Hey guys, I've been stuck on this problem for a while now. My code seems fine, but I can't log in using the combination of 'number' and password. If I just use 'number' alone it logs in, but if I add `AND palavrapass="$password";` to the query it doesn't work. Here's my code for you guys to take a look at; maybe you can see something I can't:

```php
if (count($errors)==0) {
    $password = md5($password);
    $query= " SELECT * FROM usuario WHERE numero='$numero' AND palavrapass= '$password' ";
    $result= mysqli_query($db,$query);
    if(mysqli_num_rows($result) ==1)
    {
        $_SESSION['nome'] = $nome;
        $_SESSION['ultimonome'] = $ultimonome;
        $_SESSION['numero'] = $numero;
        header('location: pindex.php');
    }
    else{
        array_push($errors, "combinação incorreta de número / senha");
    }
}
```
Komal12
  • Change your query to this and test again : `" SELECT * FROM usuario WHERE numero={$numero} AND palavrapass= {$password} "` – Hamza Abdaoui Jan 25 '18 at 10:25
  • It seems to me that your code is OK and you have some error in your query when you are using it with the password flag too. – Aman Maurya Jan 25 '18 at 10:28
  • 1
    Code is NOT ok. OP is setting sessions from variables that aren't even set; `$nome`,`$ultimonome`,`$numero;` are all undefined and null. `$errors` is also undefined in this snippet. And don't get me started on how vulnerable this code is to MySQL injection and insecure password hashing. – IsThisJavascript Jan 25 '18 at 10:31
  • Op, try outputting the result of `$query` and run it in your SQL application. Maybe you've forgotten to set `$password` as the correct `$_POST` – IsThisJavascript Jan 25 '18 at 10:31
  • @IsThisJavascript that is what I was saying, there might be a chance that Marcio has some typo error when going with the password field in the SQL query. – Aman Maurya Jan 25 '18 at 10:35
  • @HamzaAbdaoui, it didn't fix the problem but at least I got a different error this time!... It gave me `Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in` – Marcio Quiteque Jan 25 '18 at 10:35
  • @IsThisJavascript cool, let me try that!! And yea, I know it's vulnerable :( , – Marcio Quiteque Jan 25 '18 at 10:36
  • 3
    `mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given` means your query failed. That's because Hamza missed out the single quotes wrapped around `{$numero}` and `{$password}` – IsThisJavascript Jan 25 '18 at 10:40
  • Try to debug your SQL query with the approach which @IsThisJavascript has suggested; this is the best way you are going to find the error. – Aman Maurya Jan 25 '18 at 10:42
  • 3
    "_it doesn't work_" is about the best error description ever. Is your password actually stored as `md5()`? – brombeer Jan 25 '18 at 10:48
  • 1
    "echo" your $query variable once it is initialized and see if you get the result even at your DBMS side. – Abhishek Jan 25 '18 at 10:48
  • 3
    **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Jan 25 '18 at 10:49
  • 2
    @Quentin funny how you mention him using md5 hashing, while not even speaking about http://bobby-tables.com/ – Matt Smeets Jan 25 '18 at 10:50
  • You need to provide a clear problem statement and an [mcve]. What input are you passing this? What result do you get? How does that differ from what you expect? Have you ensured that [error reporting is turned up as high as possible](https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display)? – Quentin Jan 25 '18 at 10:53
  • Okay, so the strangest thing happened: I created an entry without the md5 on the password and tried executing this in my SQL application: `SELECT * FROM usuario where palavrapass ='12'`... and no rows appeared... but it's clearly in my database... I can see it when I Select * from usario... – Marcio Quiteque Jan 25 '18 at 10:58
  • @kerbholz yea it does – Marcio Quiteque Jan 25 '18 at 10:58
  • @Abhishek the strangest thing is I still get no rows when I can clearly see it in my db – Marcio Quiteque Jan 25 '18 at 10:59
  • @Quentin ya I know!! And thanks for the tip!!! – Marcio Quiteque Jan 25 '18 at 11:00
  • @MattSmeets lolol bobby tables – Marcio Quiteque Jan 25 '18 at 11:03
  • @MarcioQuiteque Just out of curiosity: is there any reason you aren't using any PHP framework, like Laravel? – Bhargav Nanekalva Jan 25 '18 at 11:21
  • 1
    @BhargavNanekalva nope, there isn't. I'll search it up, I'm guessing it's helpful.... – Marcio Quiteque Jan 25 '18 at 11:36
  • 1
    @MarcioQuiteque If you don't mind telling, what kind of project are you working on? – Bhargav Nanekalva Jan 25 '18 at 13:35
  • @BhargavNanekalva sure, it's a website that allows people to search up electricians, plumbers etc. online, so that they can be contacted if needed, and these handymen need to be registered online, and also need to be able to log in, and I'm having trouble with the login; the registration is fine, it's just the log in – Marcio Quiteque Jan 26 '18 at 10:44
  • @MarcioQuiteque then you can definitely use Laravel for building such an application. Do try it. – Bhargav Nanekalva Jan 26 '18 at 12:01
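
The two fixes the commenters point at (bound parameters instead of string-built SQL, and `password_hash()`/`password_verify()` instead of `md5()`), shown as an added example that is not part of the thread or the asker's code. It uses PDO with an in-memory SQLite database so it runs without a server (assumes the `pdo_sqlite` extension); the table and column names follow the question, `nome` and `ultimonome` are assumed to be columns, and the sample user is constructed.

```php
<?php
// Added example: constructed schema and data, not the asker's database.
// Assumes usuario has columns numero, palavrapass, nome, ultimonome.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usuario (
    numero TEXT PRIMARY KEY, palavrapass TEXT NOT NULL,
    nome TEXT, ultimonome TEXT)');

// Registration side: store a salted, slow hash instead of md5().
function register(PDO $db, string $numero, string $password,
                  string $nome, string $ultimonome): void
{
    $stmt = $db->prepare('INSERT INTO usuario (numero, palavrapass, nome, ultimonome)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$numero, password_hash($password, PASSWORD_DEFAULT),
                    $nome, $ultimonome]);
}

// Login side: look the row up by numero only, then verify the hash in PHP.
// Returns the user row (without the hash) on success, null otherwise.
function login(PDO $db, string $numero, string $password): ?array
{
    $stmt = $db->prepare('SELECT numero, palavrapass, nome, ultimonome
                          FROM usuario WHERE numero = ?');
    $stmt->execute([$numero]);          // value is bound, never spliced into the SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['palavrapass'])) {
        return null;                    // same result for unknown user and bad password
    }
    unset($row['palavrapass']);         // do not carry the hash into the session
    return $row;                        // caller copies these fields into $_SESSION
}

// Constructed sample user.
register($db, '923000001', 'constructed-password', 'Ana', 'Silva');

var_dump(login($db, '923000001', 'constructed-password') !== null); // correct pair
var_dump(login($db, '923000001', 'wrong') !== null);                // bad password
var_dump(login($db, "923000001' -- ", 'x') !== null);               // quote stays data
```

`password_hash()` output is longer than an `md5()` hex digest, so `palavrapass` needs a column wide enough to hold it; the PHP manual suggests 255 characters.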

0 Answers