0

I have a MySql database with the following columns:

enter image description here

and a HTML form like so:

                           <form method="post" action="validate.php">
                               <label for="users_email">Email:</label>
                               <input type="text" id="users_email" name="users_email">
                               <label for="users_pass">Password:</label>
                               <input type="password" id="users_pass" name="users_pass">
                               <input type="submit" value="Submit"/>
                           </form>

Here's snippet of code within the validate.php page:

$email = $_POST['users_email'];
$pass = $_POST['users_pass'];

$dbhost = '************';
$dbuser = '************';
$dbpass = '************';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn)
{
    die('Could not connect: '. mysql_error());
}

mysql_select_db("SafeDropbox", $conn);

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = $email");

$row = mysql_fetch_array($result);

if($row['Email'] == $email && $row['UserPassword'] == $pass) {
    echo "Valid";   
}

elseif($row.count() == 0) {
    echo "No Match";
}

else {
    echo "Invalid";
 //header("Location: http://www.google.ie");
    //exit();
}

The problem is I'm getting no match even though the values of $email and $pass are definitely within my database. What am I doing wrong?

Rob Gleeson
  • 315
  • 1
  • 5
  • 17
  • I am not sure if `$row.count()` is valid. What does `var_dump($row)` give you ? – Maximus2012 Jul 13 '15 at 15:31
  • 2
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 13 '15 at 15:31
  • 2
    You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. – Jay Blanchard Jul 13 '15 at 15:31
  • 2
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jul 13 '15 at 15:32
  • Also, your code is open to SQL Injection so you might want to use MySQLi/PDO and prepared statements in place of `mysql_` functions which are deprecated. – Maximus2012 Jul 13 '15 at 15:32
  • The question seems incomplete: you wrote "... with the following columns" but they are not listed. – il_raffa Jul 13 '15 at 15:32
  • You might also want to try `Email = '$email'` in place of `Email = $email` and make sure the values are being passed to validate.php via POST. – Maximus2012 Jul 13 '15 at 15:34

1 Answers1

1

The problem is in:

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = $email");

$email should be escaped and surrounded by quotes. The safest solution is to use a prepared statement:

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = ?");
$con=new mysqli($dbhost, $dbuser, $dbpass, $yourDatabase);
$stmt = $mysqli->prepare($result);
$stmt->bind("s",$email);
$result=$stmt->execute();

For more details see http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

Norbert
  • 6,026
  • 3
  • 17
  • 40