I am unable to log in to my dashboard page with my query with PHP and MySQLi. Any help will be appreciated, thanks.


What I have tried:

if(isset($_POST['email']) && isset($_POST['password'])){

    $sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) === 0) {

        $row = mysqli_fetch_assoc($result);

        if ($row['email'] === $email && $row['password'] === password_verify($password, $hash_password)) {

            echo "Logged in!";

            $_SESSION['email'] = $row['email'];
            $_SESSION['vendor_name'] = $row['vendor_name'];
            $_SESSION['id'] = $row['id'];

            header("Location: dashboard.php");

            echo "welcome";
            echo $_SESSION['vendor_name'];

            exit();
        }
        else{
            echo "Incorrect credentials";
        }
    }
}

?>
Posted
Updated 18-May-23 21:40pm
Comments
Member 15627495 18-May-23 13:59pm    
Hello!

$row['password'] === password_verify($password, $hash_password) // the right-hand operation returns a boolean,
// which makes the equality hard. A password is expected, and the compared values could be 1 or 0

Quote:
PHP
$sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";
Problem 1:
Your code is vulnerable to SQL Injection. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.
PHP: SQL Injection - Manual

Problem 2:
Your query only returns records where the password stored in the database matches the plain-text password entered by the user. That suggests you are storing the passwords in plain-text, which is extremely bad.

Quote:
PHP
$row['password'] === password_verify($password, $hash_password)
Problem 3:
You appear to be generating a hash of the password which the user has just entered, and then verifying that the password they just entered matches that hash. Essentially, you are testing that the password they just entered is the same as the password they just entered - a meaningless comparison.

Problem 4:
As pointed out in the comments, password_verify returns a bool. So unless the password is literally "true", that test can never pass.


You need to completely re-think your approach:
  • When the user signs up, or resets their password, use password_hash to generate a salted hash of the plain-text password. Store that hash in the database, never the plain-text password.
  • When the user logs in, select the record by username alone. Then pass the plaintext password they entered and the stored password hash from the database record to the password_verify method to ensure they match.
  • And for the love of Codd, use parameterized queries!

PHP: password_hash
PHP: password_verify
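The flow the answer above describes, as an added example that is not code from the question or from either answer. It assumes `$conn` is an open mysqli connection built on mysqlnd (so `get_result()` is available) and that the `vendors` table has columns `id`, `vendor_email`, `vendor_name` and `password`, where `password` holds a `password_hash()` result rather than plain text; the `register_vendor`, `dummy_hash` and `authenticate_vendor` function names are this example's own.

```php
<?php
// Added example, not code from the question or either answer. It implements
// the flow described above (hash on sign-up, select by e-mail only, verify with
// password_verify, parameterized queries) with mysqli prepared statements.
// Assumptions: $conn is an open mysqli connection (mysqlnd, so get_result()
// is available), and the `vendors` table has columns id, vendor_email,
// vendor_name and password, where `password` stores a password_hash() result.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions
session_start();

/** Sign-up or password reset: store only the salted hash, never the plain text. */
function register_vendor(mysqli $conn, string $email, string $name, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt today; upgradable later
    $stmt = $conn->prepare(
        'INSERT INTO vendors (vendor_email, vendor_name, password) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $email, $name, $hash);
    $stmt->execute();
    return (int) $conn->insert_id;
}

/** A valid hash of a throwaway password, computed once per process (assumed constant). */
function dummy_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
}

/** Login: look the account up by e-mail alone, then let password_verify() decide.
 *  Returns the vendor row (without the hash) on success, null otherwise. */
function authenticate_vendor(mysqli $conn, string $email, string $password): ?array
{
    $stmt = $conn->prepare(
        'SELECT id, vendor_email, vendor_name, password FROM vendors WHERE vendor_email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email); // bound as data; a quote or comment in $email cannot alter the SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc() ?: null;

    // Unknown e-mail: still run password_verify() against a dummy hash so the
    // response time does not reveal whether the account exists.
    $stored = $row['password'] ?? dummy_hash();
    $ok = password_verify($password, $stored);
    if ($row === null || !$ok) {
        return null;
    }

    // Transparent upgrade when the stored hash uses an older algorithm or cost.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $conn->prepare('UPDATE vendors SET password = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $row['id']);
        $upd->execute();
    }

    unset($row['password']); // the hash has no business in the session or templates
    return $row;
}

if (isset($_POST['email'], $_POST['password'])) {
    $vendor = authenticate_vendor($conn, (string) $_POST['email'], (string) $_POST['password']);

    if ($vendor === null) {
        // One message for both "no such e-mail" and "wrong password".
        echo 'Incorrect credentials';
    } else {
        session_regenerate_id(true); // fresh session ID on login, against session fixation
        $_SESSION['id'] = $vendor['id'];
        $_SESSION['email'] = $vendor['vendor_email'];
        $_SESSION['vendor_name'] = $vendor['vendor_name'];
        header('Location: dashboard.php');
        exit(); // nothing may be echoed after the redirect header
    }
}
```

Two details worth checking in your own code against this example: the query selects `vendor_email`, so the fetched row is `$row['vendor_email']`, not `$row['email']`; and the `echo` calls placed after `header("Location: ...")` in the question never reach the user and should simply be dropped before the `exit()`.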
PHP
if(isset($_POST['email']) && isset($_POST['password'])){

    $sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) === 0 and count($result) === 1 ) { // one option by 'metadata'. Only admin has it.

        $row = mysqli_fetch_assoc($result);

        if ($row['email'] === $email ) { // another test, but the first was very good!

            echo "Logged in!";

            $_SESSION['email'] = $row['email'];
            $_SESSION['vendor_name'] = $row['vendor_name'];
            $_SESSION['id'] = $row['id'];

            header("Location: dashboard.php");

            echo "welcome";
            echo $_SESSION['vendor_name'];

            exit();
        }
        else{
            echo "Incorrect credentials";
        }
    }
}

?>


You just made a misuse of 'password_verify' [logical error], but you pipe well to reach your 'as admin' credential.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900