-1

Can't login with ajax returns the login page as success.

This is the ajax code.

<script>
  $(document).ready(function(){
    $('#signIn').click(function() {
      var user = $('#user').val();
      var pass = $('#password').val();
      if(user == '' || pass ==''){
        alert("Please Fill All Fields");
      }else{
        $.ajax({
          type: "POST",
          url: "functions.php",
          data: {user: user, pass: pass},
          cache: false,
          success: function(result){

          //This returns the login page itself.

           console.log(result);
         }
        });
      }
      return false;
    });
  });
</script>

Php file for login

<?php

    include_once "../private/classes/login.class.php";

    $userLogin = new Login($user,$pass);
   if($_SERVER['REQUEST_METHOD']=='POST'){
    $user = $_POST['user'];
    $pass =$_POST['pass'];
    $userLogin->signIn();
   }    
?>

Php Class

<?php
    include_once "db.class.php";

    class Login extends Dbh{

        public $user;
        public $pass;

        public function __construct($user, $pass){
            $user = $this->user;
            $pass = $this->pass;
        }

        public function signIn(){
            $sql = "SELECT username, email, password, role FROM admin Where (email = '$user' OR username = '$user') 
                    UNION 
                    SELECT username, email, password, role FROM employee Where (email = '$user' OR username = '$user' ) 
                    UNION 
                    SELECT username, email, password, role FROM customer Where (email = '$user' OR username = '$user')";

            $result = $this->connect()->query($sql);
            $numRows = $result->num_rows;
            if($numRows > 0){
                $row = $result->fetch_object();
                $db_pass = $row->password;
                $role = $row->role;

                // I entered password manually using phpmyadmin so it not hashed. This is used
                //to hash the db password for checking purpose.

                $hashed_password = password_hash($db_pass, PASSWORD_DEFAULT);

                if(password_verify($pass,$hashed_password)){
                    return true;
                }else{
                    header('location:login.php');
                }
            }else{
                header('location:login.php');
            }
        }
    }
?>

Normal login works fine but can't use ajax login. Tried different possible solutions from stackoverflow and other sites, But didn't work. I think ajax is not sending any request to functions.php.

Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
Vikram Khan
  • 15
  • 2
  • Have you tried putting the actual user and password values in the data: line to check the Ajax call is firing? – fraggley May 10 '20 at 00:28
  • Put the submit button outside of the
    tag so the $('signin').click call is handled instead of submitted by the native Form action to submit. There should only be one way to login afterall, right? If you are trying to enforce AJAX to handl . e it, put that button outside of the
    tag. Example button:
    – Chris Medina May 10 '20 at 00:31
  • You're hashing the password when trying to login, which is not the way to do this. You should hash during registration and verify during login. I am glad that you know you have a possible SQL injection problem, please fix it before going to production. – Jay Blanchard May 10 '20 at 00:48
  • [How to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/11610605). – danblack May 10 '20 at 01:04

1 Answers1

0

You are calling the constructor $userLogin = new Login($user,$pass); before you have initialized $user and $pass. It will give fatal error. Change it like this 

    include_once "../private/classes/login.class.php";


   if($_SERVER['REQUEST_METHOD']=='POST'){
    $user = $_POST['user'];
    $pass =$_POST['pass'];
    $userLogin = new Login($user,$pass);
    $userLogin->signIn();
   }    
?>
Muhammad Saquib Shaikh
  • 296
  • 2
  • 13