PHP登录脚本无法正常工作

Question

I am trying to make a login form with php and mysql and failed from past 3 days.

I have basically php form and on the same page the scripting for logging the user into the website.

form.php

<form id="superAdminForm" method="post" action="">
   <input type="email" name="email" required class="txtInput" placeholder="Email..." autocomplete="off"/> <br />
   <input type="password" name="password" required class="txtInput" placeholder="Password..."/> <br />
   <input type="submit" name="submit" value="Enter" id="submit" />
</form>

php code for form.php

<?php
    require("../php_includes/db-connect.php");

    if (isset($_POST["submit"])) {
        $email = $_POST["email"];
        $password = $_POST["password"];

        $sql = "SELECT * FROM users WHERE email='$email' AND password='$password' LIMIT 1";
        $query = mysqli_query($con, $sql);

        $row = mysqli_fetch_array($query);

        if ($row['email'] == 1) {
            header("Location: admin-index.php");
        }
    }

    mysqli_close($con);

?>

The problem is that the login is not getting successfull. I don't know the reason behind it. So please help me in this. Also guide me where I am making mistakes.

I am new in PHP and am trying my best to cope up with my knowledge.

Answer 1

I think that what you need to do is to separate your view logic from your authentication logic. Move the PHP block into its own file, and set the action parameter of your form to that file (relative location).

This is because all of that php code is interpreted by the server before being sent to the client, and so this form can't actually utilize that PHP logic in the same page.

You'll also probably want to write a fallback in case authentication fails that will redirect you back to the login page (or wherever you'd like), otherwise the user will be left with a white screen.

EDIT

As stated by others, you should look into security and especially hooking into $_SESSION s. Your code is also going to need some work. I don't think $row['email'] == 1 will ever be true, and so your script will fail and ultimately do nothing. Again, add an else statement to handle authentication failure.

As far as a fix, I'd suggest comparing $row['email'] == $email in the if, but that would also make the email check in your SQL query redundant. I'd suggest restructuring your logic.

Answer 2

1.. Talking about security

your code is vulnerable to sql injection so even if it will work its not useful

^^ source

' or '1'='1' /* ' will do magic

so either use mysqli_real_escape_string function For manually escaping special characters in string or Use prepared statements and parameterized queries (Recommended).

2.. email='$email' AND password='$password' LIMIT 1";

so why not email should be unique or check when login that email is already exist or not and if exist than show the error message like (Email already exist)

so you wont need to use limit 1 which really makes no sense

3.. Why are you not setting login id or something in SESSION so that you can determine that use is logged in

your above login script does nothing it just check weather the email and password is present in database or not

4.. plan text as password is really bad idea instead use Hashing check this How do you use bcrypt for hashing passwords in PHP?

Good Read

1. How can I prevent SQL injection in PHP?

Answer 3

rows=mysqli_num_rows( $query);
if ($rows == 1) {
     header("Location: admin-index.php");
}

You are comparing an array to an int,use the code above.