-1

I've been stuck on this issue for 3 days now. I'm trying to make a login form (I've already created a register form) and the database is working too. But now while I'm trying to make the login form, I've noticed that PHP only takes the last row from the database.

1

As you can clearly see in the first picture, my database has 3 records.
But when I try to log in on my account, it only lets me log in to the most recently created account, and not the others. Here's my current code:

<div class="login-form">
    <form method="POST">
        <p style="float:left;">
            <input type="email" class="login-input" maxlength="40" name="login-email" id="login-email" placeholder="email" required><span style="color: red;">&nbsp;*</span><br><br>
             <input type="password" class="login-input" maxlength="32" name="login-passw" id="login-passw" placeholder="password" required><span style="color: red;">&nbsp;*</span><br><br>
             <input type="submit" class="btn" name="login-btn">
         </p>
         <?php
         $email = $_POST["login-email"];
         $passw = $_POST["login-passw"];
         $encrypted_passw = md5($passw);

         $sql = "SELECT id, email, passw FROM users";
         $result = $db->query($sql);

         // if (isset($_POST["login-btn"])) {
         //     if ($_POST["login-email"] == $result["email"]) {
         //         echo "<p>Logged in</p>";
         //     } else {
         //         echo "<p>wrong</p>";
         //     }
         // }
         while ($row = $result->fetch_assoc()) {
             $get_email = $row["email"];
             $get_usr = $row["username"];
             $get_passw = $row["passw"];
         }

         if (isset($_POST["login-btn"])) {
             if ($_POST["login-email"] == $get_email && $encrypted_passw == $get_passw) {
                 echo "<p>Logged in</p>";
             } else {
                 echo "<p> wrong</p>";
             }
        }
        ?>
    </form>
</div>
jrswgtr
  • 2,287
  • 8
  • 23
  • 49
NikkieDev
  • 236
  • 3
  • 12
  • 2
    I know you're excited, but please try to keep your language under control. Think of Stack Overflow as more like Wikipedia than like Reddit. – Suraj Rao Dec 11 '21 at 13:10
  • 3
    Change your logic to do a lookup on the email address. ‘Where email=provided-email’. Then check the supplied password and email match. You are currently iterating through each row and overwriting get_email each time hence why when you do the comparison it’s comparing the last result – atoms Dec 11 '21 at 13:27
  • 1
    Please please [please read this](https://www.php.net/manual/en/faq.passwords.php) about password hashing. md5-hashed passwords are almost as easy to hack as unhashed passwords. – O. Jones Dec 11 '21 at 14:06
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Dec 12 '21 at 23:43

3 Answers3

2

Try this. First of all I would place the php code above the HTML.

You only need to listen the post param login-btn. Read the other post data into vars and confirm its there before proceeding.

When you poll the DB you dont need to read every record (imagine you have thousands of records, you wouldn't want to pull them all down). Just filter for the supplied email with a where clause.

If the email exists it will return a result with the hashed password. Verify this matches and you are good to go.

The issue you're having where the last record in the db is beiung used is becuase in your loop, you are overwriting the var $get_email each time.

<?php
if (isset($_POST["login-btn"])) {

    $email = (isset($_POST["login-email"]) ? $_POST["login-email"] : '');
    $passw = (isset($_POST["login-passw"]) ? $_POST["login-passw"] : '');

    if($email != "" && $passw != ""){

        $encrypted_passw = md5($passw);    

        $mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
        $stmt = $mysqli->prepare("SELECT email, passw FROM users where email = ?");
        $stmt->bind_param($email);
        $stmt->execute();

        while ($row = $result->fetch_row()) {

            $get_passw = $row["passw"];

            if($encrypted_passw == $row['passw']){
                echo "logged in";
            }else{
                echo 'no match';
            }
        }
    }
}    
?>

<div class="login-form">
    <form method="POST">
        <p style="float:left;">
            <input type="email" class="login-input" maxlength="40" name="login-email" id="login-email" placeholder="email" required><span style="color: red;">&nbsp;*</span><br><br>
            <input type="password" class="login-input" maxlength="32" name="login-passw" id="login-passw" placeholder="password" required><span style="color: red;">&nbsp;*</span><br><br>
            <input type="submit" class="btn" name="login-btn">
        </p>
    </form>
</div>
atoms
  • 2,993
  • 2
  • 22
  • 43
-1

Gottem! I was using array's instead of values

<?php            
session_start();
include_once "../php/db_connect.php";
            if (isset($_POST["login-btn"])) {
                
                $email = $_POST["email"];
                $passw = $_POST["passw"];
                $encrypted = md5($passw);
                
                $sql = "SELECT * FROM users WHERE email = '". $email ."'";
                $result = $db->query($sql);
                $get_result = $result->fetch_assoc();

                if ($encrypted == $get_result["passw"]) {
                    echo "<p>Logged in!</p>";
                    $_SESSION["username"] = $get_result["username"];
                    $_SESSION["id"] = $get_result["id"];
                    $_SESSION["email"] = $get_result["email"];
                    Header("Location:../../../");
                } else {
                    echo "<p>Error</p>";
                }
            }
            ?>
NikkieDev
  • 236
  • 3
  • 12
  • try putting this in the email field and submitting the form. It will delete everything in the table. You can't build applications with holes in like this. Read up about sql injection. `'; TRUNCATE users;` – atoms Dec 12 '21 at 15:34
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Dec 12 '21 at 23:44
  • People, they can't use Truncate users in the email field as it's set as a required email input and thus requires an @ to be present – NikkieDev Dec 13 '21 at 15:56
  • But to calm all of you down, I've changed it to an STMT statement – NikkieDev Dec 13 '21 at 17:19
-2

change your query to this

"SELECT id, email, passw FROM users where email='".$row["email"]."' and password= '".$row["password"]."'"

you do not need to use foreach for all rows this query return only one row that you need

Reza
  • 7
  • 3