login system wont log me in no matter what

Question

I am making a login/register system in php. For some reason in the login.php file i can not login any user. Bellow is the login.php file. I have the db connection and session start in connect.php file and any function needed in the functios.php file.

include("connect.php");
include("functions.php");
if(logged_in())
{
 header("location: profile.php");
 exit();
}

$error = "";



if(isset($_POST['submit']))
{

 $email = mysqli_real_escape_string($con,$_POST['email']);
 $password = mysqli_real_escape_string($con,$_POST['password']);

  $result=mysqli_query($con,"SELECT id FROM users WHERE email='$email' and password='$password'");
  $retrievePassword=mysqli_fetch_assoc($result);
  $count=mysqli_num_rows($result);

     if($count == 1)
     {
       $_SESSION['email']=$email;
       if($checkBox="on")
       {
         setcookie("email",$email,time()+3600);
       }
       header("location: profile.php");
     }
 else
 {
     $error="Emai or Password is inccorect, check again!";
 }

}






<div id="error"><?php echo $error;?></div>

   <div id="link">
       <a href="index.php">Register</a>
       <a href="login.php">Login</a>
   </div>

   <div id="formDiv">
       <form method="post" action="login.php">
            <label>Email:</label><br>
           <input type="text" name="email"><br><br>
            <label>Password:</label><br>
           <input type="password" name="password"><br><br>
           <input type="checkbox" name="keep">
           <label>Keep me logged in</label><br><br>
           <input type="submit" name="submit" value="Login">
       </form>
   </div>
</div>

Out of curiosity> Does the connection `$con` gat anything to do with with a post value `$_POST['email']`? `$email = mysqli_real_escape_string($con,$_POST['email']);` Shouldn't it be just `$email = $_POST['email'];` — Omari Victor Omosa, Jul 19 '16 at 20:48
the mysqli_real_escape_string takes 2 parameters, 1 is the $con and the other is your variable. THE mysqli_real_escape_string is for security reasons. It for mysql injection attacks — njazi, Jul 19 '16 at 20:51
What about just living it like `$email = mysqli_real_escape_string($_POST['email']);` — Omari Victor Omosa, Jul 19 '16 at 20:56
assuming you have validated for duplicates emails. i would suggest `if($count > 0) {` instead of `if($count == 1) {` which is a more sure way — Omari Victor Omosa, Jul 19 '16 at 21:02
i have tried that also and still wont let me in.[link](http://iek-exam.tk/login.php) here check it out. — njazi, Jul 19 '16 at 21:05
**Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Jul 19 '16 at 21:14
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) — Jay Blanchard, Jul 19 '16 at 21:14
Can you post the markup for your login form? I am going to guess that you don't have something named 'submit' — Jay Blanchard, Jul 19 '16 at 21:16
i have a submit button but i valued it in login button. As for the password in the registration.php file i make ti a a hash encrypt but in the login file no matter what i do even when i use the password_verify function still wont login. — njazi, Jul 19 '16 at 21:20
Place a `print_r($_POST)` or `var_dump($_POST)` in the PHP page which receives the form submission. Fill out your form, submit and look closely at the data printed to the screen. Share those results with us. — Jay Blanchard, Jul 19 '16 at 21:28
Emai or Password is inccorect, check again! Array ( [email] => ek@gmail.com [password] => 12345678 [submit] => Login ) — njazi, Jul 19 '16 at 21:31
should i relly give you the password? I dont know if i should... — njazi, Jul 19 '16 at 21:36
Add a `print_r($retrievePassword);` right after you perform the fetch. What does that contain? — Jay Blanchard, Jul 19 '16 at 21:36
Really? Seriously? Your text password is 123456 and you're worried about giving us the password contained in the database? — Jay Blanchard, Jul 19 '16 at 21:37
i have stored my files in a domain thats the proble. Here is the pass 1234567890. What will it help you with? — njazi, Jul 19 '16 at 21:38
this is the fetch `$retrievePassword=mysqli_fetch_assoc($result);` — Jay Blanchard, Jul 19 '16 at 21:42
Or the problem could be the cookies you are storing for the `$email` it might be recognizing the stored variable for email. try to unset the '$email' variable first then try again — Omari Victor Omosa, Jul 19 '16 at 21:47
@ Jay Blanchard i am sorry, the password you asked for the database is the user OF the database not the user of the login. the Passwords are correct because i have registered also new users and still the same result — njazi, Jul 19 '16 at 21:47
i have deleted the cookie code and still the same, ass for the error log no idea... — njazi, Jul 19 '16 at 21:48
The error logs are on your web server and you need to be able to examine them. They will tell you what is going on, but I can tell you right now that your query is not returning any results because `$retrievePassword` is empty. Go read the links in comments above and you will see how to do this with proper error checking. Right now we are chasing ghosts. — Jay Blanchard, Jul 19 '16 at 21:49
After deleting the cookie code then unset the `$email` variable. It is still not free i believe. log it out — Omari Victor Omosa, Jul 19 '16 at 21:50
i am sure that the email is logged out... as for the log file i will find it now gime me a sec... — njazi, Jul 19 '16 at 21:53
Add this `or die(mysqli_error());` and see if there is an error . add it here `$result=mysqli_query($con,"SELECT id FROM users WHERE email='$email' and password='$password'") or die(mysqli_error());` — Omari Victor Omosa, Jul 19 '16 at 21:57
i deleted the mysqli_fetch_asocc and i deleted the password from the query and it worked. So the problem is the mysqli_fetch_asocc... — njazi, Jul 19 '16 at 22:00
If you delete the password from the query anybody can login as long as the email is in the database — Omari Victor Omosa, Jul 19 '16 at 22:06
i saw the log errors and there is nothing about the problem of the password. Thank you all for the help now that i know whats exactly the proble i will find a way — njazi, Jul 19 '16 at 22:10
if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { echo "
id: ". $row["id"]. " - Name: ". $row["email"]. " " . $row["password"] . "
"; } } else { echo "0 results"; } $con->close(); **bold**I did this just now and it shows everything, email id pass all that we need, so the query work fine, the hell is wrong then????????? — njazi, Jul 19 '16 at 23:16
How many results are you getting back from the query? You're testing for exactly 1, is it possible you have more than one row? — Jay Blanchard, Jul 20 '16 at 11:42
I really don't get it. Why are you even using num_rows when you're fetching a row? I wonder, after you fetched the one single row from a resultset ... and call num_rows ... does it return 1? does it perhaps free the result because it's not needed anymore? have you tried moving the num_rows one line above? anyway, i wouldn't num_rows at all. — Jakumi, Jul 20 '16 at 21:48
@Jacumi The fetching for as i know is only to see if the passwords match, can you explain it better? — njazi, Jul 23 '16 at 01:29

login system wont log me in no matter what

0 Answers0