Login using prepared statement

Question

I am new in prepared statement and everytime i will login in correct input it gives me the last statement $_SESSION["message"] but why?

$user = $_POST["username"];
$pass = $_POST["password"];


$stmt = mysqli_prepare($conn, "SELECT * FROM user WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $user, $pass);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);

if(mysqli_stmt_num_rows($stmt) > 0){
$row = mysqli_stmt_fetch($stmt);

 if($row["user_type"]=="admin"){
 $_SESSION["username"] = $user;
 $_SESSION["user_type"] = $row["user_type"];
 header("Location: adminpage.php");

 }elseif($row["user_type"]=="secretary"){
 $_SESSION["username"] = $user;
 $_SESSION["user_type"] = $row["user_type"];
 header("Location: dashboard.php");
        }
        }else{
    $_SESSION["message"] = "Invalid username or password";
   header("Location: index.php");
      mysqli_stmt_close($stmt);
    }




    mysqli_close($conn);

Note, make sure to unset message before each login attempts. — , Jan 28 '18 at 16:47
**Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. — John Conde, Jan 28 '18 at 16:48
thank you sir i already put the unset but the problem now is im in action.php not in other php like dash.php? — truthlies uchiha, Jan 28 '18 at 16:50
Your passwords can easily be compromised. You need to use php `password_hash()` and `password_verify()` — Rotimi, Jan 28 '18 at 16:59

Login using prepared statement

0 Answers0