Login form - PHP


#1

I am currently creating a login form with PHP and trying to get it so that once the correct details are entered it redirects the user to home. I can’t seem to find why it’s not working though; perhaps I am missing something?

<?php
$con = mysqli_connect('localhost', 'host', 'pass', 'host')
    or die("can't connect");

session_start();

if (isset($_POST['login'])) {
    // username and password sent from form
    $email = $_POST['email'];
    $password = $_POST['password'];

    $email = mysqli_real_escape_string($con, $email);
    $password = mysqli_real_escape_string($con, $password);

    $query = "SELECT * FROM accounts WHERE email = '$email' and password = '$password'";
    $select_user_query = mysqli_query($con, $query);
    if (!$select_user_query) {
        die("QUERY FAILED" . mysqli_error($con));
    }

    while ($row = mysqli_fetch_array($select_user_query)) {
        $user_email = $row['email'];
        $user_password = $row['password'];
        $user_fname = $row['fname'];
        $user_lname = $row['lname'];
        $user_dob = $row['dob'];
    }

    if ($email == $user_email && $password == $user_password) {
        header("Location: ../index.php");
    } else if ($email !== $user_email && $password !== $user_password) {
        header("Location: ../login.php");
    }
}
?>

#2

There are many issues with your code. First I would highly recommend you use PDO. Here is a tutorial to get you going.

Your code depends on the name of a button being submitted in order to work. This will completely fail in certain cases. You need to check the REQUEST METHOD.

Do not create variables for nothing. you have almost twice as much code as you need for the task at hand.

NEVER EVER put variables in your query. You need to use Prepared Statements.

Do not output internal system errors to the user. That info is only good to hackers and useless to the user.

You need to kill the script after header redirects, otherwise the script will continue to run.

The last two checks are a redundant logic opposite. Both are not needed therefore an elseif is not needed.
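The handler from the first post rewritten along the lines of the points above, as an added example and not code posted by anyone in this thread: it checks the request method, uses a PDO prepared statement, never echoes database errors to the user, and exits after each redirect. It assumes an accounts table with id, email and a password_hash column written by password_hash(); the DSN and credentials are placeholders, and the hashing step goes beyond what the reply above lists.

```php
<?php
// Added example: hardened login handler. Table/column names and DSN are assumptions.
session_start();

// Only handle an actual form submission, regardless of which button sent it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: ../login.php');
    exit;
}

$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

try {
    $pdo = new PDO('mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8mb4',
                   'DBUSER_PLACEHOLDER', 'DBPASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Prepared statement: user input is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM accounts WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Log the detail server-side; the user only sees a generic failure.
    error_log('login db error: ' . $e->getMessage());
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}

// password_verify() checks the submitted password against the stored hash; the
// same failure branch runs whether the email is unknown or the password is wrong.
if ($row !== false && password_verify($password, $row['password_hash'])) {
    session_regenerate_id(true);      // new session id on login (session fixation)
    $_SESSION['user_id'] = $row['id'];
    header('Location: ../index.php');
    exit;                             // stop the script after the redirect
}

// Single failure path: no else-if needed, and no hint about which field was wrong.
header('Location: ../login.php?error=1');
exit;
```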


#3

Avoid tutorials not written within the last ~ 3 years.

if the tutorial doesn’t have a date, look at the dates on the most recent comments made by knowledgeable people. If there are no comments either, find a more recent tutorial.

Google “php login tutorial” and limit results to the last year.

I found this one using prepared statements and mysqli https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php
and a blog post vouching for this older one that uses prepared statements and PDO http://thisinterestsme.com/php-user-registration-form/


#4

@thinsoldier, I am officially UN-vouching both those tutorials. They both have serious issues (As well as many smaller issues). Do not use either one of them. The only thing you could use them for is a “How Not To Write a Login System”.


#5

I’d go as far as saying do not write a login system if you do not absolutely have to. There are a lot of authentication systems to choose from today, even 3rd-party services you can easily integrate. Or even roll with whatever is shipped with any major framework. It is very likely to be better than what is hacked together on your own anyway.