
I have this user sign-in script using a PHP prepared statement, but it is not working. I have tried to switch values but it is still not working. Sometimes I get a "user does not exist" error, sometimes just a blank page with the redirected link.


```php
if(isset($_POST['login'])){

    require 'dbh.php';

    $mail = $_POST['email'];
    $pwd = $_POST['password'];

    if (empty($mail) || empty($pwd)) {
        header("Location: ../login.php?error=empty");
        exit();
    } else {
        // Two placeholders in the query, bound below with "ss"
        $sql = "SELECT * FROM users WHERE id=? OR email=?;";
        $stmt = mysqli_stmt_init($db);
        if (!mysqli_stmt_prepare($stmt, $sql)) {
            header("Location: ../login.php?error=error");
            exit();
        } else {
           mysqli_stmt_bind_param($stmt, "ss", $mail, $pwd);
           mysqli_stmt_execute($stmt);
           $result = mysqli_stmt_get_result($stmt);

           if ($row = mysqli_fetch_assoc($result)){
                // Compare the submitted password against the stored hash
                $pwdCheck = password_verify($pwd, $row['password']);
                if($pwdCheck == false) {
                    header("Location: ../login.php?error=wrongPassword");
                    exit();
                } else if ($pwdCheck == true) {
                   session_start();
                   $_SESSION['uId'] = $row['id'];
                   $_SESSION['username'] = $row['username'];

                    header("Location: ../profile/index.php?success");
                    exit();
                }
           }
        }
    }

} else {
    header("Location: ../login.php");
    exit();
}
```

1 Answer


I can see many mistakes in your code.

  1. It seems like you have missed entering the id param in the query. Here you have mentioned id & email: "SELECT * FROM users WHERE id=? OR email=?;"

     But here (mysqli_stmt_bind_param($stmt, "ss", $mail, $pwd);) you are binding $mail and password and not id and email.

  2. You have used an extra semicolon ($sql = "SELECT * FROM users WHERE id=? OR email=?;";)
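For reference, here is how the login flow described in this thread looks once the query and its bound parameters match. This is an added example, not the asker's or the answerer's code; it assumes dbh.php defines a mysqli connection in $db and that the `users` table has columns id, email, username and password (a password_hash() value).

```php
<?php
// Added example. Assumes dbh.php provides a mysqli connection $db and a
// `users` table with columns id, email, username, password (a password_hash() value).
session_start();

if (!isset($_POST['login'])) {
    header("Location: ../login.php");
    exit();
}

require 'dbh.php';

$mail = $_POST['email'] ?? '';
$pwd  = $_POST['password'] ?? '';

if ($mail === '' || $pwd === '') {
    header("Location: ../login.php?error=empty");
    exit();
}

// Look the user up by email only: one placeholder, one bound value, one type char.
// The submitted password is never sent to the database; it is checked against the hash.
$sql  = "SELECT id, username, password FROM users WHERE email = ?";
$stmt = mysqli_stmt_init($db);
if (!mysqli_stmt_prepare($stmt, $sql)) {
    header("Location: ../login.php?error=error");
    exit();
}
mysqli_stmt_bind_param($stmt, "s", $mail);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // null when no row matched

// One generic failure for both "no such user" and "wrong password", so the
// redirect does not reveal which email addresses are registered.
if ($row === null || !password_verify($pwd, $row['password'])) {
    header("Location: ../login.php?error=invalid");
    exit();
}

// Successful login: issue a fresh session id before storing identity in the session.
session_regenerate_id(true);
$_SESSION['uId']      = $row['id'];
$_SESSION['username'] = $row['username'];

header("Location: ../profile/index.php?success");
exit();
```

Because session_start() now runs before any header() call, the blank-page symptom from headers being sent after output is also avoided.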