1

I have been trying my best at the review and pursue section for chapter 15 of Larry Ullman's PHP and MySQL book 4th edition, login_ajax.php, where it said:

Modify login_ajax.php so that it uses a database to confirm successful login.

This is what I've tried so far, whatever I do, the response I get seems to always be "INCORRECT" and then the ajax script never logs me in.

My code so far:

<?php

if (isset($_GET['email'], $_GET['password'])){

$email = $_GET['email'];
$password = $_GET['password'];

// Need a valid email address:
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {

    // must match specific values:
    // This values will be gotten from a database

    require('../mysqli_connect.php');

    // retrieve from database

    $q = "SELECT email, pass FROM users WHERE email = '$email'LIMIT 1";

    // run the query
    $r = @mysqli_query($dbc, $q);


    //$check_email = "";
    //$check_pass = "";

    /*while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {

        $check_email = $row['email'];
        $check_pass = $row['pass'];

    }*/   // if the email and password match those in database

    //if (($email == $check_email && $password == $check_pass)) {
    if (mysqli_num_rows($r) > 0) {

        echo 'CORRECT';


    } else {

        echo 'INCORRECT';
    }



    mysqli_close($dbc);


    /*    if(($_GET['email'] == '[email protected]') && ($_GET['password'] == 'testpass')){

            //Set a cookie, if you want, or start a session.
            // indicate  success:
            echo 'CORRECT';

        }else{// mismatch

            echo'INCORRECT';
        }*/
}else{ // invalid email

    echo 'INVALID_EMAIL';
}

}else{ // missing one of the two variables

echo 'INCOMPLETE';

}

It contains my different tries.

Improve this question
6
  • 6
    Need space before limit '$email' LIMIT 1"; Better use prepare statement. Remove @ before mysqli_query Commented Aug 3, 2017 at 13:01
  • 1
    remove @ sign from @mysqli_query so that you can see when your query has errors Commented Aug 3, 2017 at 13:02
  • An aside, use the password API and stop using plain test passwords. Commented Aug 3, 2017 at 13:04
  • try using checking isset method for both in diff case. if(isset($_POST['email']) && isset($_POST['password'])) Not sure though. Commented Aug 3, 2017 at 13:11
  • thanks gonna try your suggestions @Saty and give feedbacks Commented Aug 3, 2017 at 13:56

3 Answers 3

Reset to default
3

First of all, I would never use GET to commit a password for security reason. To check, if a password is correct, I would suggest to use the php function password_hash() and password_verify() to store the passwords not in plain text.

But to answer your origin question: To see the errors of your query, simply remove the "@" sign in front of your query. I would also add a space before the "LIMIT" statement.

If it still doesn't work correctly, try to get the mysqli error and post it.

Good luck :)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

just hearing about those functions for the firsty, password_hash()and password_verify(), will sure look up on them, thanks for your suggestions @MarvinX
thanks a million, it finally worked with your suggestions, i'm quite new to all these but gonna give password security and try @MarvinX
1

you only check email but you also check your password field

if email is correct so user will login with wrong password

try this query

$q = "SELECT email, pass FROM users WHERE email = '$email' and password = '$password' LIMIT 1";

and space between $email and LIMIT

or

remove @ from mysqli_query so its give error for better understaning

Improve this answer

1 Comment

thanks for the headsup about the password check, gonna add that, the script finally worked with the suggestions to limit and @
0

You didn't show the HTML, but I will try to answer with what you gave me.

  1. Add a space between '$email' and LIMIT

  2. Make sure you have data in the database.

  3. Double check the HTML where you set the name attribute in the form and be sure it matches the $_GET[] name.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.