
I have a login.php containing the login class and the login handling. I'm including login.php in index.php.

Can't understand why the validation is not working; here is the code:

login.php

<?php 
include_once('Database.php');

class login extends Database{
    protected $_db;

    public $_error;
    public $_password;
    public $_email;

    public function __construct(){
        $this->_db = new Database('localhost','root','','kupon') or $this->_error = 'Could not connect to database';
    }

    public function validate($email, $password){
        $query = $this->_db->query("SELECT * FROM users WHERE email='$this->_email' AND password ='$this->_password'");
        $rows = $this->_db->numrows();

        if($rows == 1){
            $result = mysql_fetch_assoc($query);
            if ($results['email'] == $email && $results['password'] == $password);
                return true;
        } else{
            $this->_error =  '<p> User Does not exists</p>';
        }
    }

}

$login = new login();


if (isset($_POST['email']) && isset($_POST['password'])){
    $email = $_POST['email'];
    $password = $_POST['password'];

    if($login->validate($email, $password))
        echo 'your in';
}

?>
                <form action="index.php" method="post" class="form">
                    <p class="email">
                        <input type="text" name="email" /> :E-mail<br />
                    </p>
                    <p class="password">
                        <input type="password" name="password" /> :Password<br />
                    </p>
                    <p class="submit">  
                        <input type="submit" value="Log in" />  
                    </p>  
                </form> 

And I just include it in index.php

            <?php
                include_once ('php/ooplogin.php');
            ?>

What am I missing here?

Shahar Galukman
  • try adding `var_dump($result);` directly after the fetch – Andrew Brock Aug 25 '12 at 10:19
    There seems to be an odd mix of an object oriented wrapper and old fashioned mysql_* calls in your code, so I can only assume you're using some kind of self-made wrapper around mysql_* or something. I'd suggest you drop that and go with the object-oriented version of mysqli or with PDO. Both provide a fully OO interface and are more up to date and featureful than the deprecated-in-all-but-name mysql_* functions. – GordonM Aug 25 '12 at 10:22

1 Answer


You're validating the user here:

$query = $this->_db->query("SELECT * FROM users WHERE email='$this->_email' AND password ='$this->_password'");

and you are trying to do exactly the same thing here:

  if ($results['email'] == $email && $results['password'] == $password);
                return true;

Your function should look like this:

 public function validate($email, $password){
        // you should escape $email and $password to prevent SQL injection!!!
        $query = $this->_db->query("SELECT * FROM users WHERE email='$email' AND password='$password'");
        $rows = $this->_db->numrows();
        // true when exactly the matching row(s) came back, false otherwise
        return !!$rows;
  }

And you have a security issue there. Please read this article:

And I don't know what you are trying to accomplish here:

class login extends Database{
public function __construct(){
     $this->_db = new Database(...

if you're extending the Database class, why not:

class login extends Database{
  public function __construct() {
    // a constructor call has no return value, so "... or $this->_error = ..."
    // after it would always set the error; report connection failures from
    // inside Database::__construct (e.g. by throwing) instead
    parent::__construct('localhost','root','','kupon');
  }
  public function foobar() {
     // the inherited query() is available directly on $this
     $query = $this->query("SELECT * FROM foo");
     return $query;
  }
}
Peter
  • Trying to use database class to handle connection to db and query functions. maybe I should just use built-in functions. – Shahar Galukman Aug 25 '12 at 11:09
  • it's proper practice to use a database class, but you are creating a database class inside a database class, which is weird – Peter Aug 25 '12 at 11:12
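The answer's point about escaping deserves a concrete demonstration. The following is an added example, not code from the question or from Peter's answer: it keeps the original string-built query side by side with a PDO prepared-statement version, feeds both the same injected input, and stores a password hash instead of the plaintext the original compares against. It assumes PHP 7.4+ with the pdo_sqlite extension (an in-memory SQLite database stands in for the MySQL `kupon` database so it runs offline); the `users(email, password_hash)` table and the `alice@example.com` account are constructed for this example and are not the original schema.

```php
<?php
// Added example (not from the original post or answer): hardened login check
// with PDO prepared statements and password_verify(), next to the injectable
// string-built query, run against a constructed in-memory SQLite database.
// Assumption: pdo_sqlite is available.

class Login
{
    private PDO $db;
    public string $error = '';

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // throw on SQL errors instead of silently returning false
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Vulnerable form, kept only to show the problem: user input is
    // interpolated straight into the SQL text, like the original query.
    public function validateUnsafe(string $email, string $password): bool
    {
        $sql = "SELECT * FROM users WHERE email='$email' AND password_hash='$password'";
        $rows = $this->db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
        return count($rows) > 0;
    }

    // Hardened form: the e-mail is bound as a parameter, so it can never
    // change the query's structure, and the password is checked against a
    // stored hash rather than compared as plaintext in SQL.
    public function validate(string $email, string $password): bool
    {
        $stmt = $this->db->prepare('SELECT password_hash FROM users WHERE email = ?');
        $stmt->execute([$email]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row === false || !password_verify($password, $row['password_hash'])) {
            // one generic message for "unknown user" and "wrong password",
            // so the response does not reveal which e-mails are registered
            $this->error = 'Invalid e-mail or password';
            return false;
        }
        return true;
    }
}

// Constructed sample data: a single account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

$login = new Login($db);

// Injected "password": closes the quoted string and appends OR '1'='1', so
// the WHERE clause becomes  email='...' AND password_hash='' OR '1'='1'
// and matches every row regardless of e-mail or password.
$injected = "' OR '1'='1";

echo 'unsafe, injected password: ';
var_dump($login->validateUnsafe('nobody@example.com', $injected));

echo 'prepared, injected password: ';
var_dump($login->validate('nobody@example.com', $injected));

echo 'prepared, wrong password: ';
var_dump($login->validate('alice@example.com', 'wrong'));

echo 'prepared, correct password: ';
var_dump($login->validate('alice@example.com', 'correct horse'));
```

Run it with `php login_example.php` (any file name). The string-built check accepts the injected password for an e-mail that does not even exist, while the prepared-statement check rejects it and only succeeds for the real account with the real password. Note that even the answer's corrected query still compares the password as plaintext inside SQL; binding the e-mail and verifying a hash in PHP removes both that weakness and the injection in one change.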