-2

I've got the following code but I can't get the user to log into their account. In the database, the length of the password it's stored as is 35. I have var_dumped the password variable to see what is inserted into it, and it's the same value as the password stored in the database. Any help is appreciated.

```php
<?php   
    include_once("config.php");
    session_start(); 
    $message = "";

    if (isset($_POST['username'])) {    
        $username = ($_POST['username']);
        $password =md5($_POST['password']);
        $password = ($password); 

        $sql = "SELECT * FROM user WHERE username = '$username' && password='$password'";
        $query = mysqli_query($conn, $sql);
        $row = mysqli_fetch_row($query);
        $userid = $row[0];
        $checkuser = $row[5];
        $checkpassword = $row[4];
        $type = $row[1];
        $name = $row[2];
        $surname = $row[3];

        if ($username != $checkuser || $password != $checkpassword) {
          $message = " username or password entered is incorrect.";
        }

        if ($username == $checkuser && $password == $checkpassword) {
            $_SESSION['username'] = $username;
            $_SESSION['type'] =$type;
            $_SESSION['name'] = $name;
            $_SESSION['surname'] = $surname;
            $_SESSION['userid'] =  $userid; 

           if($_SESSION['type'] == "admin") {
              header("Location: adminindex.php");
           } else {
              header("Location: index.php");
           }

        }   
    }
?>
```
WillardSolutions
Jurgen
  • 1
    Why are you comparing the values so many times? Which comparison is the one that's failing? – David Apr 26 '16 at 14:10
  • 3
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 26 '16 at 14:13
  • 1
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 26 '16 at 14:13
  • 2
    You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure). – Jay Blanchard Apr 26 '16 at 14:13
  • 1
    You need to debug your logic. There are too many points where your if statements could evaluate in a way you don't expect. – WillardSolutions Apr 26 '16 at 14:16
  • The HTML form is unknown. – Funk Forty Niner Apr 26 '16 at 14:46
  • 1
    *"the length of the password its stored as is 35"* - OK, but that doesn't tell us what the password column's length is; so, what is it? And what's the username's value? You need to interact here. – Funk Forty Niner Apr 26 '16 at 14:49
  • Ok, !&@*$ this, voting to close. This is all but guesswork. – Funk Forty Niner Apr 26 '16 at 14:54
  • nothing* but guesswork, technically – I wrestled a bear once. Apr 26 '16 at 14:59

1 Answer

1

There may or may not be an issue with the fact that you're not using prepared statements, but you're definitely leaving yourself open to SQL injection.

Prepared statement example:

```php
$stmt = $conn->prepare("SELECT * FROM user WHERE username =? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
```

See: http://php.net/manual/en/mysqli.prepare.php

I wrestled a bear once.
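
The comments recommend `password_hash()` and the answer recommends a prepared statement; the following combines both as an added example that is not part of the original question or answer. It assumes the `$conn` connection from `config.php`, the column order the question reads by index, and a password column wide enough for `password_hash()` output; rows still holding a 32-character MD5 digest are upgraded on the first successful login.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes: $conn is the mysqli connection from config.php; the `user` table has
// the column order the question reads by index; the password column is wide
// enough for password_hash() output (PHP's manual suggests 255 characters).
include_once("config.php");
session_start();
$message = "";

// Returns the user row on success, or null. The password is never put in SQL.
function check_login(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare("SELECT * FROM user WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();   // get_result() needs mysqlnd
    if (!$row) {
        return null;                           // unknown username or fetch failure
    }
    $stored = $row[4];                         // password column, as in the question

    if (password_verify($password, $stored)) {
        return $row;
    }
    // Legacy row: still an unsalted MD5 hex digest (always 32 characters).
    if (strlen($stored) === 32 && hash_equals($stored, md5($password))) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $up = $conn->prepare("UPDATE user SET password = ? WHERE username = ?");
        $up->bind_param("ss", $new, $username);
        $up->execute();                        // store the stronger hash
        return $row;
    }
    return null;
}

if (isset($_POST['username'], $_POST['password'])) {
    $row = check_login($conn, $_POST['username'], $_POST['password']);
    if ($row === null) {
        $message = "Username or password entered is incorrect.";
    } else {
        session_regenerate_id(true);           // new session ID after login
        $_SESSION['userid']   = $row[0];
        $_SESSION['type']     = $row[1];
        $_SESSION['name']     = $row[2];
        $_SESSION['surname']  = $row[3];
        $_SESSION['username'] = $row[5];
        header("Location: " . ($row[1] === "admin" ? "adminindex.php" : "index.php"));
        exit;
    }
}
```

A hash that was truncated by a too-narrow column will fail `password_verify()`, so the column width has to be fixed before any new hashes are stored.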