Okay, so my problem here is that I'm trying to make a login page for a website and it lets me log in with a wrong username and password. The JS part is the one I think I have a problem with, but here is my code for the 3 things where there may be some problems:

JS on the login.php:

```html
<script type="text/javascript">
$(function(){
  $('#login').click(function(e){

    var valid = this.form.checkValidity();
    if (valid) {
      var username = $('#username').val();
      var password = $('#password').val();
      e.preventDefault();
      // Send the credentials to jslogin.php
      $.post('jslogin.php',
        {
          username: username,
          password: password
        },
        function(data,status){
          if (status === 'success') {
            Swal.fire(
              'Successful',
              'You logged in successfully',
              'success'
            ).then(function() {
              window.location = "index.php";
            })
          }else{
            Swal.fire(
              'Error',
              "We couldn't log you in with what you just entered!",
              'error'
            ).then(function() {
              window.location = "login.php";
            })
          }
        });
    }else {
    }
  })
});
</script>
```

jslogin.php from the ajax command:

```php
<?php
require_once('config.php');

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1";
$stmtselect = $db->prepare($sql);
$result = $stmtselect->execute([$username, $password]);

if ($result) {
    $user = $stmtselect->fetch(PDO::FETCH_ASSOC);
    if ($stmtselect->rowCount() > 0) {
        echo '1';
    }else{
        echo 'there is no user for what you have entered!';
    }
}
else{
    echo 'error at connecting to database';
}
?>
```

config.php from jslogin.php

```php
<?php

$db_user = "root";
$db_pass = "";
$db_name = "user accounts";

$db = new PDO('mysql:host=localhost;dbname=' . $db_name . ';charset=utf8', $db_user, $db_pass);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
```

Dharman
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jan 20 '21 at 19:49
  • I know this is a different topic, but does this answer help you? https://stackoverflow.com/a/65809692/1839439 Basically, you need to remove `if ($result) {` as it will always be true – Dharman Jan 20 '21 at 19:51
  • **WARNING**: Writing an access control layer is not easy and there are many opportunities to get it severely wrong. Any modern [development framework](https://www.cloudways.com/blog/best-php-frameworks/) like [Laravel](http://laravel.com/) comes with an [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman Jan 20 '21 at 19:54
  • If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](https://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files. – tadman Jan 20 '21 at 19:54
  • Also, this should explain your problem: https://stackoverflow.com/questions/11974613/pdo-php-check-if-row-exist – Dharman Jan 20 '21 at 19:56

1 Answer

It's always "success" because the response code is 200. You need to modify your PHP so it sends a different status code (like 401) when the credentials are wrong. See https://www.php.net/manual/en/function.http-response-code.php

SameOldNick
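
A hardened version of the jslogin.php check along the lines the comments and the answer describe, added here as an example and not code from the question or the answer: it verifies a `password_hash()` value with `password_verify()` and sends 401 on failure. The `password_hash` column name, the `loginStatus()` helper, the JSON body and the in-memory SQLite demo data are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a `users` table whose
// `password_hash` column (hypothetical name) stores password_hash() output.

/** Returns the HTTP status the endpoint should send: 200, 400 or 401. */
function loginStatus(PDO $db, $username, $password): int
{
    if (!is_string($username) || !is_string($password) || $username === '') {
        return 400; // missing or array-valued POST fields
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when no such user

    // Unknown users are checked against an unguessable dummy hash so both
    // failure paths cost the same and return the same 401.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);
    return ($row !== false && $ok) ? 200 : 401;
}

// Constructed demo data in an in-memory SQLite database so the file runs
// offline; the real endpoint would use $db from config.php instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    // Command-line run with constructed credentials.
    foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'x']] as [$u, $p]) {
        printf("%s -> %d\n", $u, loginStatus($db, $u, $p));
    }
} else {
    $status = loginStatus($db, $_POST['username'] ?? null, $_POST['password'] ?? null);
    if ($status === 200) {
        session_start();
        session_regenerate_id(true); // new session ID once authenticated
        $_SESSION['username'] = $_POST['username'];
    }
    http_response_code($status); // 401 keeps jQuery out of the success callback
    header('Content-Type: application/json');
    echo json_encode(['ok' => $status === 200]);
}
```

With a 401 response jQuery does not run the `$.post` success callback at all, so the error alert belongs in a `.fail()` handler. index.php still has to check `$_SESSION` itself, because the redirect in the browser is not access control.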