Verifying email and password input from a mysql database via php

Question

I have been trying my best at the review and pursue section for chapter 15 of Larry Ullman's PHP and MySQL book 4th edition, login_ajax.php, where it said:

Modify login_ajax.php so that it uses a database to confirm successful login.

This is what I've tried so far, whatever I do, the response I get seems to always be "INCORRECT" and then the ajax script never logs me in.

My code so far:

<?php

if (isset($_GET['email'], $_GET['password'])){

$email = $_GET['email'];
$password = $_GET['password'];

// Need a valid email address:
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {

    // must match specific values:
    // This values will be gotten from a database

    require('../mysqli_connect.php');

    // retrieve from database

    $q = "SELECT email, pass FROM users WHERE email = '$email'LIMIT 1";

    // run the query
    $r = @mysqli_query($dbc, $q);


    //$check_email = "";
    //$check_pass = "";

    /*while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {

        $check_email = $row['email'];
        $check_pass = $row['pass'];

    }*/   // if the email and password match those in database

    //if (($email == $check_email && $password == $check_pass)) {
    if (mysqli_num_rows($r) > 0) {

        echo 'CORRECT';


    } else {

        echo 'INCORRECT';
    }



    mysqli_close($dbc);


    /*    if(($_GET['email'] == 'email@example.com') && ($_GET['password'] == 'testpass')){

            //Set a cookie, if you want, or start a session.
            // indicate  success:
            echo 'CORRECT';

        }else{// mismatch

            echo'INCORRECT';
        }*/
}else{ // invalid email

    echo 'INVALID_EMAIL';
}

}else{ // missing one of the two variables

echo 'INCOMPLETE';

}

It contains my different tries.

Answer 1

First of all, I would never use GET to commit a password for security reason. To check, if a password is correct, I would suggest to use the php function password_hash() and password_verify() to store the passwords not in plain text.

But to answer your origin question: To see the errors of your query, simply remove the "@" sign in front of your query. I would also add a space before the "LIMIT" statement.

If it still doesn't work correctly, try to get the mysqli error and post it.

Good luck :)

Answer 2

you only check email but you also check your password field

if email is correct so user will login with wrong password

try this query

$q = "SELECT email, pass FROM users WHERE email = '$email' and password = '$password' LIMIT 1";

and space between $email and LIMIT

or

remove @ from mysqli_query so its give error for better understaning

Answer 3

You didn't show the HTML, but I will try to answer with what you gave me.

1. Add a space between '$email' and LIMIT

2. Make sure you have data in the database.

3. Double check the HTML where you set the name attribute in the form and be sure it matches the $_GET[] name.