0

Recently, I was making a login and signup page, where a mail gets sent if you sign up to confirm your account. I used MySQL for the account list, and have a 'confirm' column with 0 (unconfirmed) or 1 (confirmed).

Now, I created the following script to login, but it doesn't seem to be working. After executing this script, I see the "Processing...", then I see the "Such Sadness" part. I have checked in PHPMyAdmin that the account exists, and that it is actually confirmed. MySQL_Base is the file with the connection to the database, and that file is included in other files where the script works.

What is exactly the problem here?

ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(-1);
$email = $_POST['email'];
$password = $_POST['password'];
include("mysql_base.php");
echo "Processing...<br>";
$sql = "SELECT * FROM pages_accounts WHERE confirm='1' AND email='".$email."' AND pass='".$password."' LIMIT 1";
if($result = mysqli_query($conn, $sql) &&  $result->num_rows > 0){
  echo "FOUND UR ACCOUNT. MUCH HAPPINESS. SUCH GLAD. WOW REDIRECTING...";
} else {
  echo "SUCH SADNESS. NO ACCOUNT WITH SUCH NAME. WEIRD RETURN. WOW. WHY NOT <a href='loginSignup.php'>SIGNUP</a>?";
}
FoxInFlame
  • 720
  • 10
  • 20
  • 1
    You're mixing `mysql_` and `mysqli_` functions. Those are two separate libraries, and don't work together. – andrewsi Oct 20 '15 at 15:04
  • @andrewsi Where have I mixed them up? – FoxInFlame Oct 20 '15 at 15:05
  • `if(mysql_fetch_array($query) !== ` – andrewsi Oct 20 '15 at 15:05
  • @andrewsi I just tried replacing `mysql_fetch_array` with `mysqli_fetch_array`. Doesn't work. – FoxInFlame Oct 20 '15 at 15:07
  • Be aware that your code is *wide open* to **SQL injection attacks**. Basically any user can execute any arbitrary SQL code they want on your server. – David Oct 20 '15 at 15:07
  • @pokekart2002 - look at Alex's answer. You're making _2_ calls to the result set in your code, and if there's only one matching row in the database, the second call won't return anything. – andrewsi Oct 20 '15 at 15:08
  • @David How? I'm.. Well.. Pretty new to MySQL. – FoxInFlame Oct 20 '15 at 15:09
  • @pokekart2002: Read this: http://php.net/manual/en/security.database.sql-injection.php And look at this: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php The general rule is that you never want to put user input directly into your SQL queries. That results in executing user input *as code*. Treat user input as values, not as executable code. – David Oct 20 '15 at 15:11

1 Answers1

1

Replace these 3 lines:

$query = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($query);
if(mysql_fetch_array($query) !== false){

with this one:

if($result = mysqli_query($conn, $sql) &&  $result->num_rows > 0){

UPDATE Last version after discussion in chat:

if($result = mysqli_query($conn, $sql)) { 
   if ($result->num_rows > 0){ 
      echo "FOUND UR ACCOUNT. MUCH HAPPINESS. SUCH GLAD. WOW REDIRECTING..."; 
   } else { 
      echo "SUCH SADNESS. NO ACCOUNT WITH SUCH NAME. WEIRD RETURN. WOW. WHY NOT <a href='loginSignup.php'>SIGNUP</a>?"; 
   } 
} else { 
   echo "Errormessage: %s\n". mysqli_connect_error(); 
}
Alex
  • 16,739
  • 1
  • 28
  • 51
  • Compact. And it works. Thank you. It IS supposed to be `!=` right? – FoxInFlame Oct 20 '15 at 15:11
  • No, I would suggest to switch your `echo`s. The way when `true` should be the first one – Alex Oct 20 '15 at 15:12
  • Is that better, than doing `!=`? If so why? It is basically the same thing, if my knowledge is correct... – FoxInFlame Oct 20 '15 at 15:12
  • that is absolutely up to you :-) your project, your code :-) I like more PDO object variant than mysqli. so it is just personal preferences :-) – Alex Oct 20 '15 at 15:14
  • Now what? I tried adding a few more pieces of code, and it showed up as `Undefined Variable: result in ...`. The code works, but it's kinda annoying. I removed all the code, copy and pasted it from this page, and tried again. Same result. What could be the solution? – FoxInFlame Oct 20 '15 at 18:08
  • @pokekart2002 post your new code fragment as new question :-) – Alex Oct 20 '15 at 18:10
  • Couldn't be bothered. Same topic, so I edited the question. Ignore how I haven't switched the `echo`s around yet, but it always shows up as FOUND UR ACCOUNT. – FoxInFlame Oct 20 '15 at 18:11
  • because you didn't switch `echo`s for positive and negative flow for condition I provided. and did you change table definition? why did you change `password='".$password."'` to `pass='".$password."'` ? – Alex Oct 20 '15 at 18:15
  • Yes I changed the Table, because it appeared to be a little buggy using PASSWORD as a column name. Alright, I switched the echo's around. Still. Same problem. – FoxInFlame Oct 20 '15 at 18:17
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/92889/discussion-between-pokekart2002-and-alex). – FoxInFlame Oct 20 '15 at 18:18