ponyboy ponyboy - 3 months ago 10
PHP Question

login page allows any password to log in php

i have a problem with my code when i add this

Login.php

<?PHP session_start();
$_SESSION['email'] = $_POST['email'];

?>
<?php echo '<script>window.location = "http://somepage.com/"</script>'; ?>


my login page allows any password to log in, it displays the correct email address in my home page. but when i delete the code above and type any password it will not let me log in i have to use the correct password. why would this happen? i really need the code above to work because that allows me to log in to restricted pages this is what i use in restricted pages like profile.php

resctricted pages like profile.php

<?PHP
session_start();
if(!$_SESSION['email']){
header("Location: login");
die;
}
?>




<?PHP session_start();
$_SESSION['email'] = $_POST['email']; ?>

<?php echo '<script>window.location = "http://torcdesign.com/"</script>'; ?>

<?php
require_once("configur.php");
$mysqli = new mysqli(localhost, root, password, dbname);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}

$email=$_POST['email'];


$encrypt_password = $_POST['encrypt_password'];
$encrypt_password = hash("sha512",$encrypt_password);

$sql = "SELECT * from register_login WHERE email='$email' and encrypt_password='$encrypt_password'";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "<p>Invalid username/password combination</p>";
} else {
echo "<p>Logged in successfully</p>";
// do stuffs
}

?>




Answer

Dont set the session before you check the condition

<?PHP session_start(); ?>

<?php echo '<script>window.location = "http://torcdesign.com/"</script>'; ?>

<?php 
    require_once("configur.php");
    $mysqli = new mysqli(localhost, root, password, dbname);
    # check connection
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }

$email=$_POST['email']; 


$encrypt_password = $_POST['encrypt_password']; 
$encrypt_password = hash("sha512",$encrypt_password);

    $sql = "SELECT * from register_login WHERE  email='$email' and encrypt_password='$encrypt_password'";
    $result = $mysqli->query($sql);
    if (!$result->num_rows == 1) {
        echo "<p>Invalid username/password combination</p>";
    } else {
        $_SESSION['email'] = $email;
        echo "<p>Logged in successfully</p>";
        // do stuffs
    }

?>
Comments