password_verify() is not working: my login page returns "invalid login credentials". The following code is the one using password_verify. Is there any error?

<?php
include("configure2.php");
session_start();
if(isset($_POST["signin"]))
{
    $login=$_POST["mail"];
    $pas=$_POST["passwd"];
    $query="select * from signup where(Gmail='$login');";
    $res=mysqli_query($con,$query);
    $numRows=mysqli_num_rows($res);
    if($numRows==1)
    {
        $row=mysqli_fetch_assoc($res);
        if(password_verify($pas,$row['Passwd']))
        {
            $_SESSION["login_sess"]="1";
            $_SESSION["login_email"]=$row['Gmail'];
            header("location:main.html");
        }
        else
        {
            header("location:signin.php?loginerror=".$login);
        }
    }
    else
    {
        header("location:signin.php?loginerror=".$login);
    }
}
?>

Not sure what SQL engine uses parentheses for a where clause…

Hmm fine😌

What happens? Does it not find a row that matches the email address, or does the password not match? You go to the same error page for both faults, so have you debugged it to see which one it’s actually failing on? Presumably you’ve also checked that you’re getting the correct variables in from the form, and that your database column is big enough to store a hashed password that password_hash() creates, and that all your column names are correct?

Strictly speaking, you need an exit() after each of those header redirects, otherwise execution will continue. You should also be using Prepared Statements instead of concatenating the user-supplied form data as you do here.

Do you have php’s error_reporting set to E_ALL and display_errors set to ON, preferably in the php.ini on your development system, so that php would help you by reporting and displaying all the errors it detects?

The error in your previous thread, concerning a variable letter-case mismatch and the problem in this thread, a likely column name mismatch, would be producing php errors that would help YOU find what’s causing the problem. In your insert query, the column name being used is Psswd. In this code, you are using ‘Passwd’ in the fetched data.

You also have a whole bunch of other inconsistencies between the naming of things in your previous thread and this one that could be causing the code to not work (for which there would be php errors to help you.)

Here’s a laundry list of things you should/should-not be doing -

  1. You need to detect if a post method form was submitted before referencing any of the form data.
  2. If you have more than one form on a page, use a hidden field with a unique value to control which form processing code to run.
  3. Don’t copy variables to other variables for nothing. Just use the original variables.
  4. Don’t use different names and different letter-cases for the same piece of data. This is just more work for you in keeping track of the different names. You are using ‘mail’, ‘login’, and ‘Gmail’ for the email address. Using ‘passwd’, ‘pas’, and either ‘Passwd’ or just ‘Psswd’ for the password.
  5. You need to trim, then validate all inputs before using them, storing user/validation errors in an array (like you were doing in the previous thread), using the field name as the main array index.
  6. If you list out the columns you are SELECTing it helps prevent mistakes and in this case would tell us what your column names and their letter-case actually are.
  7. You need to ALWAYS use a prepared query when supplying external, unknown, dynamic values to the query when it gets executed. If it seems like the mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries, it is. This would be a good time to switch to the much simpler and more modern PDO extension.
  8. You ALWAYS need to have error handling for statements that can fail. For database statements that can fail - connection, query, prepare, and execute - the simplest way of adding error handling, without adding logic at each statement, is to use exceptions for errors (this is the default setting now in php8+) and in most cases simply do nothing in your code and let php catch and handle the exception, where php will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors.)
  9. Your form processing code and form should be on the same page (like in your previous thread.) This results in the simplest code, that’s easier to secure, that provides the best user experience.
  10. The only user data you should store in a session variable upon successful login is the user id (autoincrement primary index.) You should query on each page request to get any other user data.
  11. The only redirect your post method form processing should have should be upon successful completion of the code and it should be to the exact same URL of the current page to cause a get request for that page.
  12. As already stated, every redirect needs an exit/die statement to stop php code execution.
  13. If you want to display a one-time success message, store it in a session variable, then test, display, and clear that variable at the appropriate location in the html document.
  14. When ‘failure’ conditional logic is shorter than the ‘success’ conditional logic, if you invert the condition being tested and put the ‘failure’ logic first, it makes your code easier to follow.
  15. Temporarily, for debugging, echo a specific message in the conditional logic for the case of the email not matching and the password not matching so that you can determine which one is failing.
  16. By putting the form processing and the form on the same page, you can repopulate the form field values with the existing form data so that the user doesn’t need to keep reentering values.
  17. Any dynamic value you output in an html context should have htmlentities applied to it to help prevent cross site scripting.
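
The login handler rewritten along the lines of the two replies above (prepared query, exit after the redirect, exception-based error handling, only the user id in the session), as an added example that is not the original poster's code. It assumes a PDO connection with placeholder credentials and a `signup` table with columns `id`, `Gmail` and `Psswd`; the thread itself notes the real column names and letter-case are inconsistent, so adjust them to the actual schema.

```php
<?php
// Added example (not the original poster's code): the login flow rewritten
// along the lines of the advice in this thread. Assumed: a PDO connection
// with placeholder credentials and a `signup` table with columns `id`,
// `Gmail`, `Psswd` (the thread notes the real names/case are inconsistent).
declare(strict_types=1);
session_start();

// PDO set to throw on failure (point 8): no per-statement error checks needed.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4', // placeholder
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$errors = [];

// Point 1: only touch form data once a POST form was actually submitted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Point 5: trim, then validate, keyed by field name (never trim a password).
    $mail   = trim($_POST['mail'] ?? '');
    $passwd = $_POST['passwd'] ?? '';
    if ($mail === '')   { $errors['mail']   = 'Email is required.'; }
    if ($passwd === '') { $errors['passwd'] = 'Password is required.'; }

    if (!$errors) {
        // Point 7: prepared query; point 6: name the columns explicitly.
        $stmt = $pdo->prepare('SELECT id, Psswd FROM signup WHERE Gmail = ?');
        $stmt->execute([$mail]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);

        // One generic message for both "no such email" and "wrong password";
        // use the two distinct debugging echoes from point 15 only while developing.
        if ($user === false || !password_verify($passwd, $user['Psswd'])) {
            $errors['login'] = 'Invalid login credentials.';
        } else {
            session_regenerate_id(true);                    // fresh id after login
            $_SESSION['user_id'] = (int) $user['id'];       // point 10: id only
            header('Location: ' . $_SERVER['REQUEST_URI']); // point 11: same URL
            exit;                                           // point 12: stop here
        }
    }
}
// The form on this same page (points 9, 16, 17) would then show $errors and
// repopulate the email field via htmlentities($mail, ENT_QUOTES, 'UTF-8').
```

The `Psswd` column must be wide enough for the string `password_hash()` produces (the reply above raises this), or `password_verify()` will fail against a truncated hash.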

Thanks😌
