Ok. It looks like your friend knows a little bit of what he's doing, but it's not entirely correct. The first issue I can already see is the $_POST variables that are just sitting there. If this file gets accessed directly, then you'll get an Undefined Index error message pertaining to those 2 $_POST variables. For this, you need to check whether or not the request was through a
The second thing I can see that is dangerous and wrong is that the passwords are stored as plain text. Since you said you don't code professionally, I will give you the benefit of the doubt and explain to you why this is dangerous and wrong.
So many moons ago when PHP was first created and no one really cared about security, people used to create their own ways of dealing with passwords. Some used to just store them as plain text. Plain text means that they are being stored as you see them. So for example, if the password is something like password123, that's exactly what you see in the database. There's nothing to protect them. If a hacker was able to get into your database and look at those passwords, then you are screwed.
A while back, Reddit had a huge backlash because of this exact problem. What they thought was to store user passwords as plain text so that it would be easier for the user to see when they requested a password reset. However, when their database was hacked, the entire user base was at risk. Well, beyond at risk. They were screwed. If you used the same email and passwords for other sites, then good game.
Others have learned to use password hashing algorithms.
Password hashing algorithms are by their nature an extremely difficult topic to get into. They also call this
Cryptography requires a huge amount of knowledge in security and the different algorithms that exist today. This isn't your type of "Hey, let's mash this password with that password". No. You have to understand how many bytes are required to make a strong hashing algorithm, you have to understand what length is required for one, and so forth. The topic is out of this range for you and me because even if you "think" you have created a strong password hashing algorithm, it's actually going to be super weak compared to one that cryptography experts make. I don't want to go too deep into this because you won't understand it, so I'll just suggest you use the default
The next problem I can see is that you are trying to use
fetch_assoc isn't part of
stmt is prepared statements.
There are more problems, but I'll just let that information sink in first.
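The three points above (check the request method before touching $_POST, never store plain-text passwords, and use prepared statements correctly) put together in one login handler. This is an added example, not the poster's or their friend's code. It assumes a MySQL table named `users` with columns `id`, `username` and `password_hash`, placeholder database credentials, and that the mysqlnd driver is installed so `mysqli_stmt::get_result()` is available.

```php
<?php
// Added example: a minimal register/login handler using PHP's built-in
// password hashing API and mysqli prepared statements.
// Assumptions: table users(id, username, password_hash); mysqlnd driver
// present; the connection credentials below are placeholders.

declare(strict_types=1);

// 1. Only handle real form submissions. A direct GET request exits here,
//    so $_POST is never read and no "Undefined index" notice is raised.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    http_response_code(400);
    exit('Missing credentials');
}

// Placeholder credentials; replace with your own configuration.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// 2. Registration stores only a hash. password_hash() with PASSWORD_DEFAULT
//    (currently bcrypt) generates a random salt and embeds salt, cost and
//    algorithm in the returned string, so that string is all you keep.
function register_user(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Login looks the user up with a prepared statement (user input is bound,
//    never concatenated into SQL) and checks the password with
//    password_verify() instead of comparing strings with ==.
function login_user(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();

    // fetch_assoc() belongs to mysqli_result, not mysqli_stmt: fetch the
    // result set from the statement first, then read a row from it.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PHP's default cost or algorithm has changed since the user
    // registered, upgrade the stored hash while we still have the password.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->bind_param('ss', $newHash, $username);
        $upd->execute();
        $upd->close();
    }
    return true;
}

// Same generic message for "no such user" and "wrong password", so the
// response does not reveal which usernames exist.
echo login_user($db, $username, $password) ? 'Login OK' : 'Invalid username or password';
```

The stored value in `password_hash` is the full string returned by `password_hash()` (about 60 characters for bcrypt), so the column should be at least `VARCHAR(255)` to leave room for future algorithms. Nothing in this file ever writes the plain-text password anywhere, which is the property the post is asking for.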