I'm creating a simple user registration and login system. The registration works fine and it stores the users in DB. But when i try to login even if i get the username/password correct it still returns that It's not correct. I can't seem to find the problem here is the code. Login form:
<form method="post" action = 'plogin.php'>
<h2 class="sr-only">Login Form</h2>
<div class="illustration"><i class="icon ion-ios-navigate"></i></div>
<div class="form-group"><input class="form-control" type="email" name="email" placeholder="Е-маил"></div>
<div class="form-group"><input class="form-control" type="password" name="password" placeholder="Лозинка"></div>
<div class="form-group"><button class="btn btn-primary btn-block" type="submit">Најава</button></div><a href="#" class="forgot">Ја заборавивте лозинката? Кликнете овде.</a></form>
Validation and checking if username and password exists:
<?php
session_start();
if(!empty($_POST)) {
include('includes/general.php');
if(!$connection){
die("Failed to connect to database ".mysqli_connect_error());
}
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$hashedPassword = hash('SHA256', $password);
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
$result = mysqli_query($connection, $query) or die (mysqli_error($connection));
if(mysqli_num_rows($result) > 0) {
$_SESSION = mysqli_fetch_array($result);
echo "<script>window.location.href = 'user.php';</script>";
} else {
echo "<script>alert('invalid username/password');
window.location.href= 'login.php';</script>";
}
} else {
echo "<script>window.location.href = 'index.php';</script>";
}
You've mixed your variables. I guess your password is stored as hash, but you're comparing it to the unhashed value.
try instead
$password = mysqli_real_escape_string($connection, $_POST['password']);
$hashedPassword = hash('SHA256', $password);
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$hashedPassword'";
Even though I wonder why you try to put the full result into $_SESSION. I wouldn't do that, if you need to have some values in your session (eg userId, email and username or similiar) I would just store those instead of all columns from the row. Also doing a query without specification of columns you want to retrieve is not best practice, see this topic for explaination.
You maybe want to check PHP-reference for password_hash and password_verify to improve your concept.
did you mean
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$hashedDassword'";
?
and also, I Highly advise AGAINST writing your own registration and sign up form, unless this is for an exercise.
嘿,不要对 PHP 变量使用单引号,请使用 string con cat (.) 运算符
$query = "SELECT * FROM users WHERE email = '".$email."' AND password = '".$password."'";
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.