1
if(isset($_POST['login']))
{
    $pass = md5($_POST['password']);
    $ch="SELECT * FROM membership WHERE email='$_POST[email]' AND    password='$pass'";
    $mych=mysqli_query($database,$ch) or die(mysqli_error($database));
    $counter=mysqli_num_rows($mych);
    if($counter>0)
    { 
        $_SESSION['userEmail']=$_POST['email'];
        $_SESSION['start'] = time();

        // Record now logged in time
        $_SESSION['expire'] = $_SESSION['start'] + (5 * 60) ; 

        // ending a session in 5  minutes from the starting time
        header("Location:userDashboard/");  
    }else{
       $qstring = '?status=err';
       $_SESSION['LoginAlert']="User Account Not Exist";
       header("Location:login.php".$qstring);   
    }
}
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Olatunji Abayomi
  • 11
  • 2
  • 5
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 16 '17 at 20:43
  • 6
    `md5()`is obsolete for hashing passwords and should *not be used*. PHP provides [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – John Conde Mar 16 '17 at 20:43
  • Both of the above taken as gospel, it just remains to be said that in that case you must have made a mistake when you stored the password into the database. – RiggsFolly Mar 16 '17 at 20:58
  • i inserted password in db using this line $_POST['password']=mysqli_real_escape_string($database,md5($_POST['password'])); – Olatunji Abayomi Mar 16 '17 at 21:10

0 Answers0