0

I have a problem with my login form, because if I put some text in password field and empty in the user/email field it the form will execute and redirect to index page.

this the site http://www.itbotics.com/login.php

other validations is ok, I just want to make it safe. thanks

this is my code

                    if ($user == $email && $pass = $password) {
                        session_start();
                        $_SESSION['mysesi'] = $name;
                        $_SESSION['user'] = $user;
                        echo "<script>window.location.assign('index.php')</script>";
                    } elseif (empty($email) || empty($password)) {
                        ?>
                        <div class="alert alert-danger alert-dismissible" role="alert">
                            <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">×</span><span class="sr-only">Close</span></button>
                            <strong>Warning!</strong> Please fill out all fields.
                        </div>
                        <?php
                    } else {
                        ?>
                        <div class="alert alert-danger alert-dismissible" role="alert">
                            <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">×</span><span class="sr-only">Close</span></button>
                            <strong>Warning!</strong> Incorrect combination of Email Address and Password.
                        </div>
        <?php
    }
}
Improve this question
6
  • I assume that you don't have required attributes in your form, so $user==$email can be equal && $pass=$password will always be equal because its an assignment Commented Jun 15, 2016 at 3:29
  • I sorry I will update the code because the $user and $pass is the data from the database Commented Jun 15, 2016 at 3:32
  • 1
    Another assumption. If you are using database , then there is no need to check if provided email and password are empty coz anyway database query will fail. And you might consider it doing before searching database or at client side Commented Jun 15, 2016 at 3:41
  • Now I realize, thanks a lot sir Commented Jun 15, 2016 at 3:43
  • its perfectly working now...thanks Commented Jun 15, 2016 at 3:50

3 Answers 3

Reset to default
2

I got it, maybe solution of your problem is here

if ($user == $email && $pass = $password) {

It should be: 

if ($user == $email && $pass =**=** $password) {
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Use &&(and) instead of ||(or)

Here

use this elseif (empty($email) && empty($password))

instead of elseif (empty($email) || empty($password))

Because in your condition if user enter any of the one either username or password then your condition become true.

So you have to use &&(AND) operator instead of ||(OR)

Improve this answer

Comments

0

Change

 if ($user == $email && $pass = $password)

to 

if ($user == $email && $pass == $password)

You already got your answer but here are few suggestions that may be good for you.

Do basic form validation all client side like

<input type="email" required >

Will do email validation for you

<input type="password" required minlength="6" >

Will take password of min length 6 character. You don't have to check it. Also "required" field makes sure that user can left those fields blank. HTML5 browser are required for those but I think most of the world have it.

In your php, do input validation before you execute database queries.

Improve this answer

2 Comments

but using required can be edit by user through inspect element. also the password is auto generated by the system
I didn't mean that you should have only that. Its a layer of validation. Most of the basic users don't do this kind of inspect elements things. For those who do, you are also checking validation in php. So not a problem. Just try to use browsers feature to make your life easy

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.