0

I'm trying to do a simple login, which compares the input of the ID and password by the user with the data in the database

//getting the inputs
$checkid = $_POST["id"];

$checkpassword = md5($_POST["pass"]);

//getting the id and password of the id and password of the inputs
$query = "SELECT id, password FROM login WHERE id=$checkid AND password=$checkpassword";

$res = mysqli_query($link, $query);

$nres = mysqli_num_rows($res);

//$nres should be 0 if the user inputs the right id but the wrong password
//or viceversa, the only way that it $nres!=0 is that both inputs match the db, right?
if ($nres == 0) {
    header('Location: http://localhost:8888/login/login_fail.php');
    else
    header('Location: http://localhost:8888/profile/profile.php');
    exit();

it doesn't work, even if i put the right ID and the password that are on the database it will redirect to login_fail.php. Note: it does work if i do it just with he ID and take out of the query " ,password" "AND password = $checkpassword". Help

LuisEgan
  • 952
  • 2
  • 13
  • 28
  • 2
    Add quotes `"SELECT id, password FROM login WHERE id='$checkid' AND password='$checkpassword'"` and a sidenote: don't use `md5`, it's now insecure to use as password storage. – Funk Forty Niner Feb 28 '14 at 03:24
  • 1
    +1 and also note you are wide open to SQL injection attacks by not doing any processing on your POST variables. – JBES Feb 28 '14 at 03:32
  • You could also fix up your conditional statements' bracing. `if{...} else{...}` – Funk Forty Niner Feb 28 '14 at 03:34
  • Never use mysqli thing. But, i think this one will help you to check the error.. if (!mysqli_query($link, $query)) printf("Error: %s\n", mysqli_error($link)); – Suresh Feb 28 '14 at 03:37
  • hey @Fred-ii- thanks again man! What would you recommend to use as password storage? – LuisEgan Feb 28 '14 at 03:39
  • and @JBES how do I do the processing on my POST variables? Thanks both! I'm still learning, forgive my noobness. :) – LuisEgan Feb 28 '14 at 03:40
  • some docs: [mysqli_real_escape_string](http://ca1.php.net/fr/mysqli_real_escape_string) and [Safe Password Hashing](http://www.php.net/manual/en/faq.passwords.php) – MamaWalter Feb 28 '14 at 03:40
  • You're welcome. Either [`bcrypt`](http://stackoverflow.com/q/4795385/) or PHP's [`password()`](http://www.php.net/manual/en/faq.passwords.php) function. And [`see this article also`](https://crackstation.net/hashing-security.htm) and did my suggestion work? @LuisEgan – Funk Forty Niner Feb 28 '14 at 03:42
  • @MamaWalter has you started on that with mysqli_real_escape_string - `$checkid=mysqli_real_escape_string($link,$_POST['id']);` – JBES Feb 28 '14 at 03:50
  • @Fred-ii- ok I'll use one of those! Yes, thanks man! – LuisEgan Feb 28 '14 at 04:23
  • Ok and you're welcome. Did you want me to make my comment an answer so we can close the question? @LuisEgan – Funk Forty Niner Feb 28 '14 at 04:24
  • It's posted below @LuisEgan – Funk Forty Niner Feb 28 '14 at 04:29

2 Answers2

2

Add quotes to your variables:

"SELECT id, password FROM login WHERE id='$checkid' AND password='$checkpassword'"
                                         ^        ^              ^              ^

Sidenote: Don't use md5, it's now insecure to use as password storage.

For password storage, either use bcrypt or PHP's password() function.

And see this article also

Also noted in comments by others, use mysqli_real_escape_string():

$checkid=mysqli_real_escape_string($link,$_POST['id']);
Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
0

Try the query: 

$query = "SELECT id, password FROM login WHERE id='".$checkid."' AND password='".$checkpassword."'";
Vikas Umrao
  • 2,800
  • 1
  • 15
  • 23