-1

I've been stuck in this problem for two weeks. I have a flutter app and I'm trying a simple login with a username and password and I'm checking if there's a match to the username and password in the data base. I'm using php as a back-end but it seems that php can't see the post request body at all. I tried it at postman and even if the username and password are correct it always gives me "Invalid Username or password please try again". I think that it returns an empty response but I don't know why.

the status code= 200.

php code:

    <?$con = include "conn.php";
    $json = file_get_contents('php://input');
   $obj = json_decode($json);

    $username = $obj['username'];

  $password = $obj['password'];

  $loginQuery = "select * from user where username = '$username' andpassword = '$password' ";

 $check = mysqli_fetch_array(mysqli_query($con,$loginQuery));

if(isset($check)){
    
     $onLoginSuccess = 'Login Matched';
     
     $SuccessMSG = json_encode($onLoginSuccess);
     
     echo $SuccessMSG ; 
 
 }
 
 else{
    $InvalidMSG = 'Invalid Username or Password Please Try Again' ;
     
    $InvalidMSGJSon = json_encode($InvalidMSG);
     
     echo $InvalidMSGJSon ;
 
 }

 mysqli_close($con);
?>

Also when I print the $obj or $username to see what it has, it gives nothing.

Thanks if you made it so far and sorry for the long text. i will be very thankful if someone save me.

Reem
  • 31
  • 6
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 15 '21 at 21:34
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Oct 15 '21 at 21:34
  • Inspect your variables, one by one, never assume they hold the data you expect. Never `echo` for debugging, always use `var_dump` or similar to see what is really in there. Turn on PHP and MySQL error reporting. Although I agree about the injection and password problems, you should be able to take that generated SQL and test it in an SQL tool to see the results. – Chris Haas Oct 16 '21 at 14:35
  • Thank you. I'm new to php but I'll take that in consideration. – Reem Oct 18 '21 at 11:13

1 Answers1

0

I solved that. Basically I just created a new user table and it worked like magic.

Reem
  • 31
  • 6