Unable to login to my dashboard page using the below PHP code

Question

1.00/5 (1 vote)

See more:

I am unable to login to my dashboard page with my query with PHP and Mysqli. any help will be appreciate, thanks.

What I have tried:

if(isset($_POST['email']) && isset($_POST['password'])){


    $sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) === 0) {

        $row = mysqli_fetch_assoc($result);

        if ($row['email'] === $email && $row['password'] === password_verify($password, $hash_password)) {

            echo "Logged in!";

            $_SESSION['email'] = $row['email'];

            $_SESSION['vendor_name'] = $row['vendor_name'];

            $_SESSION['id'] = $row['id'];

            header("Location: dashboard.php");


            echo "welcome";
            echo  $_SESSION['vendor_name'];

            exit();


     }

     else{

        echo "incorect Credentials";
    }



            }
}

?>

Posted 18-May-23 7:50am

Jeffersonballer

Updated 18-May-23 21:40pm

Add a Solution

Comments

Member 15627495 18-May-23 13:59pm

Hello !


$row['password'] === password_verify($password, $hash_password)) // the right operation return a boolean,
// that make the equality hard. a password is wait, and the compare values could be 1 or 0

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2023-05-18T21:40:00

Quote:

PHP

$sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";

Problem 1:
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.
PHP: SQL Injection - Manual[^]

Problem 2:
Your query only returns records where the password stored in the database matches the plain-text password entered by the user. That suggests you are storing the passwords in plain-text, which is extremely bad.

Quote:

PHP

$row['password'] === password_verify($password, $hash_password)

Problem 3:
You appear to be generating a hash of the password which the user has just entered, and then verifying that the password they just entered matches that hash. Essentially, you are testing that the password they just entered is the same as the password they just entered - a meaningless comparison.

Problem 4:
As pointed out in the comments, password_verify returns a bool. So unless the password is literally "true", that test can never pass.

You need to completely re-think your approach:

When the user signs up, or resets their password, use password_hash to generate a salted hash of the plain-text password. Store that hash in the database, never the plain-text password.
When the user logs in, select the record by username alone. Then pass the plaintext password they entered and the stored password hash from the database record to the password_verify method to ensure they match.
And for the love of Codd[^], use parameterized queries!

PHP: password_hash[^]
PHP: password_verify[^]

Member 15627495 · Answer 2 · 2023-05-18T20:26:00

PHP

if(isset($_POST['email']) && isset($_POST['password'])){


    $sql = "SELECT * FROM vendors WHERE vendor_email='$email' AND password='$password'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) === 0 and count($result) === 1 ) { // one option by 'metadata' . only admin have it.

        $row = mysqli_fetch_assoc($result);

        if ($row['email'] === $email ) { // another test , but the first was very good !

            echo "Logged in!";

            $_SESSION['email'] = $row['email'];

            $_SESSION['vendor_name'] = $row['vendor_name'];

            $_SESSION['id'] = $row['id'];

            header("Location: dashboard.php");


            echo "welcome";
            echo  $_SESSION['vendor_name'];

            exit();


     }

     else{

        echo "incorect Credentials";
    }



            }
}

?>

you just made a misuse about 'password_verify' [ logical error ], but you pipe good to reach your 'as admin' credential.

Unable to login to my dashboard page using the below PHP code

2 solutions

Solution 2

Solution 1

Add your solution here

Preview 0