I am trying to secure my login form using mysqli prepared statement.
I am using the following code and I'm keep getting the wrong information entered error!
here is my code:
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
// Connect to the MySQL database
include "config/connect.php";
$stmt = mysqli_prepare(
$db_conx,
"SELECT email, password, storeShop
FROM storename
WHERE email = ?
AND password = ?
AND storeShop = ?"
);
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
//after validation, of course
mysqli_stmt_bind_param($stmt, "sss", $manager, $password, $stores);
mysqli_stmt_execute($stmt);
if (mysqli_affected_rows($db_conx))
{
mysqli_stmt_close($stmt);//<-- CLEAN UP AFTER YOURSELF!
//update was successful
$id = mysqli_insert_id($db_conx);
}
$existCount = mysqli_num_rows($query); // count the row nums
if ($existCount == 1) { // evaluate the count
while($row = mysqli_fetch_array($query, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
exit();
} else {
echo "wrong information entered";
exit();
}
}
but when I use this code, it works fine:
$sql = "SELECT * FROM storename WHERE email='$manager' AND password='$password' AND storeShop='$stores'";
$query = mysqli_query($db_conx, $sql);
could someone please tell me what I am doing wrong?
Thanks in advance.
EDIT, This still doesn't work.
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
// Connect to the MySQL database
include "config/connect.php";
$stmt = mysqli_prepare(
$db_conx,
"SELECT email, password, storeShop
FROM members
WHERE email = ?
AND password = ?
AND storeShop = ?"
);
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
//after validation, of course
mysqli_stmt_bind_param($stmt, "sss", $manager, $password, $stores);
mysqli_stmt_execute($stmt);
if (mysqli_affected_rows($db_conx))
{
$existCount = mysqli_stmt_affected_rows($stmt);
mysqli_stmt_execute($stmt); // count the row nums
if ($existCount == 1) { // evaluate the count
while($row = mysqli_fetch_array($stmt, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
mysqli_stmt_close($stmt);
exit();
} else {
header("Location: data");
exit();
}
//<-- CLEAN UP AFTER YOURSELF!
//update was successful
}
}
SECOND EDIT:
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
// Connect to the MySQL database
include "config/connect.php";
$stmt = mysqli_prepare(
$db_conx,
"SELECT email, password, storeShop
FROM members
WHERE email = ?
AND password = ?
AND storeShop = ?"
);
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
//after validation, of course
mysqli_stmt_bind_param($stmt, "sss", $manager, $password, $stores);
mysqli_stmt_execute($stmt);
if (mysqli_affected_rows($db_conx))
{
$existCount = mysqli_stmt_affected_rows($stmt); // count the row nums
if ($existCount == 1) { // evaluate the count
if (mysqli_stmt_affected_rows($stmt))
{
while($row = mysqli_fetch_array($stmt, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
mysqli_stmt_close($stmt);
exit();
} else {
header("Location: data");
exit();
}
}
//<-- CLEAN UP AFTER YOURSELF!
//update was successful
}
}
This works for me:
$stmt = $db_conx->prepare("SELECT email, password, storeShop
FROM storename
WHERE email = ?
AND password = ?
AND storeShop = ?");
$stmt->bind_param('sss', $manager, $password, $stores);
$stmt->execute();
$stmt->bind_result($manager, $password, $stores);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
while($stmt->fetch()) //fetching the contents of the row
{
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
exit();
}
}
else {
header("Location: data");
exit();
}
$stmt->close();
0 comments:
Post a Comment