I have error and I don't know why

Question

Edit: now i have other problem. It is always return me an error. The right error but still it shouldn't. I mean that if I entered email it is writes me "email or password incorrect". If I writing name it's writes "name or password incorrect". Even if I writes the right details.

fixed: I have no idea why, but if I fill both of the fields it writes "success". It doesn't matter what I write in the fields. In the user database I have the id, username, first name, last name, email and password. This Login form should detect what the user entered: email, name or username. If there are more than one user with the same name (first or last) it won't allow him to log in with the name - only with username or password. username can contain only English letters and numbers and _ but not spaces. the first and the last name contains only letters and not spaces. Every update (changing password, username etc...) is saves in the "user" table in different row. The current row (with the newest info) written in the "action" column "current" or "register" (if user hasn't changed the info yet).

<?php
$name = $_POST["email"];
$password = md5($_POST["password"]);
$right = false;

if(filter_var($name, FILTER_VALIDATE_EMAIL))
{//is email
    $query=mysqli_query($mysqli, "SELECT * FROM user WHERE email='".$name."' AND password='".$password."' AND (action='current' OR action='register')");
    if(mysqli_num_rows($query) != 1)
    {
        echo "Email OR password are incorrect.";
    }else{
        $right = true;
        $row = mysqli_fetch_array($query);
        $userid = $row['id'];
    }
}elseif(!empty($name))
{
    $array = explode(' ', $name);
    //detect if needs username of regular login
    if(count($array) == 1) //username
    {
        $query=mysqli_query($mysqli, "SELECT * FROM user WHERE username='".$array[0]."' AND password='".$password."' AND (action='current' OR action='register')");
        if(mysqli_num_rows($query) == 1)
        { //yes
            $right = true;
            $row = mysqli_fetch_array($query);
            $userid = $row['id'];
        }
        else
        { //no
            echo '<b>Username OR password are incorrect.</b> Note that if you tried to log in with your name, you need to enter the first AND last name as you entered them in the registry.';
        }
    }
    elseif(count($array) == 2) //regular
    {
        $query1=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[0]."' AND lastname='".$array[1]."' AND (action='current' OR action='register')"); 
        $query2=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[1]."' AND lastname='".$array[0]."' AND (action='current' OR action='register')"); 

        if (mysqli_num_rows($query1) == 1 && (mysqli_num_rows($query1) != mysqli_num_rows($query2)))
        { //no need for username
            $query=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[0]."' AND lastname='".$array[1]."' AND password='".$password."' AND (action='current' OR action='register')");
            if(mysqli_num_rows($query) == 1)
            {
                $right = true;
                $row = mysqli_fetch_array($query);
                $userid = $row['id'];
            }
        }
        elseif(mysqli_num_rows($query2) == 1 && (mysqli_num_rows($query1) != mysqli_num_rows($query2)))
        {
            $query=mysqli_query($mysqli, "SELECT * FROM user WHERE firstname='".$array[1]."' AND lastname='".$array[0]."' AND password='".$password."' AND (action='current' OR action='register')");
            if(mysqli_num_rows($query) == 1)
            {
                $right = true;
                $row = mysqli_fetch_array($query);
                $userid = $row['id'];
            }
        }
        else
        {
            echo 'Unfortunately you can not log in with your name. Please enter a user name (which you received by email) OR email address in ORDER to connect';
        }
    }
    else //error
    {
        echo 'Error Input Email';
    }
}
else
{
    echo 'Please fill all the fields.';
}

if($right){
    setcookie("userid", $userid, time() + 60 * 60 * 24 * 30, "/");
    setcookie("password", $password, time() + 60 * 60 * 24 * 30, "/");
    echo 'Success!';
}
?>

Thanks

What is the specific error? What did you tried and what doesn't worked? — Maarkoize, Dec 27 '13 at 13:24
Your script is vulnerable to SQL injections; you should read on [how to prevent them](http://stackoverflow.com/q/60174/53114). — Gumbo, Dec 27 '13 at 13:25
@MarcelBalzer No matter what I write in the inputs, if they are not empty I receive "success". — Vlad Gincher, Dec 27 '13 at 13:25
@Gumbo I'll add MYSQLI REAL ESCAPE STRING when the code will work. — Vlad Gincher, Dec 27 '13 at 13:27
Then check at which position right is set to true, for example with a echo "here" at the position before. — Maarkoize, Dec 27 '13 at 13:27
@DarkBee Yes and no. Yes for prepared statements, and no for `mysql_` I believe you meant `mysqli_` ;-) *"Prepared statements > mysql_real_escape_string imho"* — Funk Forty Niner, Dec 27 '13 at 14:06
Sidenote: `md5` passwords are easy for hackers to crack now. Don't use it anymore, it's technology that dates back to 1996, and a lot of water has ran under the bridge since. ;-) @VladGincher — Funk Forty Niner, Dec 27 '13 at 14:08
This is a good start => http://php.net/password and this on SO => http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely — Funk Forty Niner, Dec 27 '13 at 16:10

score 3 · Accepted Answer · edited Dec 27 '13 at 21:47

3

$query=mysqli_query($mysqli, "SELECT * FROM user WHERE username='".$array[0]."' AND password='".$password."' AND (action='current' OR action='register')");
if(mysqli_num_rows($query) == 0) { //yes
    $right = true;
    $row = mysqli_fetch_array($query);
    $userid = $row['id'];
}

Right here, you are saying if there are no records that match the username and password combination, then set $right to true and proceed. I am pretty sure your check should be

if (mysqli_num_rows($query) != 0)

edited Dec 27 '13 at 21:47

Ahmed Siouani

13,701
12
61
72

answered Dec 27 '13 at 13:30

keelerm

2,873
20
12

just spotted this too! – Popnoodles Dec 27 '13 at 13:30
if(mysqli_num_rows($query) == 1) you mean. Yes, it's works but now i have other problem. It is always return me an error. The right error but still it shouldn't. I mean that if I entered email it is writes me "email or password incorrect". If I writing name it's writes "name or password incorrect". Even if I writes the right details. – Vlad Gincher Dec 27 '13 at 13:42
Well, for the email issue, it is probably because you have the same logic error. You are checking if(mysqli_num_rows($query) != 0), meaning you have a match, and then you display an error message. You also have this error when checking in your count($array) == 2 branch (in 2 difference places). – keelerm Dec 27 '13 at 13:47
@keelerm I fixed this error (== 0) in all the places, but it still displayes me the error. – Vlad Gincher Dec 27 '13 at 13:50
Just to verify, you changed != 0 in line 9 to == 0? I would take it one step at a time. First try working out the email logic. Add a few echo statements at various key points and verify the script is following the line of execution you would expect. Also add echos for $name, $password and verify the record in the database matches those values while also checking that the action column is set to 'current' or 'register'. – keelerm Dec 27 '13 at 13:55

I have error and I don't know why

1 Answers1