
I registered a user, say, with the data login = test, password = 12345, and I am trying to log in manually. I open the link example.com/login.php?username=test&password=12345 and the code prints Invalid. I checked in the database that this user is there and all the data is entered correctly, but the code does not see it. I tried creating another user, but the result is the same. Here is my code; the commented-out part is what I tried the first time to get the answer, with the same result. No errors are displayed.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');   // E_ALL alone does not make errors visible on the page
require_once("connect.php");      // must define $conn, a mysqli connection

$login = mysqli_real_escape_string($conn, $_GET['username']);
$password = mysqli_real_escape_string($conn, $_GET['password']);
// Note: escaping before hashing changes the hash for passwords that contain
// quotes or backslashes; it has no effect on "12345".
$password = md5($password);       // compared against the md5 hex string stored in the table

$sql = mysqli_query($conn, "SELECT * FROM login WHERE username = '$login' AND password = '$password'");
if ($sql === false) {
    // A failed query returns false silently; report why before trying to fetch from it.
    die('Query failed: ' . mysqli_error($conn));
}

//if($sql){
//    $dados = mysqli_num_rows($sql);
//    echo "$dados";
//    if($dados > 0){
//        echo 'Success';
//    }else{
//        echo 'Invalid';
//    }
//}

$id_user = mysqli_fetch_array($sql);   // false when no row matched
if (empty($id_user['id'])){
    echo 'Invalid';
}
else {
    echo 'Success';
}

mysqli_close($conn);
?>
```
M Y

  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Jan 11 '18 at 19:56
  • **You shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)**. Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. – GrumpyCrouton Jan 11 '18 at 19:56
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it's worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Jan 11 '18 at 20:28
  • Do you store passwords in the database as md5? Try outputting your SQL query and checking the password hash against the password value in the database – newman Jan 11 '18 at 22:24
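The login check from the question, rewritten the way the comments above recommend (prepared statement, `password_hash()`/`password_verify()`, no escaping of the password). This is an added example, not the asker's code: it assumes `connect.php` provides a mysqli connection in `$conn`, that the `login` table has columns `id`, `username` and `password`, that the stored `password` values are `password_hash()` output rather than md5 hex strings, and PHP 7.1+ with mysqlnd (for `get_result()`).

```php
<?php
// Added example, not the asker's code. Assumes connect.php defines $conn (mysqli),
// a `login` table with id/username/password, and password_hash() values in `password`.
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require_once 'connect.php';

// Store a new user: hash the raw password, never escape or otherwise alter it first.
function register_user(mysqli $db, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    return $db->insert_id;
}

// Check a login attempt. Returns the user id on success, null otherwise.
function check_login(mysqli $db, string $username, string $password): ?int
{
    // Only the username goes into the query, as a bound parameter; the password
    // is never part of the SQL and is compared in PHP against the stored hash.
    $stmt = $db->prepare('SELECT id, password FROM login WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matched
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Read credentials from a POST body rather than the query string, where they
// would end up in server logs and browser history.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$id = check_login($conn, $username, $password);
echo $id === null ? 'Invalid' : 'Success';
$conn->close();
```

Existing md5 rows will not verify against this code; users with md5 hashes need to be re-hashed with `password_hash()` (for example on their next successful login against the old check) before the switch is complete.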

0 Answers