Himanshu Rajput

Reputation: 51

PHP code for checking id with their specific password

I've created a login activity with two EditTexts, one for the id and one for the password. I have PHP code which checks the user by their id and password. If both are correct it moves to the other activity, but here I want PHP code which checks the id against its specific password. If the user enters a correct id but an incorrect password, it should produce the error "pls enter correct password".

Please suggest correct PHP code for this.

<?php

require "r_connect.php";

if($_SERVER['REQUEST_METHOD']=='POST')
{
    $rollno=$_POST['rollno'];
    $password=$_POST['password'];

    // Both values are interpolated straight into the SQL and the password is compared in plain text
    $sql = "SELECT * FROM registration_user WHERE rollno = '$rollno' AND password='$password'";

    $result = mysqli_query($connect,$sql);
    $check = mysqli_fetch_array($result);   // null when no row matched

    if(isset($check))
    {
        echo 'Success';
    }
    else
    {
        echo 'Error';
    }
}

?>

Upvotes: 1

Views: 80

Answers (4)

jirarium

Reputation: 322

Your code could look like this:

// Look the id up on its own; bind rollno instead of interpolating it into the SQL
$stmt = mysqli_prepare($connect, "SELECT * FROM registration_user WHERE rollno = ?");
mysqli_stmt_bind_param($stmt, 's', $rollno);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$check = mysqli_fetch_array($result);

Then you can do the checks:

if(mysqli_num_rows($result) > 0)   // the row count lives on the result, not on the fetched array
{
    if($check['password'] === $password){
        // id and password correct

    }else{
        // id correct, but bad password
    }
}else
{
    echo 'Invalid id';
}

Upvotes: 0

Aman

Reputation: 449

When writing an authentication flow you can keep the following things in mind:

  • validate your input data well
  • when interacting with Select queries use prepared statements whenever possible
  • use sha1 and md5 combinations on the password string to store in the database and comparisons.

I have tried to implement these things in the following code; of course there's always scope for improvement.

function checkRollno($conn, $rollno)
{
    $stmt = mysqli_stmt_init($conn);
    $prepareQuery = "SELECT COUNT(*) AS n FROM tablename WHERE rollno = ?";
    //Prepared Statements
    if( mysqli_stmt_prepare($stmt, $prepareQuery ) )
    {
        // Bind params
        mysqli_stmt_bind_param($stmt, 'i', $rollno);//i is for integer
        /* execute query */
        mysqli_stmt_execute($stmt);
        /* Fetch Result */
        $result = mysqli_stmt_get_result($stmt);
        $row = mysqli_fetch_assoc($result);
        /* close statement */
        mysqli_stmt_close($stmt);
        // COUNT(*) always yields exactly one row, so test the counted value, not count($row)
        return (int)$row['n'] > 0;
    }
    else
        return false;
}
function checkUserExists($conn, $rollno, $pass)
{
    $stmt = mysqli_stmt_init($conn);
    $prepareQuery = "SELECT COUNT(*) AS n FROM tablename WHERE rollno = ? AND password= ?";
    //Compare sha1 of md5 of your password (You should not store or check against exact password strings)
    //Hash once here; binding sha1(md5($pass)) again below would hash the value twice.
    //For new code, password_hash()/password_verify() are the better choice.
    $hashed = sha1(md5($pass));
    //Prepared Statements
    if( mysqli_stmt_prepare($stmt, $prepareQuery ) )
    {
        // Bind params (bind_param takes variables by reference, so pass $hashed, not a call)
        mysqli_stmt_bind_param($stmt, 'is', $rollno, $hashed);// s is for strings
        /* execute query */
        mysqli_stmt_execute($stmt);
        /* Fetch Result */
        $result = mysqli_stmt_get_result($stmt);
        $row = mysqli_fetch_assoc($result);
        /* close statement */
        mysqli_stmt_close($stmt);
        return (int)$row['n'] > 0;
    }
    else
        return false;
}
//Main Block
if( $_SERVER['REQUEST_METHOD'] == 'POST' )
{
    // Default to empty strings so both variables exist even when a field is missing
    $rollno = '';
    $pass = '';
    if( isset($_POST['rollno']) && $_POST['rollno'] != '' )
        $rollno = $_POST['rollno'];
    if( isset($_POST['password']) && $_POST['password'] != '' )
        $pass = $_POST['password'];

    if( $rollno === '' || $pass === '' )
        die('missing rollno or password');

    $res = checkRollno($conn, $rollno);
    if( $res )//rollno exists
    {
        if( checkUserExists( $conn, $rollno, $pass ) )
            die('authenticated');//Authenticated
        else
            die('denied');//Wrong password

    }
    else//rollno doesn't exist
    {
        //code to reflect wrong id does not exist
    }
}

I am sure you can use better function names :)

Prepared Statements

Upvotes: 0

Vinayak B

Reputation: 4520

Try below code for PHP:

<?php

require "r_connect.php";

if($_SERVER['REQUEST_METHOD']=='POST')
{
    $rollno = $_POST['rollno'];
    $password = $_POST['password'];

    // Fetch only the stored password for this id; bind rollno rather than interpolating it
    $stmt = mysqli_prepare($connect, "SELECT password FROM registration_user WHERE rollno = ?");
    mysqli_stmt_bind_param($stmt, 's', $rollno);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $check = mysqli_fetch_array($result);

    if(mysqli_num_rows($result) > 0)   // count rows on the result, not on the fetched array
    {
        if($check["password"] === $password){   // strict comparison avoids loose "==" surprises
            echo 'Success';
        }else{
            echo 'pls enter correct password';
        }
    }
    else
    {
        echo 'Invalid id';
    }
}

?>

You can also refer to this tutorial for more information.

Upvotes: 1

bene-we

Reputation: 801

Split your SQL statement into two. At first query WHERE rollno = '$rollno'; if found, go on and query WHERE rollno = '$rollno' AND password = '$password'. If everything's correct, go on. If the first statement fails, the user is not found; if the second query fails, the user is found but the password is not matching, which is your desired case.

Upvotes: 0
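The two-step check the answers above describe (look the id up first, then verify the password), as an added example that is not code from the question or any of the answers. It assumes PDO with an in-memory SQLite table named registration_user so it runs without MySQL; the same bind-then-execute pattern applies to mysqli against the connection from r_connect.php.

```php
<?php
// Added example: id lookup with a bound parameter, then password_verify() against a stored hash.
// Assumption: PDO + in-memory SQLite stand in for the MySQL table used in the thread.

const LOGIN_OK           = 'Success';
const LOGIN_BAD_PASSWORD = 'pls enter correct password';
const LOGIN_UNKNOWN_ID   = 'Invalid id';

function setupDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE registration_user (rollno TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample row: store a password_hash() digest, never the plain password.
    $ins = $db->prepare('INSERT INTO registration_user (rollno, password) VALUES (?, ?)');
    $ins->execute(['101', password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $rollno, string $password): string {
    // Step 1: look the id up on its own. The value is bound, so a quote in the input is
    // compared as data and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM registration_user WHERE rollno = ?');
    $stmt->execute([$rollno]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return LOGIN_UNKNOWN_ID;
    }
    // Step 2: the id exists, so verify the password against the stored hash.
    return password_verify($password, $row['password']) ? LOGIN_OK : LOGIN_BAD_PASSWORD;
}

$db = setupDemoDb();
// Constructed inputs: correct login, wrong password, unknown id, and an id containing a quote.
foreach ([['101', 's3cret'], ['101', 'wrong'], ['999', 's3cret'], ["10'1", 's3cret']] as [$id, $pw]) {
    printf("%-6s %-7s -> %s\n", $id, $pw, login($db, $id, $pw));
}
```

Returning a different message for an unknown id than for a wrong password is what the question asks for, but it also tells a caller which ids exist; if that matters, log the distinction server-side and show the user one generic failure message.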
