I'm super confused, my code outputs this:
posted login: login
posted password: pass
database login: login
database pass: pass
database id: 1
database user: IDKMyName
database creator: True
database admin: True
database master: True
failed
Main part is the last line "failed", it should say logged in go. The posted user and database user is the same and posted pass is same so idk.
ps. the echos are just there for debugging not going to be in final code.
<?php
session_start();
$db_login = "";
$db_pass = "";
$db_id = "";
$db_user = "";
$db_creator = "";
$db_admin = "";
$db_master = "";
$servername = "localhost";
$username = "root";
$password = "";
$database = "main_db";
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
$submitlogin = $_POST['user'];
$submitpass = $_POST['password'];
$query = $conn->query("SELECT * FROM main_table WHERE login = '$submitlogin' && pass = '$submitpass'", MYSQLI_USE_RESULT);
if ($query) {
while ($row = $query->fetch_array()) {
$db_login = $row['login'] . PHP_EOL;
$db_pass = $row['pass'] . PHP_EOL;
$db_id = $row['ID'] . PHP_EOL;
$db_user = $row['user'] . PHP_EOL;
$db_creator = $row['creator'] . PHP_EOL;
$db_admin = $row['admin'] . PHP_EOL;
$db_master = $row['master'] . PHP_EOL;
}
}
echo "posted login: " . $submitlogin . "<br>";
echo "posted password: " . $submitpass . "<br>";
echo "database login: " . $db_login . "<br>";
echo "database pass: " . $db_pass . "<br>";
echo "database id: " . $db_id . "<br>";
echo "database user: " . $db_user . "<br>";
echo "database creator: " . $db_creator . "<br>";
echo "database admin: " . $db_admin . "<br>";
echo "database master: " . $db_master . "<br>";
if ($submitlogin != $db_login && $submitpass != $db_pass) {
$_SESSION['ID'] = 'NULL';
$_SESSION['loggedin'] = 'False';
$_SESSION['login'] = '';
$_SESSION['pass'] = '';
$_SESSION['user'] = '';
$_SESSION['creater'] = 'False';
$_SESSION['admin'] = 'False';
$_SESSION['master'] = 'False';
echo"failed";
echo"<a href = '/wip/login/>try again</a>";
}
else {
$_SESSION['login'] = $db_login;
$_SESSION['pass'] = $db_pass;
$_SESSION['id'] = $db_id;
$_SESSION['user'] = $db_user;
$_SESSION['creator'] = $db_creator;
$_SESSION['admin'] = $db_admin;
$_SESSION['master'] = $db_master;
$_SESSION['loggedin'] = 'True';
echo "logged in";
echo "<a href='/wip/>go</a>";
}
mysqli_close($conn);
?>
PDO, which I wrote a function for to make it extremely easy, very clean, and way more secure than using non-parameterized queries.password_hash()andpassword_verify())to handle password security. If you're using a PHP version less than 5.5 you can use thepassword_hash()compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.rootdb user