Even after entering my email and password into the database, the login page keeps telling me they don't match. What do I need to do?

Beginners - Learning PHP
#1

I am making a e book website. after making a register and muti user login page, it shoud be directed to userhome page or adminhome page but instead it keeps telling me that my email and password dont match. I have connected it to database where entries are there. How can i solve it?

This is my login page.

<?php

@include 'config.php';


if(isset($_POST['submit'])){

   $email = mysqli_real_escape_string($conn, $_POST['email']);
   $pass =  md5($_POST['password']);

   $select_users = mysqli_query($conn, "SELECT * FROM `users` WHERE email = '$email' AND password = '$pass'") or die('query failed');

   if(mysqli_num_rows($select_users) > 0){

      $row = mysqli_fetch_array($select_users);

      if($row['user_type'] == 'admin'){

         $_SESSION['admin_name'] = $row['name'];
         $_SESSION['admin_email'] = $row['email'];
         $_SESSION['admin_id'] = $row['id'];
         header('location:admin_page.php');

      }elseif($row['user_type'] == 'user'){

         $_SESSION['user_name'] = $row['name'];
         $_SESSION['user_email'] = $row['email'];
         $_SESSION['user_id'] = $row['id'];
         header('location:home.php');

      }

   }else{
      $message[] = 'email and password dont match ';
   }

}

?>

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="UTF-8">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>login</title>

   <!-- font awesome cdn link  -->
   <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0/css/all.min.css">

   <!-- custom css file link  -->
   <link rel="stylesheet" href="style.css">

</head>
<body>

<?php
if(isset($message)){
   foreach($message as $message){
      echo '
      <div class="message">
         <span>'.$message.'</span>
         <i class="fas fa-times" onclick="this.parentElement.remove();"></i>
      </div>
      ';
   }
}
?>
   
<div class="form-container">

   <form action="" method="post">
      <h3>login now</h3>
      <input type="email" name="email" placeholder="enter your email" required class="box">
      <input type="password" name="password" placeholder="enter your password" required class="box">
      <input type="submit" name="submit" value="login now" class="btn">
      <p>don't have an account? <a href="register.php">register now</a></p>
   </form>

</div>

</body>
</html>
#2

Don’t bother using mysqli_num_rows. It only works for buffered result sets or if you have already fetched all the rows from an unbuffered result set and php has recently changed the default buffered/unbuffered setting. Instead, just fetch the row and test the result from the fetch statement. If doing that doesn’t produce the correct result, you will need to determine why the query isn’t matching a row of data.

Whatever learning resource you are using, it is filled with unnecessary coding and bad practices. Here’s a list of points for the posted code -

  1. don’t use the @ error suppressor, ever.
  2. use ‘require’ for things you code must have for it to work.
  3. don’t attempt to detect if the submit button is set, there are cases where it won’t be. Instead, detect if a post method form has been submitted.
  4. you should trim all input data before using it, mainly so that you can detect if all white-space characters where entered.
  5. validate all inputs before using them.
  6. don’t use any _escape_string() function to try to protect against sql special characters in data from breaking your sql query syntax. if you haven’t set the character set that php is using to match your database tables, when you make the database connection, which is rarely done, it is still possible for sql special characters in a database value to break the sql query syntax, which is how sql injection is accomplished. instead, use a prepared query.
  7. this would be a good time to switch to the much simpler and more modern PDO database extension.
  8. don’t use md5() for password hashing. instead, use php’s password_hash() and password_verify().
  9. build the sql query statement in a php variable. this makes debugging easier and help prevent typo mistakes.
  10. list out the columns you are SELECTing in a query.
  11. upon successful login, the only value you should store in a session variable is the user id. you should query on each page request to get any other user data.
  12. the only redirect in post method form processing should be to the exact same url of the current page to cause a get request for that page. if you want someone to be able to goto a different page, provide navigation links OR just put the login code on any page that needs it.
  13. any redirect needs an exit statement to stop php code execution.
  14. an empty action="" attribute is not valid. to cause a form to submit to the same page, leave the entire action="" attribute out of the form tag.
  15. you should repopulate the appropriate form field values with any existing data so that the user doesn’t need to keep reentering data upon any user/validation errors.
  16. any value you output in a html context should have htmlentities() applied to it to help prevent cross site scripting.
3 Likes
#3

okay i’ll look into it. Thanks for the help.

#4

Here’s an additional point - don’t use or die() for database error handling. Instead, use exceptions for errors and in most cases simply let php catch and handle any exception where php will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors.)

1 Like
Sponsor our Newsletter | Privacy Policy | Terms of Service