```php
<?php
session_start();
$conn=mysqli_connect('localhost','root','');
$name=$_POST['name'];
$password=$_POST['password'];
$UserType=$_POST['cmbUser'];
if ($UserType=="Admin")
{
     mysqli_select_db($conn,"prison") or die("Cannot connect to database");
     $sql = "select * from Admin_Tbl where name='".$name."' and 
     password='".$password."'";
     $result = mysqli_query($conn,$sql);
     $records = mysqli_num_rows($result);
     $row = mysqli_fetch_array($result);
     if ($records==0)
     {
          echo $records;
          echo '<script type="text/javascript">alert("Wrong UserName or Password");
               window.location=\'login2.php\';</script>';
     }
     else
     {
          header("location:adminpanel.php");
     }
     mysqli_close($conn);
}
else if($UserType=="Police")
{
     mysqli_select_db($conn,"prison") or die("Cannot connect to database");
     $sql = "select * from pol where name='".$name."' and 
          password='".$password."'";
     $result = mysqli_query($conn,$sql);
     $records = mysqli_num_rows($result);
     $row = mysqli_fetch_array($result);
     if ($records==0)
     {
          echo $records;
          echo '<script type="text/javascript">alert("Wrong UserName or Password");
               window.location=\'login2.php\';</script>';
     }
     else
     {
          $_SESSION['ID']=$row['Station_Id'];
          $_SESSION['Name']=$row['Station_Name'];
          header("location: officerpanel.php");
     }
     mysqli_close($conn);
}
?>
```

This is the login code. The admin login works fine, but the police login always gives a wrong username or password error even if it is correct! I have inserted a new user into the 'pol' table using a stored procedure. The user gets added to the table, but I am not able to log in with that username and password. Please help!

  • You're open to [SQL Injections](http://bobby-tables.com/). Please, use prepared statements with parameterized queries. Check [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – FirstOne Nov 25 '17 at 13:49
  • Nothing obviously broken in your code. I'm assuming this is just a school / hobby project, as that code is very insecure. Never store passwords in your database like that; they should be hashed and salted, and, like @FirstOne has pointed out, you should prepare your statements to avoid SQL injection. – Caedmon Nov 25 '17 at 15:05
  • Yes. It is for a school project @Caedmon – Skanda Bharadwaj Nov 25 '17 at 15:59
  • Well @SkandaBharadwaj you'd probably get some extra credit if you hashed the passwords and used something like this to check it: `select * from pol where name='".$name."' and password=SHA1('".$password."')` It's still not best practice, as the passwords aren't salted and SHA1 isn't the strongest hash about. Still, much better than plain text passwords :-) – Caedmon Nov 26 '17 at 17:09
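
The two fixes suggested in the comments (parameterized queries and salted password hashes), applied to the login script as an added example that is not part of the original question or comments. It assumes the `password` column stores `password_hash()` output rather than plain text; `find_user`, `LOGIN_TABLES` and the `UserType` session key are hypothetical names.

```php
<?php
// Added example: hardened variant of the login script above.
// Assumption: the `password` column holds password_hash() output, not plain text.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Table names cannot be bound as parameters, so map the form value to a fixed allow-list.
const LOGIN_TABLES = ['Admin' => 'Admin_Tbl', 'Police' => 'pol'];

function find_user(mysqli $conn, string $userType, string $name, string $password): ?array
{
    $table = LOGIN_TABLES[$userType] ?? null;   // constant from the allow-list, never user input
    if ($table === null) {
        return null;                            // unknown cmbUser value: reject
    }
    $stmt = $conn->prepare("SELECT * FROM `$table` WHERE name = ?");
    $stmt->bind_param('s', $name);              // name travels as data, not as SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Compare in PHP against the salted hash; the password never enters the query.
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

$userType = $_POST['cmbUser'] ?? '';
$conn = new mysqli('localhost', 'root', '', 'prison');   // connection values as on the page
$row = find_user($conn, $userType, $_POST['name'] ?? '', $_POST['password'] ?? '');
$conn->close();

if ($row === null) {
    header('Location: login2.php');             // same response for unknown user and wrong password
    exit;
}
session_regenerate_id(true);                    // fresh session id after a successful login
$_SESSION['UserType'] = $userType;              // hypothetical key so the panels can check the role
if ($userType === 'Police') {
    $_SESSION['ID'] = $row['Station_Id'];
    $_SESSION['Name'] = $row['Station_Name'];
}
header($userType === 'Admin' ? 'Location: adminpanel.php' : 'Location: officerpanel.php');
exit;
```

With this scheme, any code path that creates users, including the stored procedure mentioned in the question, has to store the `password_hash()` result for `password_verify()` to succeed.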
