
I'm currently working on a project for my PHP course. The project involves making both a login and a registration form, and validating their information using an SQL query. I have most of it working, but the page will let you log in if you type an email address from the database and put anything in the password field (regardless of whether it is correct). Here is the code that I have, with the code to display the form first, named 'login.php':

<?php
ini_set("display_errors","on");
error_reporting(E_ALL);   // E_STRICT has been part of E_ALL since PHP 5.4
// The keys double as the POST field names and as the $$field variables
// that the validator's extract() sets on a failed attempt.
$labels = array("email" => "Email:",
"password" => "Password:");
$submit = "Submit";
?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Login Form</title>
</head>

<body>
<h2>Login Form</h2>
<?php
// action='' posts back to whichever script served this form
echo "<form action='' method='POST'>";
foreach($labels as $field => $label)
{
    // $$field (e.g. $email) originates from the request, so it is escaped
    // before being written into an attribute.
    $value = isset($$field) ? htmlspecialchars((string)$$field, ENT_QUOTES, 'UTF-8') : '';
    if($field != "password")
    {
        echo("<div class='field'><label for='$field'>$label</label>
            <input type='text' name='$field' id='$field' value='$value'></div>\n");
    }
    else
    {
        // The password field is never pre-filled, so the submitted password
        // is not echoed back into the page.
        echo("<div class='field'><label for='$field'>$label</label>
            <input type='password' name='$field' id='$field' value=''></div>\n");
    }
}
echo"<div class='field'><input type='hidden' name='submitted' value='yes'>
    <input type='submit' name='submit' value='$submit'></div>";
?>
</body>
</html>

The following code is the validator:

<?php
ini_set("display_errors","on");
error_reporting(E_ALL);   // E_STRICT has been part of E_ALL since PHP 5.4
// Defines $host, $user, $passwd and $dbname. A .inc file is served as plain
// text by a default web server configuration, so keep it outside the web root.
include("dbinfo2.inc");
?>
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Untitled Document</title>
<link href="css/styles.css" rel="stylesheet" type="text/css" />
</head>

<body>
<?php
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes")
{
    $error_array = array();
    $good_data = array();
    $email_patt = "/^.+@.+\\..+$/";
    // Every POST field is inspected, including 'submitted' and 'submit'.
    foreach($_POST as $field => $value)
    {
        if(preg_match("/email/i",$field))
        {
            if(!preg_match($email_patt,$value))
            {
                $error_array[] = $field;
            }
        }
        if(preg_match("/password/i",$field))
        {
            if(empty($value))
            {
                $error_array[] = $field;
            }
        }
        // Note: trim() and strip_tags() are applied to the password as well,
        // so a password containing '<' or surrounding spaces can never match.
        $good_data[$field] = strip_tags(trim($value));
    }
    if(count($error_array) > 0)
    {
        $message = "<p class='error'>Your login information is incorrect.</p>";
        echo $message;
        extract($good_data);   // makes $email etc. visible to login.php
        // login.php emits a complete HTML document inside this <body>
        include("login.php");
        exit();
    }
    else
    {
        $cxn = mysqli_connect($host,$user,$passwd,$dbname) or die("Couldn't connect to server.");
        foreach($good_data as $field => $value)
        {
            $clean_data[$field] = mysqli_real_escape_string($cxn,$value);
        }
        // The escaped copy is the one that may be interpolated into SQL;
        // interpolating the unescaped $good_data would leave the escaping unused.
        $sql = "select * from customerdata where email='$clean_data[email]' and password='$clean_data[password]'";
        // $result holds the mysqli_result but is never inspected
        $result = mysqli_query($cxn,$sql) or die("<p class='error'>Login information is invalid.</p>");
        include("success.php");
    }
}
else
{
    include("login.php");
}
?>
</body>
</html>

What do I need to change to make this function correctly?

  • You shouldn't iterate over the POST values; use a proper name for the input and just check the value against the database. You're just complicating it. For a production site you would never do it this way: you don't store passwords, you store salted hashes. Commented Apr 15, 2015 at 20:30

1 Answer


Your success/failure condition shouldn't be the result of the mysqli_query call. That will just indicate whether the query executed successfully or not. (http://php.net/manual/en/mysqli.query.php)

Your login is always succeeding because your query is syntactically valid and runs without errors.

You'll want to check the number of returned rows to confirm that there is exactly one.
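The row-count check the answer describes, together with the salted-hash storage the comment mentions, written out as an added example. This is not the question's or the answer's code. It assumes the `customerdata` table has a `password_hash` column filled by `password_hash()` (the question's table stores plaintext in `password`, which would have to be migrated first), that `dbinfo2.inc`, `login.php` and `success.php` are the files from the question, and that the mysqlnd driver is present so `mysqli_stmt::get_result()` is available.

```php
<?php
// Added example (not the question's or the answer's code): a login check that
// counts matching rows and verifies a salted hash instead of trusting the
// return value of mysqli_query(). Assumes a `password_hash` column filled by
// password_hash(); the question's table stores plaintext in `password`.
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Registration side: store a salted hash, never the password itself.
function storeNewUser(mysqli $cxn, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt with a random salt
    $stmt = $cxn->prepare("INSERT INTO customerdata (email, password_hash) VALUES (?, ?)");
    $stmt->bind_param("ss", $email, $hash);
    $stmt->execute();
}

// Login side. Returns true only when exactly one row matches the email AND
// the submitted password verifies against that row's stored hash.
function authenticate(mysqli $cxn, string $email, string $password): bool
{
    // Select by email only: the password never appears in the SQL at all.
    $stmt = $cxn->prepare("SELECT password_hash FROM customerdata WHERE email = ? LIMIT 1");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result(); // a mysqli_result even when zero rows match

    // The check the original code lacked: a syntactically valid SELECT
    // "succeeds" whether or not any row matched, so count the rows.
    if ($result->num_rows !== 1) {
        // Spend roughly the same time as a real verify so an unknown email is
        // not distinguishable from a wrong password by response time.
        static $dummyHash = null;
        $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }

    $row = $result->fetch_assoc();
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade stored hashes when PHP's default cost or
    // algorithm changes; the plaintext is available only at login time.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upgrade = $cxn->prepare("UPDATE customerdata SET password_hash = ? WHERE email = ?");
        $upgrade->bind_param("ss", $newHash, $email);
        $upgrade->execute();
    }
    return true;
}

// Request handling for the validator page, replacing the `or die(...)` test.
if (($_POST['submitted'] ?? '') === 'yes') {
    include 'dbinfo2.inc'; // $host, $user, $passwd, $dbname, as in the question
    $cxn = new mysqli($host, $user, $passwd, $dbname);
    $cxn->set_charset('utf8mb4');

    $email    = trim((string)($_POST['email'] ?? ''));
    $password = (string)($_POST['password'] ?? ''); // never trimmed or strip_tags()'d

    if ($email !== '' && $password !== '' && authenticate($cxn, $email, $password)) {
        session_start();
        session_regenerate_id(true); // fresh session id once authenticated
        $_SESSION['email'] = $email;
        include 'success.php';
    } else {
        // One generic message for "no such email" and "wrong password" alike.
        echo "<p class='error'>Your login information is incorrect.</p>";
        include 'login.php';
    }
}
```

Two points worth noting. The password is deliberately left unmodified before verification; the question's `strip_tags(trim($value))` would silently change passwords containing `<` or surrounding spaces. And the `num_rows` test is done before `fetch_assoc()`, because `fetch_assoc()` on an empty result returns `null` and the subsequent `password_verify()` would raise a type error rather than a clean failure.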
