0

I am trying to make a login form with php and mysql and failed from past 3 days.

I have basically php form and on the same page the scripting for logging the user into the website.

form.php

<form id="superAdminForm" method="post" action="">
   <input type="email" name="email" required class="txtInput" placeholder="Email..." autocomplete="off"/> <br />
   <input type="password" name="password" required class="txtInput" placeholder="Password..."/> <br />
   <input type="submit" name="submit" value="Enter" id="submit" />
</form>

php code for form.php

<?php
    require("../php_includes/db-connect.php");

    if (isset($_POST["submit"])) {
        $email = $_POST["email"];
        $password = $_POST["password"];

        $sql = "SELECT * FROM users WHERE email='$email' AND password='$password' LIMIT 1";
        $query = mysqli_query($con, $sql);

        $row = mysqli_fetch_array($query);

        if ($row['email'] == 1) {
            header("Location: admin-index.php");
        }
    }

    mysqli_close($con);

?>

The problem is that the login is not getting successfull. I don't know the reason behind it. So please help me in this. Also guide me where I am making mistakes.

I am new in PHP and am trying my best to cope up with my knowledge.

Improve this question
4
  • 2
    Your code is vulnerable to SQL injections !! Commented Sep 17, 2013 at 15:48
  • what does the select return ? Commented Sep 17, 2013 at 15:49
  • Agreed. I refrained from saying so in my answer, but I'd suggest looking into PDO for PHP (there are countless debates on the best way to handle PHP/database interaction, but that is my personal favorite) Commented Sep 17, 2013 at 15:50
  • You will also need to use php's sessions for this to work properly Commented Sep 17, 2013 at 15:50

3 Answers 3

Reset to default
1

1.. Talking about security

your code is vulnerable to sql injection so even if it will work its not useful

enter image description here

^^ source

' or '1'='1' /* ' will do magic

so either use mysqli_real_escape_string function For manually escaping special characters in string or Use prepared statements and parameterized queries(Recommended).

2.. email='$email' AND password='$password' LIMIT 1";

so why not email should be unique or check when login that email is already exist or not and if exist than show the error message like (Email already exist)

so you wont need to use limit 1 which really makes no sense

3.. Why are you not setting login id or something in SESSION so that you can determine that use is logged in

your above login script does nothing it just check weather the email and password is present in database or not

4.. plan text as password is really bad idea instead use Hashing check this How do you use bcrypt for hashing passwords in PHP?

Good Read

  1. How can I prevent SQL injection in PHP?
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

@Mehul Bawadia check those videos Password Storage (And Hacking) in PHP and Password Hashing in PHP
@Freelancer there is always xkcd for everything ;)
1

I think that what you need to do is to separate your view logic from your authentication logic. Move the PHP block into its own file, and set the action parameter of your form to that file (relative location).

This is because all of that php code is interpreted by the server before being sent to the client, and so this form can't actually utilize that PHP logic in the same page.

You'll also probably want to write a fallback in case authentication fails that will redirect you back to the login page (or wherever you'd like), otherwise the user will be left with a white screen.

EDIT

As stated by others, you should look into security and especially hooking into $_SESSIONs. Your code is also going to need some work. I don't think $row['email'] == 1 will ever be true, and so your script will fail and ultimately do nothing. Again, add an else statement to handle authentication failure.

As far as a fix, I'd suggest comparing $row['email'] == $email in the if, but that would also make the email check in your SQL query redundant. I'd suggest restructuring your logic.

Improve this answer

2 Comments

I did as you said, but am getting a blank screen, what to do now ?
Updated answer for ya
0 
rows=mysqli_num_rows( $query);
if ($rows == 1) {
     header("Location: admin-index.php");
}

You are comparing an array to an int,use the code above.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.