I have a PHP page for checking username/password:
    foreach($_REQUEST as $k=>$v){
        // Create connection
        $conn = new mysqli($servername, $username, $password, $dbname);
        // Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }
        $sql = "SELECT password FROM authentication WHERE username='$k'";
        $result = $conn->query($sql);
        $sql2 = "SELECT owner FROM listofowners WHERE owner='$k'";
        $result2 = $conn->query($sql2);
        if ($result->num_rows > 0) {
            // output data of each row
            $row = mysqli_fetch_assoc($result);
            if ($row["password"] == '$v') {
                if ($result2->num_rows > 0) {
                    echo "successfulowner";
                    break;
                } else {
                    echo "successfulguest";
                    break;
                }
            } elseif($row["password"] != '$v') {
                echo "wrong password";
            }
        } else {
            echo "No such email as:" .$k;
        }
        $conn->close();
    }
    ?>
Despite entering the correct password, I keep getting the wrong password message.
What am I doing wrong?
You are comparing it wrong:
    $row["password"]!='$v'
Try it like this:
    $row["password"]!= $v
You are mentioning the string $v itself.
And you are also not comparing the username. Follow the same approach for it.
As stated in the comments, it's the single quotes around your variable '$v'.
Inside a longer string enclosed by double quotes, as in your query line, the single quotes won't stop the variable from being parsed, but on their own they make it no longer a variable but the static string $v.
So that condition will only pass as true if the password is literally $v.
Remove the single quotes from your variable $v. It's a variable, not a string, which is holding your value. So remove the quotes from your code wherever you wrote '$v' like this in your conditional statement.
Try this:
    $row["password"]!=$v
And
    $row["password"]==$v
Assuming that your $_REQUEST has something like:
"username" = "name_of_the_user"
"password" = "123456"
This code can validate them:
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    // Look up the stored password with a bound parameter
    $stAuth = $conn->prepare("SELECT password FROM authentication WHERE username=?");
    $stAuth->bind_param("s", $_REQUEST["username"]);
    $stAuth->execute();
    // Buffer the result so a second statement can run on this connection
    $stAuth->store_result();
    $stAuth->bind_result($storedPassword);
    if ($stAuth->fetch()) {
        // Strict comparison: == would treat numeric-looking strings as numbers
        if ($_REQUEST["password"] === $storedPassword) {
            $stOwner = $conn->prepare("SELECT owner FROM listofowners WHERE owner=?");
            $stOwner->bind_param("s", $_REQUEST["username"]);
            $stOwner->execute();
            $stOwner->bind_result($owner);
            if ($stOwner->fetch()) {
                echo "successfulowner";
            } else {
                echo "successfulguest";
            }
            $stOwner->close();
        } else {
            echo "wrong password";
        }
    } else {
        echo "No such email as:" . $_REQUEST["username"];
    }
    $stAuth->close();
    $conn->close();
Your code is vulnerable to SQL injection, and my code could be better too. Take a look at how SQL injection and input validation work to write better code!
Your original code was assuming that $_REQUEST has the username as a key. That's not usual, so I think your code has the wrong logic.
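
An added example, not part of any of the answers above: it runs the question's concatenated query and a bound-parameter query against the same input, then performs the login check with input validation. It assumes PDO with an in-memory SQLite database in place of the page's mysqli connection; the sample rows and the function names `rowsConcatenated`, `rowsPrepared` and `checkLogin` are constructed for illustration.

```php
<?php
// Constructed in-memory SQLite database standing in for the page's MySQL
// tables; table and column names follow the question, rows are sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE authentication (username TEXT PRIMARY KEY, password TEXT)");
$db->exec("CREATE TABLE listofowners (owner TEXT PRIMARY KEY)");
$db->exec("INSERT INTO authentication VALUES ('alice@example.com', 'alice-pw'), ('bob@example.com', 'bob-pw')");
$db->exec("INSERT INTO listofowners VALUES ('alice@example.com')");

// Pattern from the question: the value is pasted into the SQL text.
function rowsConcatenated(PDO $db, string $user): int {
    $sql = "SELECT password FROM authentication WHERE username='$user'";
    return count($db->query($sql)->fetchAll());
}

// Bound parameter: the value is sent as data and never parsed as SQL.
function rowsPrepared(PDO $db, string $user): int {
    $st = $db->prepare("SELECT password FROM authentication WHERE username = ?");
    $st->execute([$user]);
    return count($st->fetchAll());
}

// Hypothetical helper: input validation plus bound parameters.
function checkLogin(PDO $db, $user, $pass): string {
    // Request values can be arrays (e.g. username[]=x), so check the type first
    if (!is_string($user) || !is_string($pass) || $user === '' || strlen($user) > 254) {
        return "invalid input";
    }
    $st = $db->prepare("SELECT password FROM authentication WHERE username = ?");
    $st->execute([$user]);
    $stored = $st->fetchColumn();
    if ($stored === false) return "no such user";
    // The page's schema stores the password as-is; a real table would hold
    // password_hash() output and be checked with password_verify().
    if (!hash_equals($stored, $pass)) return "wrong password";
    $st = $db->prepare("SELECT 1 FROM listofowners WHERE owner = ?");
    $st->execute([$user]);
    return $st->fetchColumn() !== false ? "successfulowner" : "successfulguest";
}

$odd = "x' OR '1'='1";  // constructed input containing a quote character
printf("concatenated: %d row(s)\n", rowsConcatenated($db, $odd));
printf("prepared:     %d row(s)\n", rowsPrepared($db, $odd));
foreach ([['alice@example.com', 'alice-pw'], ['bob@example.com', 'bob-pw'],
          ['bob@example.com', 'nope'], [$odd, 'x'], [['a'], 'x']] as [$u, $p]) {
    echo checkLogin($db, $u, $p), "\n";
}
```

With the quoted input, the concatenated query matches every row in the table while the prepared one matches none, because the bound value is compared as a literal username.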