md5 matching password using mysqli_query? - php

i am currently having problem matching my md5 password in database with data entered by the user, i know that i should not use such type of password matching but i want to know why this does not work.
here is my login script
<?php
//Login Script
if (isset($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = $_POST["user_login"];
$password_login = $_POST["password_login"];
$md5password_login = md5($password_login);
$sql = mysqli_query($conn, "SELECT id FROM users2 WHERE username='$user' AND password='$md5password_login' LIMIT 1"); // query the person
//Check for their existance
$userCount = mysqli_num_rows($sql); //Count the number of rows returned
if ($userCount == 1) {
while($row = mysqli_fetch_array($sql,MYSQLI_ASSOC)) {
$rahul = $row["id"];
}
$_SESSION["id"] = $rahul;
$_SESSION["user_login"] = $user_login;
$_SESSION["password_login"] = $password_login;
exit("<meta http-equiv=\"refresh\" content=\"0\">");
} else {
echo 'That information is incorrect, try again';
exit();
}
}
?>
Whenever i enter the correct details, it throws your information is incorrect, earlier it used to work in mysql_query but now it's deprecated.

Incorrect pass in a user & pass in here :
$sql = mysqli_query($conn, "SELECT id FROM users2 WHERE username='$user' AND password='$pass' LIMIT 1");
you should change it :
$sql = mysqli_query($conn, "SELECT id FROM users2 WHERE username='$user_login' AND password='$md5password_login' LIMIT 1");

Related

How to save date only once per day in the table

I have a login form who data are stored in a table users. I also have another table that stores the login date and time.
The table users (id, username, password)
The table user_login (id, user_id, login_date)
The code I tried:
$db = mysqli_connect('localhost', 'root', '', 'registration');
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$name = $_SESSION['username'];
$row=mysqli_fetch_array($results);
$user_id= $row['id'];
$date = date('Y-m-d');
$checkdate= "SELECT id from user_login WHERE user_id='$user_id' AND DATE(login_date)='$date'";
$check=mysqli_query($db, $checkdate)or die(mysqli_error($db));
if(mysqli_num_rows($check)==1){
$updatedate="UPDATE user_login set date= $date where id=$user_id";
mysqli_query($db,$updatedate)or die(mysqli_error($db));
}
else{
$insertdate="INSERT INTO user_login (user_id, login_date) values($user_id, $date)";
mysqli_query($db,$insertdate)or die(mysqli_error($db));
}
// $_SESSION['success'] = "You are now logged in";
header('location: profile.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
The above code just adds date and time every time I login. But I want to save the date only once per day.
Here's one idea.
You could save date into your user_login table and then you can check and compare it
Before inserting into your user login table you would then check it.
Get id of the user from $results.
And check table:
$date=date('Y-m-d');
Select id from user_login where user_id = $user_id and Date(login_date) = $date
If there is a record just update date
$cur_date=date('Y-m-d');
Update user_login set date=$cur_date where id=$user_login_id
else insert one
INSERT INTO user_login (user_id, login_date) values($user_id, $cur_date);
I hope you understand the logic.
I hope you are using mysqli_escape_string in order to prevent from sql injection.
Don't use md5 for password encryption use bcrypt or other secure encryption functions.
here is working version of your code. Don't use it in production.
$db = mysqli_connect('localhost', 'root', '', 'registration');
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$name = $_SESSION['username'];
$row = mysqli_fetch_array($results);
$user_id = $row['id'];
$date = date('Y-m-d');
$datetime = date('Y-m-d H:i:s');
$checkdate = "SELECT id from user_login WHERE user_id='$user_id' AND DATE(login_date)='$date'";
$check = mysqli_query($db, $checkdate) or die(mysqli_error($db));
if (mysqli_num_rows($check) == 1) {
$updatedate = "UPDATE user_login set login_date='$datetime' where user_id=$user_id and DATE(login_date)='$date'" ;
mysqli_query($db, $updatedate) or die(mysqli_error($db));
} else {
$insertdate = "INSERT INTO user_login (user_id, login_date) values($user_id, '$datetime')";
mysqli_query($db, $insertdate) or die(mysqli_error($db));
}
// $_SESSION['success'] = "You are now logged in";
header('location: profile.php');
die;
}else {
array_push($errors, "Wrong username/password combination");
}
}
this is just demonstration.

login page nested if php

login php with different user by classified the code using nested if method, however, it will only run the first if but not the second
$sql= mysql_query("SELECT * FROM user WHERE id= '$id' AND password= '$password'");
$sql1 = "SELECT position FROM user WHERE id ='$id' AND password = ' $password'";
if(mysql_num_rows($sql) > 0)
{
if($sql1 = "student" )
where the nested if begin
{
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('Login Succesfully!.')
window.location.href='google.com.my'
</SCRIPT>");
}
else if($sql1 = "lecturer" )**it will not run until this if **
{
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('Login Succesfully123!.')
window.location.href='www.yahoo.com'
</SCRIPT>");
}
exit();
}
else{
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('Wrong username password combination.Please re-enter.')
window.location.href='login.html'
</SCRIPT>");
exit();
}
}
?>
use
$sql1 = mysql_query("SELECT position FROM user WHERE id ='$id' AND password = ' $password'");
instead of
$sql1 = "SELECT position FROM user WHERE id ='$id' AND password = '$password'";
You have to fetch the data from table using mysql_fetch_array or mysql_fetch_assoc
And if condition should be
if($something == "student" )
not
if($something = "student" )
EDIT
Try like this..and make required changes
$sql1 = mysql_query("SELECT position FROM user WHERE id ='$id' AND password = ' $password'");
if($row = mysql_fetch_array($sql1))
{
$result = $row['position'];
}
Then
if($result == "student")
{
//do something...
}
In your second sql statement, change ' $password'"; to '$password'";
You are not comparing, but assigning value to $sql1
if($sql1 = "student" )
Change to
if($sql1 == "student" )
For password safety, use password_hash function
You never run a query to return a value to $sql1. put mysql_query around your $sql1 query and it'll return what you want. Also you're not breaking out of your query to input data, you have to do mysqli_query("SELECT * FROM user WHERE id = "' . $id . '" AND password = "' $password'");
Also you should move to mysqli_query rather than mysql_query.
MySQL vs MySQLi when using PHP

