Nothing Happened when i put right and wrong password

Question

why nothing happened when i put the correct email, but whatevet i put correct or incorrect password the program still not doing anything. It's like the program not checked the password, can you help me ?

This my login.php

    <?php

    if ($_SERVER['REQUEST_METHOD']=='POST') {

        $email = $_POST['email'];
        $password = $_POST['password'];

        require_once 'connect.php';

        $sql = "SELECT * FROM user WHERE email='$email' ";

        $response = mysqli_query($conn, $sql);

        $result = array();
        $result['login'] = array();

        if ( mysqli_num_rows($response) === 1 ) {
            $row = mysqli_fetch_assoc($response);


            if ( password_verify($password, $row['password']) ) { // I Think The Problem At This but i still don't know.
                echo $password;

                $index['name'] = $row['name'];
                $index['email'] = $row['email'];
                $index['id'] = $row['id'];

                array_push($result['login'], $index);

                $result['success'] = "1";
                $result['message'] = "success";
                echo json_encode($result);

                mysqli_close($conn);

            } else {

                $result['success'] = "0";
                $result['message'] = "error";
                echo json_encode($result);

                mysqli_close($conn);

            }

        }

    }

    ?>

This my SignInActivity.java // or at this the problem is ?

public class SignInActivity extends AppCompatActivity {

    private EditText email,password;
    private Button login;
    private TextView link_regist;
    private static String URL_LOGIN = "https://awalspace.com/app/imbalopunyajangandiganggu/login.php";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_sign_in);

        email = findViewById(R.id.titEmail);
        password = findViewById(R.id.titPassword);
        login = findViewById(R.id.btnSignIn);
        link_regist = findViewById(R.id.tvToSignUp);

        login.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                String mEmail = email.getText().toString().trim();
                String mPassword = password.getText().toString().trim();

                if(!mEmail.isEmpty() || !mPassword.isEmpty())
                {
                    login(mEmail,mPassword);
                }
                else{
                    email.setError("Silahkan Masukkan Email");
                    password.setError("Silahkan Masukkan Password");
                }
            }
        });
    }

    private void login(final String email, final String password) {
        StringRequest stringRequest = new StringRequest(Request.Method.POST, URL_LOGIN,
                new Response.Listener<String>() {
                    @Override
                    public void onResponse(String response) {
                        try {
                            JSONObject jsonObject = new JSONObject(response);
                            String success = jsonObject.getString("success");
                            JSONArray jsonArray =jsonObject.getJSONArray("login");

                            if (success.equals("1")){
                                for (int i = 0; i < jsonArray.length(); i++){
                                    JSONObject object = jsonArray.getJSONObject(i);

                                    String name = object.getString("name").trim();
                                    String email = object.getString("email").trim();
                                    Toast.makeText(SignInActivity.this, "Success Login. \n Your Name : "+name+"\nYour Email : "+email,Toast.LENGTH_SHORT).show();
                                }
                            }
                        } catch (JSONException e) {
                            e.printStackTrace();
                            Toast.makeText(SignInActivity.this, "Error "+e.toString(),Toast.LENGTH_SHORT).show();
                        }
                    }
                },
                new Response.ErrorListener() {
                    @Override
                    public void onErrorResponse(VolleyError error) {
                        Toast.makeText(SignInActivity.this, "Error "+error.toString(),Toast.LENGTH_SHORT).show();
                    }
                })
        {
            @Override
            protected Map<String, String> getParams() throws AuthFailureError {
                Map<String, String> params = new HashMap<>();
                params.put("email",email);
                params.put("password",password);
                return params;
            }
        };
        RequestQueue requestQueue = Volley.newRequestQueue(this);
        requestQueue.add(stringRequest);
    }
}

Answer 1

Partial answer:

First off

You are open to SQL injection. You should parameterize your query.

Parameterized queries in PHP with MySQL connection

Second

You can add the password to your query so you don't have to do a 2nd check, if you store the passed password in the DB, or you can hash your password first then use it in your query. That avoids getting more user data than necessary (with the associated possible leaking of data) and avoids needing a second method to find the correct user. This is shown in the link above.

If you store a salt in the DB, I can understand why you need the 2nd method, but you might be able to salt the password in the SQL, via a SQL function. Since you don't include the code for password_verify, we have no way to know what you're actually doing there, so I'm keeping this as basic as I can. (My philosophy is to keep things simple until complications are required.)

Third

Even if you are getting all the columns in that table, specify the column names you need. You might end up adding to that table later, which would cause this query to pull more data than it needs, again.

Fourth

Since you already have the email, which is one of the parameters of the query, you don't need to get it from the DB.

FYI, the link above adds each parameter individually, but mysqli_stmt_bind_param can do them all in one shot.

Object oriented style

mysqli_stmt::bind_param ( string $types , mixed &$var1 [, mixed &$... ] ) : bool

Procedural style

mysqli_stmt_bind_param ( mysqli_stmt $stmt , string $types , mixed &$var1 [, mixed &$... ] ) : bool
...
types

A string that contains one or more characters which specify the types for the corresponding bind variables:
...

https://www.php.net/manual/en/mysqli-stmt.bind-param.php

$stmt = mysqli_prepare($dbc, "SELECT name, id FROM users WHERE email= ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $email, $password); // or use a hash from a method instead of $password
mysqli_stmt_execute($stmt);
$row = mysqli_stmt_fetch($stmt);

This should pull just the one user, unless it doesn't pull any users, so you should have a clear indication of whether this user has access to your site/data/whatever or not. I would suggest sending an actual success message that you can recognize as something a little more specific to you, rather than the generic message you have right now. I understand you're still in testing phase, so it's something to think about later, if you hadn't already.

I would also suggest sending an HTTP 401 message back if $row is null. That way it's 100% guaranteed that your client software understands what happened as well as not giving any specifics as to why it failed. You can still tell the user something more meaningful, such as "Email and Password Combination Not Recognized". Also, don't specify if the email or the password is wrong, since this can lead to easier brute force hacking. There's a lot of contention around this idea of prompts, so I'll let you do your own research and make up your mind about it.

Whether your Java code is correctly sending the login credentials to your PHP server, IDK. I'm rusty on that, so I'll let someone else chime in, and why I'm saying this is a partial answer. At least this answer should get your PHP on the right track.