
I am trying to use the below code to create a login form. The problem is that after registration, when I am trying to log in, I get an error message "Username or Password don't match" even though the email and password are correct. I tried "$num <=1" and it allows me to log in, but obviously it is not authenticating the login details in that case. Any help will be appreciated. Most importantly, this code is working fine on a local server like XAMPP, but the problem starts when using a host server like HostGator (no issue connecting to the server).

    <?php
    session_start(); // Starting Session

    // Database connection
    include('../config/connection.php');

    $error = ''; // Variable To Store Error Message
    if (isset($_POST['submit'])) {
        if (empty($_POST['email']) || empty($_POST['password'])) {
            $error = '<p class="alert alert-danger">One or either field is missing</p>';
        } else {
            // Define $email and $password
            $email = $_POST['email'];
            $password = $_POST['password'];

            // To protect MySQL injection for Security purpose
            $email = stripslashes($email);
            $email = mysql_real_escape_string($email);

            // SQL query to fetch information of registered users and find a user match.
            $q = "SELECT * FROM users WHERE email = '$email' AND password = md5(SHA1('$password'))";
            $r = mysqli_query($dbc, $q) or die(mysqli_error());

            $num = mysqli_num_rows($r);

            if ($num == 1) {
                $_SESSION['username'] = $email;
                header('Location:Index.php');
            } else {
                $error = '<p class="alert alert-danger">Username or Password don\'t match</p>';
            }
            mysqli_close($dbc); // Closing Connection
        }
    }
    ?>
Gautam P Behera
  • `md5(SHA1('$password'))` this doesn't look right. You can't use functions inside a string like that. Assign it to a variable outside first. -- You are also vulnerable to SQL injection, take a look at [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). -- `mysql_real_escape_string` won't work (as you are using `mysqli_`) and isn't sufficient to filter user-data. – Qirel Dec 05 '15 at 14:21
  • Bring up a MySQL console and see if `SELECT md5(SHA1('Your Password'))` matches what's in your database. Also a quote in your password may break your query – Aaron W. Dec 05 '15 at 14:23
  • Thanks Qirel will keep that in mind. – Gautam P Behera Dec 05 '15 at 15:58
  • @AaronW. did it, the password it is echoing is correct but still can't log in – Gautam P Behera Dec 05 '15 at 16:00
  • Throw an `echo $q;` in there and run that on your console - verify there are no issues with the return. – Aaron W. Dec 06 '15 at 02:08
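The comments above point out three separate problems in the posted handler: `mysql_real_escape_string` is the wrong escaping function for a `mysqli` connection (and escaping is not a substitute for parameterised queries), `mysqli_error()` is called without its connection argument, and hashing the password inside the SQL string means the clear-text password travels into the query. The following is an added example, not the asker's code, showing how the same login flow looks with a prepared statement and PHP's own `password_hash()`/`password_verify()`. It assumes the same `../config/connection.php` include providing a `mysqli` connection in `$dbc`, a `users` table with `email` and `password_hash` columns, and that registration stored the output of `hash_for_storage()`; the function names and the column name are illustrative assumptions.

```php
<?php
// Added example (not the asker's code). Assumes ../config/connection.php
// defines $dbc as a mysqli connection and that `users` has columns
// `email` and `password_hash` (column and function names are assumptions).
session_start();
include('../config/connection.php');

// Raise exceptions on MySQL errors instead of `or die(mysqli_error())`,
// which in the question is called without its connection argument.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hash a new password for storage. The registration side stores this value
 * in users.password_hash; the hash is computed in PHP, never in SQL.
 */
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Look up the user by email with a prepared statement and verify the
 * submitted password against the stored hash. Returns true on success.
 */
function authenticate(mysqli $dbc, string $email, string $password): bool
{
    // Parameter binding replaces string interpolation, so a quote in the
    // email or password can no longer change the SQL that runs.
    $stmt = $dbc->prepare('SELECT password_hash FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Do a verify anyway so response time does not reveal whether the
        // email exists.
        password_verify($password, hash_for_storage('placeholder'));
        return false;
    }
    return password_verify($password, $storedHash);
}

$error = ''; // Variable to store error message
if (isset($_POST['submit'])) {
    if (empty($_POST['email']) || empty($_POST['password'])) {
        $error = '<p class="alert alert-danger">One or either field is missing</p>';
    } elseif (authenticate($dbc, $_POST['email'], $_POST['password'])) {
        session_regenerate_id(true);            // fresh session id after login
        $_SESSION['username'] = $_POST['email'];
        header('Location: Index.php');
        exit;                                   // nothing below should run after a redirect
    } else {
        $error = '<p class="alert alert-danger">Username or Password don\'t match</p>';
    }
    mysqli_close($dbc); // Closing connection
}
```

`password_hash()` and `password_verify()` need PHP 5.5 or later. Because the hash is produced and checked in PHP, the question of whether MySQL's `md5(SHA1(...))` matches what registration stored no longer arises; rows that still hold the old `md5(sha1())` value would have to be rehashed (for example on the user's next successful login) before this handler accepts them.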

1 Answer

In your query, the $password should not be between the quotes, because then it will search for the string instead of the value of the variable.

$q = "SELECT * FROM users WHERE email = '$email' AND password = 'md5(SHA1($password))'";

Make sure your password is hashed in your database.

Skyyy
  • No it won't - the whole thing is surrounded by double quotes and moving the single quotes around the SQL function names won't cause them to be used. – Aaron W. Dec 06 '15 at 02:08