
I am testing a login code and I ran into a problem where the information collected from a MySQL database cannot be found even though the information exists inside the table. The code below says that there are 0 rows with the information I am trying to pull out, therefore it fails to execute its primary function and always ends up executing the else solution.

I have been googling around and tried different combinations and ways the code can be written, such as '".$username."' instead of '$username', but nothing seems to be working except in the case where I equal it to zero, but that way it loses its purpose and executes the primary function no matter what.

<?php
$mysqli = new mysqli('localhost','root','password','accounts');

if (isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = "SELECT * FROM users WHERE username = '$username' AND pass = '$password' ";

    $result = mysqli_query($mysqli,$sql);

    if (mysqli_num_rows($result)>0){
        echo "Login Success!";
        exit();
    }
    else{
        echo "Login Failed";
        exit();
    }
}
?>

I expected to solve this problem on my own but I got totally confused and don't even know what I have tried so far and what else is there to be tried.

Note: My password is md5 protected

  • 1
    The code you wrote depends on values of `$username` and `$password`. Try to run it with `$password = "' or 1=1 or ''='`, that should force it to return everything your table has. – che Dec 26 '18 at 18:04
  • Check the data that's actually in your table. You're checking for a plaintext password. Is that how it's stored? (Bad idea, it should be encrypted, preferably with `password_hash()`.) If it's encrypted, then you'll need to encrypt the password before you pass it into the query to check. – aynber Dec 26 '18 at 18:20
  • Yes, my password is md5 protected, I forgot to mention that (I'll edit it right away). Does that have anything to do with this? –  Dec 26 '18 at 18:32
  • In that case, you want your input to be converted to md5 first. You then compare this md5 hashed version of the password with the one stored in your database... `$password = md5($_POST['password']);` – Captain Red Dec 26 '18 at 18:35
  • Note that MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky Dec 26 '18 at 18:39
  • Also, please read about [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). Instead of building queries with string concatenation, use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Dec 26 '18 at 18:39
  • While that worked to get your code to work, it is not a good practice security-wise. Please refer to the links posted by @AlexHowansky to learn more about SQL injection and prepared statements to better protect your db query. – Captain Red Dec 26 '18 at 18:50
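The comments above make three points: the query returns 0 rows because a plaintext password is being compared against a stored MD5 hash, MD5 is not an acceptable password hash, and string-built queries are open to SQL injection. The following is an added example (not the asker's code or any answer on the page) showing the login check rewritten the way the commenters recommend: a mysqli prepared statement with a bound parameter, and `password_hash()`/`password_verify()` in place of MD5. It assumes the same `users` table with a `username` column and a `pass` column, with `pass` now holding a `password_hash()` value; the connection credentials are the placeholders from the question.

```php
<?php
// Added example, not the asker's original code. Assumes table `users`
// (columns `username`, `pass`) where `pass` stores a password_hash() result.

// Make mysqli throw on errors so a failed prepare()/execute() is never
// silently treated as "0 rows" (the symptom in the question).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials copied from the question; replace in real use.
$mysqli = new mysqli('localhost', 'root', 'password', 'accounts');

/**
 * Store a new user with a properly hashed password (registration side).
 * Never stores the plaintext or an MD5 digest.
 */
function register_user(mysqli $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT is currently bcrypt and includes a per-user salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (username, pass) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

/**
 * Verify a login attempt. Returns true only if the user exists and the
 * submitted password matches the stored hash.
 */
function login_user(mysqli $db, string $username, string $password): bool
{
    // The username travels as a bound parameter, never as part of the SQL
    // text, so input such as "' or 1=1 or ''='" is matched literally as a
    // username instead of rewriting the WHERE clause.
    $stmt = $db->prepare('SELECT pass FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;   // unknown user
    }

    // password_verify() reads the algorithm and salt out of the stored hash
    // and does a constant-time comparison; the query itself never sees the password.
    return password_verify($password, $storedHash);
}

if (isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    if (login_user($mysqli, (string) $_POST['username'], (string) $_POST['password'])) {
        echo "Login Success!";
    } else {
        echo "Login Failed";
    }
    exit();
}
```

Two design points worth noting. The query selects only the stored hash for the given username and leaves the password comparison to `password_verify()`; putting the hash into the `WHERE` clause would force a fixed, unsalted scheme like MD5, which is exactly what the comments advise against. And because `mysqli_report()` is set to throw, a failed statement surfaces as an exception rather than a misleading "0 rows" result, which makes the kind of problem in the question much easier to diagnose.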
