
I'm trying to let users log in

On the control page:

<?php include"files/header.php";?>
<?php
global $tf_handle;
$u_name  = strip_tags($_POST['u_name']);    
$u_pass  = md5($_POST['u_pass']);       
if(isset($_POST['login']))
{
    if(empty($u_name) or empty($u_pass))
    {
        echo"
            <div class='error'>Fill the The Form PLease</div><br />
            ";      
    }
    else
    {
        $sqlquery = mysqli_query($tf_handle,"SELECT * FROM user WHERE u_name = '".$u_name."' AND u_pass = '".$u_pass."'");
        if(mysqli_num_rows($sqlquery) > 0)
        {
            $fetchLquery = mysqli_fetch_object($sqlquery);
            print_r($fetchLquery);
            $uid = $fetchLquery->u_id;
            $uname = $fetchLquery->u_name;
            echo "$uname";
            $upass = $fetchLquery->u_pass;
            if($uname != $u_name )
            {
                //AND $upass != $u_pass
                echo"
                <div class='error'>wrong name</div><br />
                ";  
            }
            else
            {
                setcookie("uid",$uid,time()+60*60*24);
                setcookie("login",1,time()+60*60*24);
                echo"
                <div class='error'>Done !</div><br />
                ";
                header('Refresh: 3;url=index.php'); 
            }
        }
        else
        {
            echo"
                <div class='error'>Wrong information</div><br />
                ";              
        }
    }
}
?>  
            <div class="rightco">
            <div class="B_t_in">    
                    <div class="title_b">
                        <h3>Pen Testing</h3>
                    </div>  
                    <div class="info">
                        By : ~Hacker~
                        Date :30/5/2015  
                    </div>
            </div>  


                <table class="tb" width="100%" border="0" >
                    <tr>
                        <td width="20%"><div class="pic"><img src="http://3.bp.blogspot.com/-xUY6gP4Uhgw/U7ADSxKjwBI/AAAAAAAABM8/uVAbk_D06Wg/s1600/php-framework1+copy.png" alt="" /></div> </td>
                        <td width="80%">
                            <p>
                                Test Test Test Test Test Test Test Test TestTest Test Test Test Test Test Test Test Tes
                                Test Test Test Test Test Test Test Test Test
                            </p>
                        </td>
                    </tr>   
                </table>

                <div class="more"><a href="#">Read More !</a></div>

            </div>
<?php include"files/block.php";?>
<?php include"files/footer.php";?>          

The Result is

Wrong Name

And I tried to echo the variables to check them:

$fetchLquery  = stdClass Object ( [u_id] => 3 [u_name] => memo [u_pass] => 202cb962ac59075b964b07152d234b70 [u_email] => jankeh@yahoo.com [u_ulv] => 1 )

$uname = 'memo'

This condition `if($uname != $u_name )` shouldn't be executed.

I don't know what the reason for this problem is!

Should I check another thing?

smile
  • Why shouldn't `if($uname != $u_name )` be executed? or Do you mean it shouldn't be true? – chris85 Sep 08 '15 at 19:23
  • I'm on to another thread, you are open to SQL injections with your current code. Also login credentials shouldn't be client side, use `$_SESSION`. – chris85 Sep 08 '15 at 19:31
  • I mean `$uname` already = `$u_name`, so the condition shouldn't be executed and the else condition should execute – smile Sep 08 '15 at 19:34
  • I use sessions, but this time I'm trying to do it like the tutorial, and in the online tutorial the instructor used set cookies – smile Sep 08 '15 at 19:36
  • var_dump the two values. Are they actually the same? With cookie approach any user can make a cookie named login with the value of `1` and BAM access. Also if they are able to obtain another user's ID they can become that user. – chris85 Sep 08 '15 at 19:38
  • It will be fixed in the rest of the tutorial. My problem is why the condition works when it's something like 1 != 1 -_- – smile Sep 08 '15 at 19:44
  • Please update your question I can't tell exactly what that is....wasn't there just code in your comment? Without outputting the actual results of the variables it is hard to say what is happening.. – chris85 Sep 08 '15 at 19:47
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/89099/discussion-between-smile-and-chris85). – smile Sep 08 '15 at 19:49
  • I suspect you have case-insensitive collation on the table. So MySQL is comparing case-insensitively, but PHP is case-sensitive. – Barmar Sep 08 '15 at 19:50
  • Use `var_dump($u_name, $uname)`. – Barmar Sep 08 '15 at 19:51
  • This was resolved in a chat. The issue was the username in DB had a space and PHP didn't. – chris85 Sep 08 '15 at 20:14
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Sep 08 '15 at 20:27
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 08 '15 at 20:27
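
The points raised in the comments above (SQL injection, MD5 hashes, forgeable `login`/`uid` cookies), combined into one login handler as an added example; it is not code from the question or its tutorial. It assumes PHP 7+, the `user` table and `$tf_handle` connection from the question, and that `u_pass` now stores `password_hash()` output rather than MD5.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7+, that $tf_handle is an
// open mysqli connection, that user.u_pass holds password_hash() output
// instead of MD5, and that no HTML has been sent yet (run before header.php).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
session_start();

function attempt_login(mysqli $db, string $name, string $pass): bool
{
    // Bound parameter: the submitted name is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT u_id, u_name, u_pass FROM user WHERE u_name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($uid, $uname, $hash);
    $found = $stmt->fetch();   // true when a row was read, null when none
    $stmt->close();

    // password_verify() re-derives the hash using the salt stored inside
    // $hash and compares the result in constant time.
    if (!$found || !password_verify($pass, $hash)) {
        return false;
    }

    // Server-side session state replaces the client-editable cookies.
    session_regenerate_id(true);
    $_SESSION['uid']   = (int) $uid;
    $_SESSION['uname'] = $uname;
    return true;
}

$error = '';
if (isset($_POST['login'])) {
    // filter_input() yields null/false for missing or array input.
    $name = trim((string) filter_input(INPUT_POST, 'u_name'));
    $pass = (string) filter_input(INPUT_POST, 'u_pass');
    if ($name === '' || $pass === '') {
        $error = 'Fill in the form please';
    } elseif (attempt_login($tf_handle, $name, $pass)) {
        header('Location: index.php');
        exit;
    } else {
        // Same message for unknown user and wrong password.
        $error = 'Wrong information';
    }
}
if ($error !== '') {
    echo "<div class='error'>" . htmlspecialchars($error) . "</div><br />";
}
```

Pages that need a logged-in user then check `$_SESSION['uid']` instead of reading a `login` or `uid` cookie.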

1 Answer


You don't need to be checking if the names match anyway.

Why?

Your query will only return data if the username and password match those that you have put into the query. You're doing the same thing twice - once in SQL and again in PHP!

You just need to check if anything has been returned from the query. If it has, you know it's a match! :)

mfisher91
  • True, but aside from being redundant there's nothing wrong with it. Code should still work. Current issue why is SQL seeing the usernames as the same and PHP as different? – chris85 Sep 08 '15 at 19:28
  • As I typed the answer I was thinking to myself 'Should I say this? It isn't strictly answering what the user wants'. Just trying to make smile's life easier! – mfisher91 Sep 08 '15 at 19:30
  • mfisher, I noticed that, but the problem is like what chris85 said – smile Sep 08 '15 at 19:32
  • I changed that condition to `if(1 != 2 ) { //AND $upass != $u_pass echo" wrong name "; }` and it executes too!!! That made me crazy – smile Sep 08 '15 at 19:34
  • @smile 1 is not equal to 2, so that **should** execute. – Barmar Sep 08 '15 at 19:49
  • Yes, yes, I typed it wrong, I didn't mean that. The error was because of whitespace; chris85 really helped me – smile Sep 08 '15 at 20:25
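
The mismatch resolved above (a space in the stored username) does not show up in `echo` or `print_r` output. As an added example that is not from the thread, the helper below classifies why two strings that look equal compare unequal in PHP; `explain_mismatch()` is a hypothetical name and the sample values are constructed. MySQL's PAD SPACE collations ignore trailing spaces in `=` comparisons, which would explain the row matching in SQL; that the space was trailing is an assumption.

```php
<?php
// Added example; explain_mismatch() is a hypothetical helper, not thread code.
function explain_mismatch(string $submitted, string $stored): string
{
    if ($submitted === $stored) {
        return 'identical';
    }
    // The cause found in chat: stray whitespace around one value.
    if (trim($submitted) === trim($stored)) {
        return 'differ only by leading/trailing whitespace';
    }
    // The cause Barmar suspected: case-insensitive collation in MySQL,
    // case-sensitive comparison in PHP.
    if (strcasecmp($submitted, $stored) === 0) {
        return 'differ only by letter case';
    }
    return 'different values';
}

// Constructed samples: what the form sent vs. what the row held.
$submitted = 'memo';
$stored    = 'memo ';

echo explain_mismatch($submitted, $stored), "\n";
// Length and hex make the extra byte (0x20) visible where echo does not.
printf("submitted: len=%d hex=%s\n", strlen($submitted), bin2hex($submitted));
printf("stored:    len=%d hex=%s\n", strlen($stored), bin2hex($stored));
```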