
I got a final project for my exam. I have to make a registration form and a login form, and then using PHP send the data from registration to the database, and use it for logging in. I've already done my registration, and it successfully sends data to the database. But I got a problem in login. It works if I send new data to the database and write it down in the input, but if I try to write old data it doesn't work. Why?

<?php
    $link = mysqli_connect("localhost","root","root","test");
    if(isset($_POST['logg'])){
        $login = $_POST['login'];
        $pasw = $_POST['password'];
        if(empty($_POST['login'])||empty($_POST['password'])){
            echo '<script language="javascript">';
            echo 'alert("Lracnel dashty")';
            echo '</script>';
        }
        else {
            // Fetches every row of the table and compares in PHP instead of filtering in SQL
            $sql = "SELECT  `login` ,  `password` 
            FROM  `contact_form` ";

            $result = mysqli_query($link,$sql);
            while ($lol = mysqli_fetch_assoc($result)) {
                if($login==$lol['login']){
                    if($pasw==$lol['password']){
                        echo 'Welcome '.$lol['login'];
                    }
                    else{
                        echo 'Wrong password';
                    }
                }
                else{
                    // Leaves the loop at the first row whose login differs, so later rows are never compared
                    echo 'Wrong login';
                    break;
                }
            }
        }
    }
?>
Tiko
  • To start with, you should be using a WHERE clause in your SELECT to just pick out the person you're looking for; secondly, you should be using [`password_hash()`](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) to improve the password process. – Nigel Ren Oct 26 '18 at 16:51
  • How can I do it? Please, could you write it in code? – Tiko Oct 26 '18 at 16:54
  • Please help. I really need help. – Tiko Oct 26 '18 at 17:03
  • SELECT login, password FROM `contact_form` WHERE login = `$login` AND password = `$password` – Mustafa Oct 26 '18 at 17:06
  • Writing a login system is a huge responsibility, people are trusting you to protect their data and passwords. Using variables like `$lol` does not instil confidence. – tadman Oct 26 '18 at 17:47

2 Answers

I suggest you use PDO to query the database. I've modified your code to add a WHERE clause and to use the password_verify() PHP function; this means that you will hash your password before saving it into the database. You also need to sanitize your inputs before querying the DB.

<?php
    $link = mysqli_connect("localhost","root","root","test");
    if(isset($_POST['logg'])){
        $login = $_POST['login'];
        $pasw = $_POST['password'];
        if(empty($_POST['login'])||empty($_POST['password'])){
            echo '<script language="javascript">';
            echo 'alert("Lracnel dashty")';
            echo '</script>';
        }
        else {
            // Sanitize the input before the query: the value has to be escaped and
            // quoted, otherwise MySQL reads it as a column name and the query fails.
            // A prepared statement with bind_param is the safer option.
            $safeLogin = mysqli_real_escape_string($link, $login);
            $sql = "SELECT  login, password 
            FROM contact_form WHERE login = '$safeLogin' ";

            $result = mysqli_query($link,$sql);
            while ($lol = mysqli_fetch_assoc($result)) {
                if($login==$lol['login']){
                    // The password column holds the password_hash() value stored at registration
                    if(password_verify($pasw, $lol['password'])){
                        echo 'Welcome '.$lol['login'];
                    }
                    else{
                        echo 'Wrong password';
                    }
                }
                else{
                    echo 'Wrong login';
                    break;
                }
            }
        }
    }
?>
  • Fixes the password encoding problem, side-steps the issue of not using placeholder values and `bind_param`. – tadman Oct 26 '18 at 17:41
  • @tadman I use only `PDO` for my projects and it's a bit different from `mysqli_` on the `bind_param` part of the code; this is why I've preferred to avoid including this modification inside the answer. –  Oct 26 '18 at 18:38

This worked fine for me. Make sure that all of your ifs are true.

$link = mysqli_connect("localhost","root","root","test");

if(isset($_POST['logg'])){
    $login = $_POST['login'];
    $pasw = $_POST['password'];
    if(empty($login)||empty($pasw)){
        echo '<script language="javascript">';
        echo 'alert("Lracnel dashty")';
        echo '</script>';
    }
    else {
        // Prepared statement with placeholders: the submitted values never become part of the SQL text
        $sql = "SELECT  `login` ,  `password` FROM  `contact_form` WHERE login = ? AND password = ?";
        $stmt = mysqli_prepare($link, $sql);
        mysqli_stmt_bind_param($stmt, "ss", $login, $pasw);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        // Note: the password is still stored and compared in plain text here
        while ($lol = mysqli_fetch_assoc($result)) {
            if($login==$lol['login']){
                if($pasw==$lol['password']){
                    echo 'Welcome '.$lol['login'];
                }
                else{
                    echo 'Wrong password';
                }
            }
            else{
                echo 'Wrong login';
                break;
            }
        }
    }
}
Mustafa
  • It works, but it doesn't write "wrong login"; I'll fix it myself. – Tiko Oct 26 '18 at 17:18
  • @Tiko yeah, I changed a little bit of the code because I was testing things on my computer. Good luck with your assignment! – Mustafa Oct 26 '18 at 17:26