/64184399#64184399 – Dharman Nov 27 '20 at 17:43
  • @Dharman I have not fully understood your solution because I am still new to PHP. – Rappa Ashura Nov 27 '20 at 18:13

1 Answer

-2

Dharman is correct!

You are wide open to SQL Injections and should use parameterized prepared statements instead of manually building your queries!

If you embed a string in some SQL targeting MySQL, you must escape the string with MySQL's function for this purpose (mysqli_real_escape_string) and trigger a DB query to record the input on a failed login.

Modified code:

    <?php
    include "includes/config.php";

    session_start();
    if(isset($_POST['loginbutton'])){

        $username = $_POST['username'];
        $password = $_POST['password'];
        $usertype = $_POST['usertype'];
        // assume failure until a matching account row is found
        $loginFlag = false;

        if ($username != "" && $password != ""){

            $sql_query = "SELECT * FROM tbl_useraccounts WHERE employee_id='".$username."' and password='".$password."' and usertype='".$usertype."'";
            $result = mysqli_query($con,$sql_query);
            while ($row=mysqli_fetch_array($result)) {
                if ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='Admin'){
                    $_SESSION['username'] = $_POST['username'];
                    header('location: home.php');
                    $loginFlag = true;
                }
                elseif ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='SuperAdmin') {
                    $_SESSION['username'] = $_POST['username'];
                    header('location: HomeForSuperAdmin.php');
                    $loginFlag = true;
                }
                else {
                    $loginFlag = false;
                }
            }
        }
        if($loginFlag == false){
            # mysqli_real_escape_string is used to prevent sql injection in the log insert
            $username = mysqli_real_escape_string($con, $_POST['username']);
            $password = mysqli_real_escape_string($con, $_POST['password']);
            $usertype = mysqli_real_escape_string($con, $_POST['usertype']);
            # query assumes a table named log
            $sql_query = "INSERT INTO log (username, password, usertype, ip_address)
                          VALUES ('$username', '$password', '$usertype', '".$_SERVER['REMOTE_ADDR']."')";
            mysqli_query($con, $sql_query);
        }
    }
    ?>
  • Security is still not in my lessons yet, but this gives me an idea of how SQL injection works. Thank you for putting this in. I still have a problem with how the login will notify the user if they put in the wrong credentials. – Rappa Ashura Nov 27 '20 at 18:23
  • You can return data on the request on login failure and check on the client side, like 200, 420 ... – Ayush Sharma Nov 27 '20 at 20:09
  • That code is still vulnerable to SQL injection - please do not advise to use such vulnerable code, especially if you claim to avoid it – Nico Haase Nov 27 '20 at 22:12
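The following is an added example, not the asker's or the answerer's code, putting together what the question asks for (one "Incorrect credentials" message whether the ID, the password or the user type is wrong) and what the comments recommend (prepared statements and password_verify()). It assumes, as in the question, that includes/config.php provides a mysqli connection in $con and that the form posts username, password, usertype and loginbutton; it further assumes that tbl_useraccounts stores bcrypt hashes from password_hash() in a column named password_hash (the question's clear-text password column cannot be verified this way), and that a table login_log(username, usertype, ip_address, success) exists for recording attempts. Column and table names other than those in the question are hypothetical. Requires PHP 7.1 or later.

```php
<?php
// Added example, not code from the question or the answer. Assumes $con (mysqli)
// from includes/config.php, a password_hash column in tbl_useraccounts and a
// hypothetical login_log table; see the lead-in.
declare(strict_types=1);

include "includes/config.php";
session_start();

// Where each user type lands after a successful login (pages from the question).
const LANDING_PAGES = [
    'Admin'      => 'home.php',
    'SuperAdmin' => 'HomeForSuperAdmin.php',
];

// Returns a hash that no submitted password matches, computed once per process,
// so a lookup for an unknown ID still pays the cost of password_verify().
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Returns the landing page for a valid (username, password, usertype) triple,
 * or null on any failure. Every failure returns the same null, so the caller
 * shows one generic message and does not reveal which part was wrong.
 */
function authenticate(mysqli $con, string $username, string $password, string $usertype): ?string
{
    if ($username === '' || $password === '' || !isset(LANDING_PAGES[$usertype])) {
        return null;
    }

    // Look the account up by ID only; user input never becomes part of the SQL text.
    $stmt = $con->prepare('SELECT password_hash, usertype FROM tbl_useraccounts WHERE employee_id = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash, $storedType);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Verify against the stored hash, or against the dummy when the ID is unknown.
    $passwordOk = password_verify($password, $found ? (string)$storedHash : dummyHash());

    // The user type chosen on the form must match the type stored for the account.
    if (!$found || !$passwordOk || $storedType !== $usertype) {
        return null;
    }
    return LANDING_PAGES[$usertype];
}

/** Records the attempt for later review. The password itself is never written to the log. */
function logAttempt(mysqli $con, string $username, string $usertype, bool $success): void
{
    $stmt = $con->prepare(
        'INSERT INTO login_log (username, usertype, ip_address, success) VALUES (?, ?, ?, ?)'
    );
    $ip = (string)($_SERVER['REMOTE_ADDR'] ?? '');
    $ok = $success ? 1 : 0;
    $stmt->bind_param('sssi', $username, $usertype, $ip, $ok);
    $stmt->execute();
    $stmt->close();
}

$error = '';
if (isset($_POST['loginbutton'])) {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    $usertype = (string)($_POST['usertype'] ?? '');

    $landing = authenticate($con, $username, $password, $usertype);
    logAttempt($con, $username, $usertype, $landing !== null);

    if ($landing !== null) {
        session_regenerate_id(true);      // fresh session ID once the user is authenticated
        $_SESSION['username'] = $username;
        $_SESSION['usertype'] = $usertype;
        header('Location: ' . $landing);
        exit;                             // without exit, the rest of the script still runs after the redirect
    }
    $error = 'Incorrect credentials';
}
?>
<?php if ($error !== ''): ?>
    <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
```

Two design points differ from the answer's approach: the user type is checked in PHP after the hash is verified rather than in the WHERE clause, so a wrong type produces exactly the same message and the same response as a wrong password, and the failed-attempt log stores the attempted ID, type and source address but not the submitted password, since a log of near-miss passwords is itself a sensitive asset.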