0

I have a login form. I have in my table of the database two records: admin and user. If you login if admin you must go to admin_area.php. this is not working, he always log in if user. If you login if user this works. The first part of the script is not working and don't run.

Can someone help me? thanks in advance.

<?php
//first part: this is not working
session_start();
//if (isset($_POST['submit'])) {
$a_username = $_POST ['username'];
$a_password = md5( $_POST ['password']);

if($a_username == "admin" && $a_password=="intel")
{
    include 'connect.php';
    $sqli = "SELECT * FROM users WHERE username='$a_username' AND password='$a_password' ";

    $numrows = mysqli_query($link, $sqli)    or    die(mysqli_error());

        $username = 'username';
        $password = 'password';

        //Add some stripslashes
        $username = stripslashes($username);
        $password = stripslashes($password);

        //Check if username and password is good, if it is it will start session
        if ($username == $a_username && $password == $a_password)
        {

            $_SESSION['username'] = 'true';
            $_SESSION['username'] = $username;

            //Redirect to admin page
            header("Location: admin_area.php");exit();
        }

}

//second part: this works
$username = $_POST ['username'];
$password = md5( $_POST ['password']);

if($username&&$password)
{
include 'connect.php';

$query = "SELECT * FROM users WHERE username='$username' AND password='$password' ";

$numrows = mysqli_query($link, $query)    or    die(mysqli_error());

if ($numrows != 0)
{
    /
    while ($row = mysqli_fetch_assoc ($numrows))
    {
        $dbusername  = $row['username'];
        $dbpassword  = $row['password'];
    }

        if ($username==$dbusername&&$password==$dbpassword)
        {
            echo "you are log in <a href='user.php'>click here for contine</a>, after 4 seconds"; header('Refresh: 4;url=user.php'); 
            $_SESSION ['username'] = $username;
        }
        else
         echo "<h3>incorrect password,  <a href='index.php'>click here</a></h3>";

}
else 
    die ("text");



}

else 
    die ("text");
//}
?>
wesley3
  • 11
  • 1
  • 1
    Don't use MD5 for password hashing. [It's insecure](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure). Consider `password_hash` instead – Machavity Jan 13 '16 at 18:46
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 13 '16 at 18:47
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 13 '16 at 18:47
  • *I fear we're wasting our breaths/words here gentlemen..., and possibly "ladies".* – Funk Forty Niner Jan 13 '16 at 18:47

1 Answers1

1
$a_password = md5( $_POST ['password']);

if($a_username == "admin" && $a_password=="intel")

This condition is not valid, because 

$a_password = md5( $_POST ['password'])

is first converted to md5 format and then checked $a_password=="intel" $a_password is now in md5 format and intel is normal string. For this first try to match normal $a_password like 

$a_password = $_POST ['password']

and write your variable into your condition as like 

$a_password = md5( $_POST ['password'])
Machavity
  • 30,841
  • 27
  • 92
  • 100
Jakir Hossain
  • 2,457
  • 18
  • 23