Php mysqli error query

Question

<?php
session_start();
include("includes/db.php");

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Admin Login</title>
    <link rel="stylesheet" href="css/bootstrap.min.css">
    <link rel="stylesheet" href="css/login.css">
</head>
<body>
   <div class="container"><!-- container starts-->
    <form class="form-login" action="" method="Post"><!-- form-login starts-->
    <h2 class="form-login-heading"> Admin Login</h2>    
    <input type="text" class="form-control" name="admin_email" placeholder="Email Address" required>
    <input type="password" class="form-control" name="admin_pass" placeholder="Password" required>    
            <button class="btn btn-lg btn-primary btn-block" type="submit" name="admin_login">
          Log In
      </button> 
    </form><!-- form-login ends-->   


   </div><!-- container ends-->


</body>
</html>
<?php
if(isset($_POST['admin_login']))
{
    $admin_email=mysqli_real_escape_string($con,$_POST['admin_email']);
    $admin_pass=mysqli_real_escape_string($con,$_POST['admin_pass']); 
    $get_admin="select * from admins where admin_email='$admin_email' AND admin_pass=' $admin_pass'"; 
    $run_admin=mysqli_query($con,$get_admin);
    $count=mysqli_num_rows($run_admin);
    if($count==1){
        $_SESSION['admin_email']=$admin_email;
        echo"<script>alert('You are logged in into admin panel')</script>";
        echo"<script>window.open('index.php?dashboard','_self')</script>";
    } 
    else{
        echo"<script>alert('Email Or password is wrong')</script>";
    }
}    

?>

I have a problem in my query. In my login panel when i write the email and password which I have stored in my database the if condition fails and the else portion of the code is run even if I use the same password and email which I stored in my database.

Answer 1

I've just noticed that your query:

$get_admin="select * from admins where admin_email='$admin_email' AND admin_pass=' $admin_pass'";

has a space before the $admin_pass variable is used.

Try adjusting this to:

$get_admin="select * from admins where admin_email='$admin_email' AND admin_pass='$admin_pass'";

Answer 2

There's a space in your query where you pass in the admin password:

"AND admin_pass=' $admin_pass'"

should be:

"AND admin_pass='$admin_pass'"

Rather than fixing this bug though you should make some more major changes:

1. Don't build queries by manually appending variables passed in by your users otherwise you will be vulnerable to SQL injection attacks. You should be using prepared statements instead. See http://php.net/manual/en/mysqli.prepare.php . Although you are using mysqli_real_escape_string which will help prevent SQL-I its quite error prone compared to using prepared statements.
2. Don't store passwords in a database, you should at a minimum store them encrypted but preferably store a password hash instead. php even has 2 functions which do this for you password_hash to generate hashes: http://php.net/manual/en/function.password-hash.php and password_verify to check them: http://php.net/manual/en/function.password-verify.php