Hi everyone,
my problem is let say there is a user called Joe123 and his password is 1234. Normally If he inputs his username and password, he get access to his account, this part works fine on page. But lets say instead of writing Joe123, he writes joe123 and his password, he still got access to Joe123 account. Is there a way to prevent this from happening? Thanks in advance for your help. Bellow is my code.
<?php
if (isset($_POST[‘log-in’]))
{
require ‘connect_db.php’;
$username = mysqli_real_escape_string($conn, $_POST[“username”]);
$passwd = mysqli_real_escape_string($conn, $_POST[“passwd”]);
if (empty($username) || empty($passwd))
{
header(“location: …/php/login.php?error=emptyfields”);
exit();
}
else
{
$sql = “SELECT * FROM signup WHERE username = ?;”;
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt,$sql))
{
header(“location: …/php/login.php?error=sqlerror”);
exit();
}
else
{
mysqli_stmt_bind_param($stmt,“s”, $username);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
if ($row = mysqli_fetch_assoc($result))
{
$passwdCheck = password_verify($passwd,$row[‘passwd’]);
if ($passwdCheck == false)
{
header(“location: …/php/login.php?error=wrongpassword”);
exit();
}
else if ($passwdCheck == true)
{
session_start();
$_SESSION[‘userId’] = $row[‘user_id’];
$_SESSION[‘username’] = $row[‘username’];
header(“location: …/php/profile.php?signup=logingood”);
exit();
}
}
else
{
header(“location: …/php/login.php?error=nouser”);
exit();
}
}
}
}
else
{
header(“location: …/php/login.php”);
exit();
}