Reputation: 1024
I'm trying to do a simple login, which compares the ID and password entered by the user with the data in the database.
//getting the inputs
$checkid = $_POST["id"];
$checkpassword = md5($_POST["pass"]);
//getting the id and password of the id and password of the inputs
$query = "SELECT id, password FROM login WHERE id=$checkid AND password=$checkpassword";
$res = mysqli_query($link, $query);
$nres = mysqli_num_rows($res);
//$nres should be 0 if the user inputs the right id but the wrong password
//or vice versa; the only way that $nres != 0 is that both inputs match the db, right?
if ($nres == 0) {
    header('Location: http://localhost:8888/login/login_fail.php');
} else {
    header('Location: http://localhost:8888/profile/profile.php');
}
exit();
It doesn't work: even if I put in the right ID and password that are in the database, it redirects to login_fail.php. Note: it does work if I do it with just the ID and take ", password" and "AND password = $checkpassword" out of the query. Help
Upvotes: 0
Views: 395
Reputation: 74217
Add quotes to your variables:
"SELECT id, password FROM login WHERE id='$checkid' AND password='$checkpassword'"
                                         ^        ^              ^              ^
Sidenote: Don't use md5, it's now insecure to use as password storage.
For password storage, either use bcrypt or PHP's password() function.
And see this article also
Also noted in comments by others, use mysqli_real_escape_string():
$checkid=mysqli_real_escape_string($link,$_POST['id']);
Upvotes: 2
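As an added example (not code from the question or the answers), here is the login check with the two points above applied: the password is stored as a bcrypt hash instead of md5, and the ID reaches the query safely. It goes one step beyond quoting and escaping by binding the ID as a parameter. It assumes PDO with an in-memory SQLite database and a constructed user so that it runs without a MySQL server; mysqli offers the same through prepared statements.

```php
<?php
// Added example: the table contents and credentials below are constructed.
// Assumption: PDO + SQLite stands in for the page's mysqli/MySQL connection.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login (id TEXT PRIMARY KEY, password TEXT NOT NULL)');

    // Store a salted bcrypt hash, never md5() of the password.
    $insert = $db->prepare('INSERT INTO login (id, password) VALUES (?, ?)');
    $insert->execute(['1001', password_hash('correct horse', PASSWORD_BCRYPT)]);
    return $db;
}

function check_login(PDO $db, string $id, string $password): bool
{
    // The ID travels as a bound parameter, so it is never parsed as SQL
    // and needs neither quotes nor escaping.
    $stmt = $db->prepare('SELECT password FROM login WHERE id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        return false; // unknown ID
    }
    // bcrypt hashes are salted, so two hashes of the same password differ.
    // The comparison therefore cannot live in the WHERE clause; fetch the
    // stored hash by ID and let password_verify() do the check.
    return password_verify($password, $stored);
}

$db = make_demo_db();
var_dump(check_login($db, '1001', 'correct horse'));  // right ID, right password
var_dump(check_login($db, '1001', 'wrong'));          // right ID, wrong password
var_dump(check_login($db, "10'01", 'correct horse')); // a quote in the ID is plain data
```

The redirect from the question then branches on the boolean that check_login() returns instead of on mysqli_num_rows().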
Reputation: 2615
Try the query:
$query = "SELECT id, password FROM login WHERE id='".$checkid."' AND password='".$checkpassword."'";
Upvotes: 0