Logging in without using password and username

Question

I am able to login to my user page and admin page without giving password and username. when usertype is selected and click on login both are getting loggedin. here is my login.php code

<?php
$servername="SERVER";
$username="USER";
$password="PWD";
$dbname="DB";
$conn = mysqli_connect($servername, $username, $password, $dbname);
echo("conneciton");
if(isset($_POST['Login'])){
$user=$_POST['user'];
$pass = $_POST['pass'];
$usertype=$_POST['usertype'];
$query = "SELECT * FROM multiuserlogin WHERE username='".$user."' and password = '".$pass."' and usertype='".$usertype."'";
$result = mysqli_query($conn, $query);
if($result){
while($row=mysqli_fetch_array($result)){
echo'<script type="text/javascript">alert("you are login successfully and you are logined as ' .$row['usertype'].'")</script>';

}
if($usertype=="admin"){
?>
<script type="text/javascript">
window.location.href="index.php"</script>
<?php

}else{
?>
<script type="text/javascript">
window.location.href="user.php"</script>
<?php

}
}else{
echo 'no result';
}
}

?>


<html>

<head>
<!-- title and meta -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>admin</title>
   <!-- /title and meta -->
   <script src="js/jquery.js"></script>
    <!-- Bootstrap -->
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->

    <!-- Include all compiled plugins (below), or include individual files as needed -->
    <script src="js/bootstrap.min.js"></script>
     <link href="css/adminindex.css" rel="stylesheet"> 
</head>
<body class='bg-image'>
    <center><div class="col-md-4 col-sm-4 col-xs-10 formclass">
<form action="" method="post" name="Login_Form">
 <table>
<tr>
      <td colspan="2" align="left" valign="top"><h3>Login</h3></td>
    </tr>
    <tr>
<td  valign="top">Username:</td><td><input type="text" name="user" placeholder="enter your username"
 </td>
</tr>
<tr>
<td >Password:</td><td><input type="text" name="pass" placeholder="enter your password"</td>
</tr>
<tr>
<td>
Select user type:</td><td> <select name="usertype">

<option value="admin">admin</option>
<option value="user">user</option>
</select>
</td>
</tr>
<tr>
<td><input type="submit" name="Login" value="Login"></td>
</tr>
</table>
       </form>   </div>

 </center>
</body>
</html>

my database table name is multiuserlogin and column are username password usertype Please help me on this, i need to verify my username password and then only able to login

Check in your table there having some blank username/password data. Also check result count with ```mysqli_num_rows()```. and please perform validation before submit — Praveen Gehlot, Feb 14 '20 at 07:59
Make sure you have valid code, an IDE might help you. Currently your ``. And please read [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) — brombeer, Feb 14 '20 at 08:14
**Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) — Dharman, Feb 29 '20 at 15:53
**Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) — Dharman, Feb 29 '20 at 15:53

Robin Gillitzer · Accepted Answer · 2020-02-14T08:47:10.913

0

Your if statement

if($result){

is always true, because it contains the query not the results. So you are logged in as the usertype you have selected.

Adjust the db information and try this out:

$conn = new mysqli("SERVER", "USER", "PWD", "DB");

if (!$conn->connect_error) {
  echo("connected");

  if(isset($_POST['Login'])){
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    $query = "SELECT * FROM multiuserlogin WHERE username='".$user."' and password = '".$pass."' LIMIT 1";
    $result = $conn->query($query);
    $logged_user = $result->fetch_array(MYSQLI_ASSOC);
    $conn->close();

    if(is_array($logged_user) && $logged_user['username'] == $user)  {
      echo '<script type="text/javascript">alert("you are login successfully and you are logined as ' . $logged_user['usertype'] .'")</script>';
      if($logged_user['usertype'] == "admin"){
        echo '<script type="text/javascript">window.location.href="index.php"</script>';
      } else {
        echo '<script type="text/javascript">window.location.href="user.php"</script>';
      }
    } else {
    echo 'no result';
    }
  }
}

Dont forget to validate for preventing SQL injections.

edited Feb 14 '20 at 08:47

answered Feb 14 '20 at 08:08

Robin Gillitzer

1,603
1
6
17

1

Why should OP try this out? What was wrong? What did you change? – brombeer Feb 14 '20 at 08:12
Its working but both user and admin is going to index.php – arishma Feb 14 '20 at 08:35
What is the content of the alert if you are logged in as user? – Robin Gillitzer Feb 14 '20 at 08:47
The content i am getting is 'you are login successfully and you are logined as admin' – user94 Feb 14 '20 at 08:51
Content that i am also getting is "you are login successfully and you are logined as admin" – arishma Feb 14 '20 at 08:53
Please add print_r($logged_user); above $conn->close(); and show your output. Have you checked the database? No duplicate entries for one user? – Robin Gillitzer Feb 14 '20 at 08:57
**Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Feb 29 '20 at 15:53
**Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Feb 29 '20 at 15:53

Logging in without using password and username

1 Answers1