-1

I have here a Login I am currently working on, just having a small issue with my PHP I think.

My php for the connection to DB:

<?php
$db_name = "mydata";
$mysql_username = "root";
$mysql_password = "";
$server_name = "localhost";
$conn = mysqli_connect($server_name, $mysql_username, $mysql_password, $db_name);
if($conn){
    echo "Connection Succesful";
}
else{
    echo "Connection Not Succesful";
}
?>

My php for the actual login:

<?php
require "conn.php";
$Email = $_POST["emailPost"];
$Password = $_POST["passwordPost"];

$sql = "SELECT Password FROM users WHERE Email = '".$Email."' ";
$result = mysqli_query($conn, $sql);

if(mysqli_num_rows($result)>0){
    while($row = mysqli_fetch_assoc($result)){
        if($row == $Password){
            echo "login success";
        }
        else{
            echo "Password incorrect";
        }
    }
}else{
    echo "user not found";
}

?>

And finally, the coroutine I am using in my C#:

IEnumerator LoginAccount()
{
    WWWForm Form = new WWWForm();
    Form.AddField("emailPost", Email);
    Form.AddField("passwordPost", Password);

    WWW www = new WWW(LoginUrl, Form);
    yield return www;

    Debug.Log(www.text);
}

I get Password incorrect every single time. What am I missing?

arjwolf
  • why would you loop, there should only be ONE password to match –  Dec 06 '16 at 03:02
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 06 '16 at 13:37
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Dec 06 '16 at 13:37

2 Answers

0

Found it!

if($row['Password'] == $Password)
arjwolf
-1

Use this code (make sure to update this $row['Password'] to be the same as the password field name):

<?php
require "conn.php";
$Email = $_POST["emailPost"];
$Password = $_POST["passwordPost"];

$sql = "SELECT Password FROM users WHERE Email = '".$Email."' ";
$result = mysqli_query($conn, $sql);

if(mysqli_num_rows($result)>0){
    while($row = mysqli_fetch_assoc($result)){
        if($row['Password'] == $Password){
            echo "login success";
        }
        else{
            echo "Password incorrect";
        }
    }
}else{
    echo "user not found";
}

?>
sam
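
Added example (not code from any poster in this thread): the login script from the question rewritten with the two changes the comments ask for, a MySQLi prepared statement and `password_hash()` / `password_verify()`. It assumes the question's `conn.php` and `users` table, with the `Password` column holding `password_hash()` output; `store_user()` and `check_login()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Assumes the question's conn.php
// ($conn) and users table, with Password holding password_hash() output.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
require "conn.php";

// Registration side (hypothetical helper): store only the hash.
function store_user(mysqli $conn, string $email, string $password): bool
{
    // Hash the password exactly as typed; no escaping or trimming first.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("INSERT INTO users (Email, Password) VALUES (?, ?)");
    $stmt->bind_param("ss", $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login side (hypothetical helper): the e-mail is a bound parameter,
// so it is never parsed as part of the SQL text.
function check_login(mysqli $conn, string $email, string $password): bool
{
    $stmt = $conn->prepare("SELECT Password FROM users WHERE Email = ? LIMIT 1");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = ($stmt->fetch() === true); // null means no matching row
    $stmt->close();

    if (!$found) {
        // Unknown e-mail: do comparable hashing work anyway so the response
        // time is closer to that of a failed password check.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $hash);
}

$email = $_POST["emailPost"] ?? null;
$password = $_POST["passwordPost"] ?? null;
if (!is_string($email) || !is_string($password)) {
    http_response_code(400);
    exit("bad request");
}

// One generic failure message, so the reply does not say which e-mails exist.
echo check_login($conn, $email, $password) ? "login success" : "login failed";
```

Rows whose `Password` column still holds plain text will fail `password_verify()`, so existing accounts need their passwords re-set through `store_user()`-style hashing before this script replaces the old one.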