
I am trying to secure my login page with a prepared statement. The password is hashed; I also tried putting it in the prepared statement, but it won't work.

I'm not sure that the following code is secure enough.

<?php require 'Connections/localhost.php'; ?>

<?php
// Start the session once, before any output, so $_SESSION is usable on every path below.
session_start();

if(isset($_POST['LogIn'])) {

    $EM = $_POST['E-mail'];
    $PW = $_POST['Wacht-Woord'];

    // Email is bound as a parameter, so user input never becomes part of the SQL text.
    $sql = "select Password, UserID, UserLevel from user where Email=?";

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        // prepare() returns false on a SQL or connection error; log it rather than carrying on with a bad statement.
        error_log('prepare failed: ' . $con->error);
        $_SESSION["LogInFail"] = "Yes";
    } else {
        $stmt->bind_param("s", $EM);

        $stmt->execute();

        $stmt->bind_result($Password, $UID, $UL);

        while ($stmt->fetch())
        {
            // Compare the submitted password against the stored password_hash() value.
            if(password_verify($PW, $Password))
            {
                $_SESSION["UserID"] = $UID;

                if($UL=="1")
                {
                    header('Location: Account.php');
                    exit; // stop here; otherwise the script keeps running after the redirect header
                }
                else if ($UL=="2")
                {
                    header('Location: CRUD/indexAdmin.php');
                    exit;
                }
            }
        }

        $stmt->close();

        // Reached only when no row matched: unknown e-mail or wrong password.
        $_SESSION["LogInFail"] = "Yes";
    }

}

?>
Benny
  • Duplicate of http://stackoverflow.com/questions/134099. I suggest you read that as it answers your question. – Peter Gordon Jun 21 '16 at 18:32
    Possible duplicate of [Are PDO prepared statements sufficient to prevent SQL injection?](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) – Peter Gordon Jun 21 '16 at 18:32
  • Your title is asking if it's secure enough - yes, prepared statements are secure enough to combat SQL injection. The body of your question asks that it doesn't work - then you need to do some troubleshooting and find the relevant error-messages. Or at least, tell us what is working and what isn't, because "*but it won't work*" is very vague. Enable [`error_reporting(E_ALL);`](http://php.net/manual/en/function.error-reporting.php) [`ini_set('display_errors', 1);`](http://php.net/manual/en/function.ini-set.php) and look for [`mysqli_stmt_error`](http://php.net/manual/en/mysqli-stmt.error.php) – Qirel Jun 21 '16 at 18:33
  • Also, there's no need for multiple `session_start();` calls. Place it so it's started regardless (like the first thing after ` – Qirel Jun 21 '16 at 18:34
  • Since you're doing the test in a loop, one row may have a matching password, but another row could have a non-matching password. Also, if there's only a non-matching row, you'll assign to the session variable but never call `session_start()`. @Qirel's suggestion will fix that. – Barmar Jun 21 '16 at 18:49
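The handler below is an added example, not the asker's code or anything from the thread. It keeps the question's mysqli prepared-statement and password_verify() pattern and applies the points raised in the comments: mysqli errors reported as exceptions instead of silently returning false, a single session_start() at the top of the script, no reliance on the fetch loop to decide success or failure, and an exit after each redirect. It assumes Connections/localhost.php defines a mysqli connection in $con, that the `user` table has the columns Email, Password, UserID and UserLevel named in the question, that the Password column stores password_hash() output (a VARCHAR(255) column holds any current algorithm's output), and a hypothetical LogIn.php page to return to on failure; register_user() and authenticate() are names chosen here.

```php
<?php
// Added example (not the asker's code): mysqli + prepared statements + password_verify().
// Assumes: $con is a mysqli connection from Connections/localhost.php;
// table `user` has Email, Password (password_hash() output), UserID, UserLevel.
declare(strict_types=1);

// Turn mysqli failures into exceptions, so a failed prepare()/execute() is never
// mistaken for "no such user" and never continues silently with a false value.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require 'Connections/localhost.php';

// Exactly one session_start(), before any output, so $_SESSION works on every path.
session_start();

/**
 * Create a user whose Password column holds a password_hash() hash. Returns the new UserID.
 * (Hypothetical helper, added for this example.)
 */
function register_user(mysqli $con, string $email, string $password, int $level = 1): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO user (Email, Password, UserLevel) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $email, $hash, $level);
    $stmt->execute();
    $stmt->close();
    return (int) $con->insert_id;
}

/**
 * Look the account up by e-mail and check the password.
 * Returns ['UserID' => int, 'UserLevel' => string] on success, null on any failure.
 * (Hypothetical helper, added for this example.)
 */
function authenticate(mysqli $con, string $email, string $password): ?array
{
    // The e-mail is a bound parameter: it is sent separately from the SQL text.
    $stmt = $con->prepare('SELECT UserID, UserLevel, Password FROM user WHERE Email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($uid, $level, $hash);

    // Take one row only. If Email is unique there is never a second row, and this
    // avoids a later row overwriting the outcome of an earlier one inside a loop.
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $hash)) {
        return null; // unknown e-mail and wrong password are treated the same
    }

    // If PASSWORD_DEFAULT or its cost changed since the hash was made, upgrade it now
    // while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE user SET Password = ? WHERE UserID = ?');
        $upd->bind_param('si', $newHash, $uid);
        $upd->execute();
        $upd->close();
    }

    return ['UserID' => (int) $uid, 'UserLevel' => (string) $level];
}

if (isset($_POST['LogIn'])) {
    $email    = (string) ($_POST['E-mail'] ?? '');
    $password = (string) ($_POST['Wacht-Woord'] ?? '');

    $user = authenticate($con, $email, $password);

    // Map the level to a landing page; unknown levels are a failure, not an open redirect.
    $target = null;
    if ($user !== null) {
        switch ($user['UserLevel']) {
            case '1': $target = 'Account.php';         break;
            case '2': $target = 'CRUD/indexAdmin.php'; break;
        }
    }

    if ($target === null) {
        $_SESSION['LogInFail'] = 'Yes';   // one generic flag for every failure cause
        header('Location: LogIn.php');    // hypothetical login page
        exit;
    }

    // Fresh session id on privilege change, so a pre-login id cannot be fixed by an attacker.
    session_regenerate_id(true);
    $_SESSION['UserID'] = $user['UserID'];

    header('Location: ' . $target);
    exit; // nothing after a redirect header should keep executing
}
```

With MYSQLI_REPORT_STRICT on, the mysqli_stmt_error() lookup suggested in the comments becomes unnecessary for troubleshooting: a bad column name or a mismatched bind_param() type string throws a mysqli_sql_exception with the server's message, which you can catch and log (never echo to the user on a production site).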

0 Answers