
I have a simple admin panel on my site, where you can get access by entering your username and password. But for some reason it does not work. What could be the problem?

validate.php:

```php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    $sql = $connection->prepare("SELECT login, password FROM adminpanel WHERE login=? AND password=?");
    $login = $_POST['login'];
    $password = $_POST['password'];
    $sql->bind_param('ss', $login, $password);
    $sql->execute();

    if ($sql->num_rows == 1) {
        $_SESSION['user'] = $login;
        header('location: ../admin.php');
    } else {
        $_SESSION['logwarning'] = 'Wrong login or password!';
        header('location: ../login.php');
    }
    $connection->close();
}
```

login.php:

```php
<form action="configs/validate.php" method="POST">
  <img class="mb-4" src="img/main/logo.png" alt="Logo" width="90">

  <input type="text" name="login" value="<?= $_POST['login'] ?? ''; ?>" id="inputLogin" class="form-control mb-1" placeholder="Login" required="" autofocus="" autocomplete="on">

  <input type="password" name="password" id="inputPassword" class="form-control mt-1" placeholder="Password" required="" autocomplete="on">
  <input type="hidden" name="token" value="<?= $_SESSION['token']; ?>">
  <button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button>
</form>
```

Also, in case of an indefinite attempt to enter data, I want the entered name value (login field) not to disappear. I added this value there from the $_POST variable, but for some reason it is not saved.

- **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Feb 15 '21 at 21:21
- Remove `if($sql->num_rows == 1){` – Dharman Feb 15 '21 at 21:22
- If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection – Dharman Feb 15 '21 at 21:22
- Next time, please just search "mysqli prepared statement num_rows". We have plenty of answers already that solve this problem – Dharman Feb 15 '21 at 21:24
- @Dharman, I only use it for the admin panel, the site does not have an authorization / registration system. The administrator will enter the password into the database himself. Shouldn't I do that anyway? – Hi_TecH Feb 15 '21 at 21:24
- Even so, you should not do it this way. This is very error prone and unnecessary. You should never store passwords on the server, doesn't matter what these passwords are. Use `password_hash()` as it is simple and solves many problems. – Dharman Feb 15 '21 at 21:25
- Then how do I manually enter the encrypted password? Or should I now create an authorization system for the admin? But if someone finds a link to authorization, the administrator will need to add a field, for example 'role', where to enter the value manually in the database? – Hi_TecH Feb 15 '21 at 21:28
- You should never encrypt passwords either. You should only store hashes of passwords. You can generate a password hash and then enter it into the database as you would any other value. [See here what is the sample output of password_hash](https://3v4l.org/GnJ4k) – Dharman Feb 15 '21 at 21:30
- Thank you, I will try to figure it out. I also wanted to ask, is there a performance difference between mysqli and PDO? – Hi_TecH Feb 15 '21 at 21:33
- There is a negligible performance difference. You will never notice it though. For all intents and purposes, you can assume they are the same in terms of performance. PDO is better because it has easier syntax and you won't be making mistakes like this with PDO. – Dharman Feb 15 '21 at 21:35
- On my second question, can you assume why the 'login' field value is not saved on the 'submit' event? – Hi_TecH Feb 15 '21 at 21:43
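The following is an added example (not the asker's code and not an answer from the thread) showing a `validate.php` rewritten along the lines the comments recommend: it drops the `num_rows` check, which is always 0 on a mysqli prepared statement unless `store_result()` was called first, and it compares the submitted password against a `password_hash()` value with `password_verify()` instead of matching a plaintext password in SQL. It also addresses the second question: after `header('Location: ...')` the browser issues a fresh GET for `login.php`, so `$_POST['login']` is empty there; the typed login is carried over in the session instead. It assumes `session_start()` is callable here, `$connection` is a working `mysqli` object, `login.php` stores a CSRF token in `$_SESSION['token']` (the form already posts it as `token`, but the original `validate.php` never checks it), and the `adminpanel.password` column holds the output of `password_hash()`. The session key `old_login` is a name chosen for this example.

```php
<?php
// Added example: hardened validate.php. Assumes $connection is a mysqli
// object created before this point and that login.php set $_SESSION['token'].
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: ../login.php');
    exit;                                  // always stop after a redirect header
}

$login    = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
$token    = $_POST['token'] ?? '';

// $_POST does not survive the redirect back to login.php, so keep the typed
// login in the session ('old_login' is an example key) for the form to re-display.
$_SESSION['old_login'] = $login;

// Reject submissions whose token does not match the one issued with the form;
// hash_equals() compares in constant time.
if ($token === '' || !isset($_SESSION['token']) || !hash_equals($_SESSION['token'], $token)) {
    $_SESSION['logwarning'] = 'Invalid form token, please try again.';
    header('Location: ../login.php');
    exit;
}

// Fetch only the stored hash; the password is never part of the SQL comparison.
$stmt = $connection->prepare('SELECT password FROM adminpanel WHERE login = ?');
$stmt->bind_param('s', $login);
$stmt->execute();
$stmt->bind_result($hash);
$found = $stmt->fetch();   // true when a row was returned, null when none
$stmt->close();

if ($found === true && password_verify($password, $hash)) {
    session_regenerate_id(true);   // fresh session id after login (session fixation defence)
    unset($_SESSION['old_login']);
    $_SESSION['user'] = $login;
    header('Location: ../admin.php');
    exit;
}

// One message for both "unknown login" and "wrong password", so the response
// does not reveal which accounts exist.
$_SESSION['logwarning'] = 'Wrong login or password!';
header('Location: ../login.php');
exit;
```

To seed the admin row by hand, as discussed in the comments, generate the hash once (for example `php -r 'echo password_hash("the-password", PASSWORD_DEFAULT), PHP_EOL;'`) and store that string in the `password` column like any other value. In `login.php` the login field would then read `value="<?= htmlspecialchars($_SESSION['old_login'] ?? '') ?>"` (and the hidden token likewise through `htmlspecialchars()`), with `unset($_SESSION['old_login'])` after rendering, so the typed login reappears after a failed attempt without being echoed unescaped into the page.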

0 Answers