0

I am creating a log in system using a mysql database.

I have two tables in the database called student and discipline. I want users to log in using two different things from different tables. I want them to log in using their student ID, which is in the student table, and their discipline name, which is in the discipline table. student and discipline are both separate tables. I have created an inner join with the tables, and the query works in phpmyadmin. However, I cannot log in when i run the application. When i press the log in button, nothing seems to happen....

Below is my code:

// LOGIN USER
if (isset($_POST['login'])) {
    $name = mysqli_real_escape_string($db, $_POST['name']);
    $studentid = mysqli_real_escape_string($db, $_POST['studentid']);

}

    if (count($errors) == 0) {
        $name = md5($name);
        $query = "SELECT discipline.name, student.studentid 
        FROM discipline
        INNER JOIN student ON discipline.disciplineid = student.disciplineid WHERE discipline.name='$name' AND student.studentid='$studentid'";


        //$query = "SELECT * FROM discipline WHERE name='$name' AND studentid='$studentid'";

        $result = mysqli_query($db, $query);
    }
        if (mysqli_num_rows($result) == 1) {
            $_SESSION['name'] = $name;
            header('location: Assessment.php');
        }else {
            array_push($errors, "Wrong username/password combination");

        }


//logout
if (isset($_GET['logout'])) {
    session_destroy();
    unset($_SESSION['disciplineid']);
    header('location: index.php');
}
?>

Form HTML:

<div class="form">
    <ul class="row justify-content-center">
        <form method="post" action="index.php">
            <p> <label>Your ID </label> <input type="text" id="studentid" name="studentid" required /> </p>
            <p> <label>name of discipline:</label> <input type="text" id="name" name="name"required /> </p>
            <p> <button type="submit" class="btn" name="login">Login</button> </p>
        </form>

Any help would be appreciated. Thanks

IncredibleHat
  • 4,000
  • 4
  • 15
  • 27
nad
  • 17
  • 4
  • 1
    Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jan 09 '18 at 15:54
  • We need the code of the html form. No doubt theres something wrong with how you are submitting, or how the form is made. – IncredibleHat Jan 09 '18 at 15:54
  • 1
    "*I am creating a log in system using a mysql database.*" ... There are many libraries you can utilize which handle a lot of security concerns and issues already for you. Writing your own is a very involved process that takes a lot of planning and execution. – IncredibleHat Jan 09 '18 at 15:54
  • 2
    MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Jan 09 '18 at 15:54

    – nad Jan 09 '18 at 16:04
  • My code for the form is above – nad Jan 09 '18 at 16:04
  • `` will submit the form, but it does not submit `login` with a value (most browsers, its inconsistent and unreliable). Its better to use a hidden input with what to check on ``, and then `if(isset($_POST['logging_in']))` will fire off in php ok on submit. – IncredibleHat Jan 09 '18 at 16:18
  • I have tried that code but its still the same..... – nad Jan 09 '18 at 16:25
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Jan 09 '18 at 17:14
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords with a weak, high-speed hash like SHA1 or MD5**. – tadman Jan 09 '18 at 17:14

0 Answers0