how to allow email as well as username to login into account?

for a long time i have been using username as only option to log in to my website account but most of the users forget their username so i want to add email and username both as options to login.
here is my code to create a session and log in the user.
<?php
if(isset($_POST["user_login"]) && isset($_POST["password_login"])) {
$user_login = preg_replace('#[^A-Za-z0-9#._\(\)\']#i', '', $_POST["user_login"]);
$password_login = preg_replace('#[^A-Za-z0-9!#._]#i', '', $_POST["password_login"]);
$md5password_login = md5($password_login);
$sql = mysql_query("SELECT id FROM users WHERE username='$user_login' AND password='$md5password_login' LIMIT 1");
//check for their existance
$userCount = mysql_num_rows($sql); //count the number of rows returned
if ($userCount == 1) {
while($row = mysql_fetch_array($sql)) {
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["user_login"] = $user_login;
$_SESSION["password_login"] = $password_login;
exit("<meta http-equiv=\"refresh\" content=\"0\">");
} else {
echo "Your Username or Password is Incorrect. please try again.";
exit();
}
}
?>
How can i add email with username login ?
Note : the teacher who taught me php showed me how to use mysql_query and not the latest version and i know it is being deprecated so i have already changed all my query's, this is an old code.
You can give option on your login form to select login (radio button) type as username or Email.Then change your query accordingly:
if($logintype=="Username")
{
//Current Username query
}
else
{
//Email Login query
}
or you can use both in query as:
$sql = mysql_query("SELECT id FROM users WHERE (username='$user_login' || email='$_POST[user_login]') AND password='$md5password_login' LIMIT 1");
try this.. by checking post data is email or not
$email = $_POST["user_name"];
if (preg_match("/([\w\-]+\#[\w\-]+\.[\w\-]+)/",$email))
{
// email query
}
else
{
// username query
}

MYSQL/PHP selecting

I have 2 tables :
newpw_ask
email
code
users
id
username
password
email
sid
newpw_code
I have this PHP code:
$code = $_POST['code2'];
$email = mysql_query("SELECT email FROM pw_ask WHERE code='$code'");
if ($pass == $pass2) {
if ($email) {
$pass3 = md5($pass);
mysql_query("UPDATE users SET password='$pass3' WHERE email='$email'");
mysql_query("UPDATE users SET newpw_code='' WHERE email='$email'");
mysql_query("DELETE FROM pw_ask WHERE code='$code'");
header("Location: index.php?ret=pw");
} else {
echo 'Wrong code';
}
}
Only this query got executed:
mysql_query("DELETE FROM pw_ask WHERE code='$code'");
Also when I enter the right code, it says “Wrong code”.
You need to select the email correctly :
$sql = mysql_query("SELECT email FROM pw_ask WHERE code='$code'");
$row = mysql_fetch_array($sql);
$email = $row['email'];
btw you can also update multiple fields in 1 query :
mysql_query("UPDATE users SET password='$pass3' , newpw_code='' where email='$email'");

php logs random username and passwords in?

//mysql connection
$com = mysql_connect("localhost","root","");
mysql_select_db("usersystem");
if(isset($_POST['Submit'])) {
$userName = $_POST['userName'];
$passWord = $_POST['passWord'];
$result = mysql_query("SELECT userID FROM tbl_users WHERE userName='$userName' AND passWord='$passWord' LIMIT 1");
if(mysql_num_rows($result)==1) {
//"login success";
$data = mysql_fetch_array($result,1);
$_SESSION['userID'] = $data['userID'];
header("location: dashboard.php");
}
else {
//login failed
$error = "login failed";
}
I have set up a database in phpMyAdmin, and I have 2 users in my database. However, when I launch my site, I type in the username and password for both user's and it works! But, if I type in random words for both username and passwords it still logs in, I'm very confused. Please help me.
if(mysql_num_rows($query)==1){
//"login success";
$data=mysql_fetch_array($query,0);
$_SESSION['userID']=$data['userID'];
header("location:dashboard.php");
}
change the zero to 1 and also dont use mysql_ is deprecated use mysqli or PDO
$query=mysql_query("SELECT userID FROM tbl_users WHERE userName='$userName' AND passWord='$passWord' limit 1 ", $com);
and change this.
You are better off with
if(mysql_num_rows($query)) {
..
docs :
The number of rows in a result set on success or FALSE on failure.
$query is an empty variable.
Go for
$result = mysql_query("SELECT userID FROM tbl_users WHERE userName='$userName' AND passWord='$passWord' LIMIT 1");
if(mysql_num_rows($result))
{
//"login success";
$data = mysql_fetch_array($result,0);
...

Categories