
Ok, I know this is the wrong way; I haven't implemented salt and other small security tips, but now I need to understand what the problem is here, then I can implement other secure functions in the script. Thanks for the help :) When I run this, the script returns Login Error. I can understand why: I print the password $_POST['password'] and it is the same as in the database, but when I try to print $col2 (the password fetched from the database) it returns nothing. Here is the code:

<?php

$mysqli = new mysqli("localhost", "root", "*******", "test");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
/* $username and $password are expected to hold the posted form values
   (the question mentions $_POST['password']); they are not assigned in this snippet */
/* prepare statement */
if ($stmt = $mysqli->prepare("SELECT username, password FROM users WHERE username=? AND password=?")) {
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    /* bind variables to prepared statement */
    $stmt->bind_result($col1, $col2);
    $stmt->store_result();
    /* fetch values: $col1/$col2 keep the last fetched row after the loop */
    while ($stmt->fetch()) {
        printf("%s %s\n", $col1, $col2);
    }

    /* the condition the question is about */
    if ($col1 && $col2 == $username && $password) {
        $_SESSION['Admin']; //test - not to be implemented
        session_start(); //Test - not to be implemented
        header("location index2.php");
    } else {
        echo "Login Error";
    }
    /* close statement */
    $stmt->close();
}
/* close connection */
$mysqli->close();
?>
  • $col1 && $col2 == $username && $password where did you see this kind of syntax? In fact you haven't provided us info about $username and $password. Where do you get them from? Are $username and $password the posted values? You are binding them, so it's from the user? How do you declare it? Commented Oct 31, 2013 at 13:24
  • When it comes to login script, then you should not try to create everything from scratch. There is so much that could go wrong. Commented Oct 31, 2013 at 13:29

4 Answers

if($col1 && $col2 == $username && $password){

This statement checks if $col1 is TRUE and $col2 == $username and $password is TRUE.

This condition will never be true and your script will always display that error message.

Consider the following example:

$username = $col1 = 'user';
$password = $col2 = 'pass';
var_dump($col1 && $col2 == $username && $password);

This returns bool(false).

So, to fix the issue, you can change your code as follows:

if($col1 == $username && $col2 == $password) {
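To make the precedence point of the answer above concrete, here is an added example (not code from the question or the answer) that can be run with the PHP CLI. It wraps the original condition and the corrected one in two functions and runs both over a few constructed credential pairs, including one where the original check passes with a wrong password.

```php
<?php
// Added example: how PHP parses the condition from the question, and the fix.
// `==` binds tighter than `&&`, so the original condition is really
//     $col1 && ($col2 == $username) && $password
// i.e. "row has a username, stored password equals the *username*, and a
// non-empty password was submitted". The submitted password is never compared.

function loginCheckOriginal(string $col1, string $col2, string $username, string $password): bool
{
    return $col1 && $col2 == $username && $password;
}

// Corrected condition from the answer: compare each column to its own input.
function loginCheckFixed(string $col1, string $col2, string $username, string $password): bool
{
    return $col1 == $username && $col2 == $password;
}

// Constructed sample rows: [stored username, stored password, posted username, posted password]
$cases = [
    ['user', 'pass', 'user', 'pass'],   // correct credentials
    ['user', 'pass', 'user', 'wrong'],  // wrong password
    ['user', 'user', 'user', 'wrong'],  // stored password equals username: original check passes anyway
];

foreach ($cases as [$col1, $col2, $username, $password]) {
    printf(
        "stored=(%s,%s) posted=(%s,%s)  original=%s  fixed=%s\n",
        $col1, $col2, $username, $password,
        var_export(loginCheckOriginal($col1, $col2, $username, $password), true),
        var_export(loginCheckFixed($col1, $col2, $username, $password), true)
    );
}
```

The first case prints `original=false fixed=true`, the second `original=false fixed=false`, and the third `original=true fixed=false`: with the original condition any non-empty password is accepted for an account whose stored password happens to equal its username. The fixed version still uses loose `==`; for real credential checks prefer `===`, or better `password_verify()` / `hash_equals()` on a stored hash, so that numeric-string coercion cannot make two different values compare equal.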


if($col1 && $col2 == $username && $password) what is it? :)

In PHP it means that if $col1 and $col2 have any value other than zero and $username and $password also have values other than 0 then it's OK.

You need to create something like

if($col1 == $username && $col2 == $password)

if you keep md5 hashes in db use

if($col1 == $username && $col2 == md5($password))

or do it in mysql that has md5 function too.

I have noticed that you start the session after printf("%s %s\n", $col1, $col2); which will cause 'headers already sent'.

$_SESSION['Admin']; this will also cause a notice because this variable is undefined.

And another problem is with the header() function. You can't print anything before this function because it will also cause 'headers already sent'.


Some obvious issues:

session_start(); must precede any $_SESSION variables use

header("location index2.php"); headers must be sent before any other stuff

header("location index2.php"); no colon after location


In addition to the problems that other people have noted in their answers, you are also mixing procedural mysqli statements and object-oriented mysqli statements.

Since you start by initializing a new mysqli(), you must follow the object oriented syntax.

Change mysqli_connect_errno() to $mysqli->connect_errno.

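The last three answers each fix one part of the script (hash comparison, session and header ordering, the missing colon in the Location header, and consistent object-oriented mysqli calls). Here is an added example, not the code of the question or of any answer, that applies all of them in one handler. The table and column names (`users`, `username`, `password`), the `Admin` session key and `index2.php` are taken from the question; the database credentials are placeholders, and the hash is assumed to have been stored with `password_hash()` (the modern replacement for the md5 suggested in one answer). Run from the CLI it exercises only the verification function with constructed values.

```php
<?php
// Added example: corrected login handler. Assumes the `password` column holds
// a password_hash() result, not plaintext or md5.

session_start();  // before any $_SESSION access and before any output

// Look up the stored hash by username only; the password is checked in PHP.
function findPasswordHash(mysqli $db, string $username): ?string
{
    $stmt = $db->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

// password_verify() reads the salt from the hash and compares in constant time.
// An unknown user still runs a verify against a dummy hash (constructed here)
// so response time does not reveal whether the username exists.
function credentialsValid(?string $storedHash, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $verified = password_verify($password, $storedHash ?? $dummyHash);
    return $verified && $storedHash !== null;
}

if (PHP_SAPI === 'cli') {
    // Offline demo with constructed values
    $hash = password_hash('pass', PASSWORD_DEFAULT);
    var_dump(credentialsValid($hash, 'pass'));   // bool(true)
    var_dump(credentialsValid($hash, 'wrong'));  // bool(false)
    var_dump(credentialsValid(null, 'pass'));    // bool(false): unknown user
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $mysqli = new mysqli("localhost", "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER", "test");
    if ($mysqli->connect_errno) {               // object-oriented style throughout
        http_response_code(500);
        exit("Connect failed: " . $mysqli->connect_error);
    }
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    $ok = credentialsValid(findPasswordHash($mysqli, $username), $password);
    $mysqli->close();

    if ($ok) {
        session_regenerate_id(true);            // fresh session id after login
        $_SESSION['Admin'] = $username;         // assign, not just reference
        header("Location: index2.php");         // colon after Location, nothing printed before
        exit;
    }
    echo "Login Error";                          // output only after the redirect decision
}
```

Nothing is echoed before `header()`, the session is started once at the top, and the query no longer puts the password in the WHERE clause, so the database never sees the plaintext and a mismatch is decided by `password_verify()` rather than by string equality.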
