0

I'm trying to create a login and sign up system with PHP the signup system work but checking for an existing value in the db wont work to create the login.

here is my db

+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
|Member_ID | int(11)     | NO   | PRI | None    | auto_increment |
|FirstName |char(20)     | NO   |     | None    |                |
|LastName  |char(20)     | NO   |     | None    |                |
|Email     |varchar(50)  | NO   |     | None    |                |
|User_Password |char(20) | NO   |     | None    |                |
+----------+-------------+------+-----+---------+----------------+

The following code is my sign up and it works 

<?php
require_once 'Database_conx.php';


$get_first_name = $_POST["Firstnamebox"];
$get_last_name  = $_POST["Lastnamebox" ];
$get_password   = md5($_POST["passwordbox" ]);
$get_email      = $_POST["emailaddbox" ];

$firstname = trim($get_first_name);
$lastname  = trim($get_last_name);
$passcode  = trim($get_password);
$email     = trim($get_email);

$processvalue = "Insert INTO Registration ( FirstName, LastName, User_Password,Email )
              VALUES ('$firstname' ,'$lastname', '$passcode' ,'$email'   )";


if (mysqli_query($conn, $processvalue)) {

echo 'Sucess in submiting data in db ';

} else {
   echo "error in testing :" .mysqli_error($conn);
}  

mysqli_close($conn)

 ?>

the following code is to check to see if a value exist in the db 

 <?php
    require_once 'Database_conx.php';

     if(isset($_POST['loginbtn'])){
       $db =  mysqli_select_db($conn, 'Star5_db');


    $email = $_POST["loginemailbox"];
    $password = $_POST["loginpasswordbox"];

    $e = trim($email);
    $p = trim($password);

    $pc = mysqli_query($db, "SELECT * FROM Registration WHERE Email = $e AND User_Password = $p");


  if (empty($e)){ 
      echo " oops you're missing your email";

  }

     if(empty($p)){
        echo "<br>Please type in your password </br>";
     } 

  if($pc)
  {
      echo " <br> $e. is found in the database :)</br>";
  } 
  elseif (empty ($e)) {
    echo '   ';

} 
elseif (!filter_var($e,FILTER_VALIDATE_EMAIL) === TRUE) {
    echo ("<br>$e is not a valid email<br>");
}

else
  {
      echo " <br> $e. not found in db </br>" .  mysqli_error();
  }  

  mysqli_close($pc); 

}

      }
  ?>

can any one tell me what am i doing wrong

Ikhlak S.
  • 8,578
  • 10
  • 57
  • 77
B.Daddy
  • 9
  • 1
  • 7
  • **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Apr 04 '16 at 16:15
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 04 '16 at 16:16

2 Answers2

0

You are storing a (poorly) hashed password in the database, but then you are searching for an unhashed, plain text match when the user tries to log in.

You need to hash the password the user submits and compare the result to whatever is in the database.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
0

Try this:

if ($pc==1) {
  echo " <br> $e. is found in the database :)</br>";
}
Michał Perłakowski
  • 88,409
  • 26
  • 156
  • 177
elcofla2
  • 13
  • 2