Why my login form allowing users to login with correct USERNAME, but incorrect PASSWORD? (See detail)

Question

I've made a login form using PHP and MySQL. Now the problem is that when I enter correct username and password, it logins, but when I enter correct username and correct "password+ANY_OTHER_CHARACTER", it still logins. Why is it happening?

For example: If the username and password stored in database are:

Username: username1
Password: 1213456

Then if I enter these credentials in login form, it logs me in.

But if I try following credentials:

Username: username1
Password: 1213456asdfjksdj

It still logs me INTO SAME account.

Why is it happening?

One more thing, it was working fine previously, but I've used some seesion variables and session_start() functions. I think the problem started after using session. Please help.

My login PHP code is:

 <?php session_start(); if(isset($_SESSION["cur_user_sess"]) && isset($_SESSION["cur_user_pass"])) { header("Location: welcomehome.php"); } ?> <?php $a=mysqli_connect('localhost', 'root','', 'onlinequiz'); if(isset ($_REQUEST['signup'])) { $c=$_REQUEST['uname']; $d=$_REQUEST['email']; $e=$_REQUEST['phone']; $f=$_REQUEST['pass']; $h="INSERT INTO signup(Name, Email, Phone, Password) VALUES ('$c', '$d', '$e', '$f')"; $i= mysqli_query($a,$h); if($i) { header("Location: login2.php"); } else { echo "error"; } } ?> <?php $a=mysqli_connect('localhost','root','', 'onlinequiz'); if (isset ($_REQUEST['login'])) { $c=$_POST['mail']; $d=$_POST['pass']; $e="SELECT * FROM signup WHERE Email='$c' and Password='$d'"; $f=mysqli_query($a,$e); if(mysqli_num_rows($f)==1) { $_SESSION["cur_user_sess"]=$c; $_SESSION["cur_user_pass"]=$d; header ("Location: welcomehome.php"); } else { $error2 = "Enter correct information"; } } ?> <?php $mysql=mysqli_connect('localhost','root','','onlinequiz'); $currentuser=$_SESSION["cur_user_sess"]; $sql = "SELECT * FROM signup WHERE Email='$currentuser'"; $result = mysqli_query($mysql, $sql); $row = mysqli_fetch_assoc($result); $_SESSION["profilename"]=$row["Name"]; //$_SESSION["profilepoints"]=$row["Points"]; $_SESSION["profilephone"]=$row["Phone"]; ?> 

Answer 1

Do you destroy the session or unset the curr_user_sess and curr_user_pass ?

<?php
session_destroy(); // Is Used To Destroy All Sessions

//Or

if(isset($_SESSION['curr_user_sess']))
unset($_SESSION['curr_user_sess']);  //Is Used To Destroy Specified Session
if(isset($_SESSION['curr_user_pass']))
unset($_SESSION['curr_user_pass']);
?>

Do this when logging out. If you don't, the session will stay set after you correctly login and you don't even get to the part where it checks the email and password you provided.

Answer 2

First, a few pointers.

$a, $b, $c? Stop doing that! Proper naming conventions! Your SQL query chould be "$query" for example, your MYSQLI connection could be "$dbh" or "$connection", etc. This makes code far easier to read through.

Second, you're dropping "unsanitized" values straight into a SQL query. Why is this bad? Because if someone enters the username 1' or '1' = '1 , they've just found out they can waltz into your entire system.

Passwords? Plaintext? You really want to encrypt that! Here's a little article that will get you going in the right direction .

Next, using $_REQUEST is generally a bad idea for 2 reasons. First, basic security, and second? Code maintenance. Instead break it down into $_POST and $_GET so that it at least identifies your data source.

Last but not least, try looking at this tutorial for PHP PDO. It's a far better way of handling DB interaction than Mysqli. More secure and less confusing, too.

Try this instead of your existing test login and let me know if it works.

$mysqli = new mysqli("localhost", "user", "pass", "db");

# Basic data sanitization
$pass = mysqli_real_escape_string($_POST['email']);
$mail = mysqli_real_escape_string($_POST['pass']);

$sql = "SELECT * FROM signup "
     . "WHERE Email = '$mail' AND password = '$pass'";
$result = $mysqli->query($sql);

if($result->num_rows == 1) {
echo "Logged in";
} else {
echo "Failed to sign in";
}