Timo Timo - 6 months ago 14
MySQL Question

PHP form accepts login with blank fields

I have a contact form where you have to register with your name, e-mail etc. After successfully entering that information, you get a mail with a generated password. Then you can go to a login screen, where you have to enter your e-mail and the password that you got via mail. If the e-mail and password are correct, it displays a link where you can download a brochure.

So far so good: when I enter false information, I can’t log in. But when I enter nothing at all, the download link will still appear.

<form method="POST" action="broschuere_download.php">
<label> E-Mail </label>
<input type="text" <?php echo "name='email' value='$email' "?>/>

<label> Passwort </label>
<input type="text" <?php echo "name='password' value='$password' "?>/>

<input class="button" type="submit" <?php echo "name='submit' value='Zur Broschüre' "?> style="margin-left: 140px; width: 276px;"/>
</form>

<?php
// MySQL
$dbhost = "host";
$dbuser = "user";
$dbpass = "pass";
$dbname = "name";
$email = $_POST["email"];
$password = $_POST["password"];

$verbindung = mysql_connect($dbhost,
$dbuser,$dbpass);

mysql_select_db($dbname)
or die ("Die Datenbank existiert nicht.");

$abfrage = "SELECT email, password FROM besco_passwords";

$ergebnis = mysql_query($abfrage);

while($row = mysql_fetch_object($ergebnis)){
if ($email === "$row->email" && $password === "$row->password"){
print "<h1 style='margin-bottom: 0px;'> Vielen Dank für Ihr Interesse! <br> Bitte klicken Sie hier zum Download der Broschüre! </h1><br> ";
print "Download: Rechtsklick -> 'Ziel speichern unter'<br /><br />";
print "<a href='http://www.test.de' target='_blank'> Broschüre </a>";
}
else{
print "";
}
}//endwhile

?>


I am not that good at PHP, but I already looked up my problem and tried to fix it myself. I also found some similar scripts, but they didn’t work for me.

(added fake login details and link for stackoverflow)

hgh hgh
Answer

Check your inputs like this:

$error=false;

if(isset($_POST['email']) && !empty($_POST['email'])) {
    $email = $_POST["email"];
} else {
    $error=true;
}

if(isset($_POST['password']) && !empty($_POST['password'])) {
    // Store the submitted password (not the e-mail) for the comparison below
    $password = $_POST["password"];
} else {
    $error=true;
}

if(!$error) {
    $verbindung = mysql_connect($dbhost,
    $dbuser,$dbpass);

    mysql_select_db($dbname)
    or die ("Die Datenbank existiert nicht.");

    $abfrage = "SELECT email, password FROM besco_passwords";

    $ergebnis = mysql_query($abfrage);

    while($row = mysql_fetch_object($ergebnis)){
        if ($email === "$row->email" && $password === "$row->password"){
            print "<h1 style='margin-bottom: 0px;'> Vielen Dank für Ihr Interesse! <br> Bitte klicken Sie hier zum Download der Broschüre! </h1><br>  ";            
            print "Download: Rechtsklick -> 'Ziel speichern unter'<br /><br />";
            print "<a href='http://www.test.de' target='_blank'> Broschüre </a>"; 
        }  
        else{
            print "";
        }
    }//endwhile
} else {
    echo "You should fill all the fields.";
}
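
The following is an added example, not code from the question or the answer. It assumes the table contains a row whose fields are NULL or empty, which is one way the blank-login behaviour in the question can arise, and contrasts the question's loop with a check that rejects blanks, uses a bound parameter and verifies a stored hash. The function names, the sample rows and the in-memory SQLite database (requires `pdo_sqlite`) are constructed for illustration.

```php
<?php
// Added example with constructed data; table name taken from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE besco_passwords (email TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO besco_passwords VALUES (?, ?)');
$ins->execute(['anna@example.test', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
$ins->execute([null, null]); // constructed: row left behind by an incomplete registration

// Comparison as written in the question: "$row->email" turns NULL into "",
// so two blank form fields are strictly equal to the NULL row.
function loginAsInQuestion(PDO $db, $email, $password): bool
{
    $rows = $db->query('SELECT email, password FROM besco_passwords', PDO::FETCH_OBJ);
    foreach ($rows as $row) {
        if ($email === "$row->email" && $password === "$row->password") {
            return true;
        }
    }
    return false;
}

// Hypothetical hardened helper: reject missing or blank input first, look up
// only the matching row with a bound parameter, and compare against a
// password hash instead of a plaintext column.
function loginHardened(PDO $db, $email, $password): bool
{
    if (!is_string($email) || !is_string($password)
        || trim($email) === '' || $password === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT password FROM besco_passwords WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn(); // false when no row, null when the column is NULL
    return is_string($hash) && password_verify($password, $hash);
}

// Blank submission against both checks, then a valid and an invalid login.
var_dump(loginAsInQuestion($db, '', ''));
var_dump(loginHardened($db, '', ''));
var_dump(loginHardened($db, 'anna@example.test', 's3cret-demo'));
var_dump(loginHardened($db, 'anna@example.test', 'wrong'));
```

Storing `password_hash()` output means the generated password is hashed at registration time and only the e-mailed copy exists in plaintext.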