
This is my first login form using PHP/MYSQLI. I'm doing a tutorial on simplest.com/siteezy.com, and am having trouble with the login process. The main issue is that the form will accept any input entered (even blank fields), and bring the person to the logged-in page (account.php), whether they have registered on the site or not. The registration side of things seems to work fine. I've watched the tutorials several times, and copied the code to the letter. I'm wondering if I'm missing something here? Can't seem to find the answer here in other questions. Thanks!

<?php require 'connect.php'; ?>

<?php

if(isset($_POST['login'])){

             $emailaddress = $_POST['EmailAddress'];
             $password = $_POST['Password'];

             $result = $con->query("SELECT * FROM users WHERE EmailAddress='$emailaddress' AND Password='$password'");

             $row = $result->fetch_array(MYSQLI_BOTH);

             session_start();

             $_SESSION["UserID"] = $row['UserID'];

             header('Location: account.php');

}
?>




<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="icon" href="favicon.ico" type="image/x-icon">
<link rel="stylesheet" href="style/style.css">


</head>
<body>

<div class="container">



<!-- LOGIN FORM -->
<h3>Login here</h3>
<form action="" method="post" name="loginform" id="loginform">
<div class="form-group"> 
<div>Email Address:</div>
<input id="emailaddress" type="email" required="required" name="emailaddress" maxlength="88" class="form-control">
</div>
<div class="form-group">  
<div>Password:</div>
<input id="password" type="password" name="password" class="form-control">
</div>

<input name="login" type="submit" class="button" value="login">

</form>

</div>
ChrisJC2017

1 Answer

You should check if the form elements are set. For example:

if(isset($_POST['emailaddress']) && isset($_POST['password']))

Then check that the number of rows is greater than 1:

if($result->num_rows > 1)

And only if so should you redirect to the second page. Otherwise, do nothing.

EDIT:

<?php require 'connect.php'; ?>

<?php

if(isset($_POST['emailaddress']) && isset($_POST['password'])){

             $emailaddress = $_POST['emailaddress'];
             $password = $_POST['password'];

             $result = $con->query("SELECT * FROM users WHERE EmailAddress='$emailaddress' AND Password='$password'");

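             if($result->num_rows > 0) {

                 // Fetch the matching row so $row['UserID'] is defined
                 $row = $result->fetch_array(MYSQLI_BOTH);

                 session_start();

                 $_SESSION["UserID"] = $row['UserID'];

                 header('Location: account.php');
                 exit; // stop the script once the redirect header is sent
             }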

}
?>
C. Merabi Shmulik