What's wrong with my login system?

Question

I'm trying to make a login system in PHP but it isn't working as intended. The code is supposed to generate a random integer and assaign it to a cookie named "token", then it uploads the value of the cookie to a database. If there is no token, it redirects the user to a 404 page, or if the token isn't equal to the token in the database it also redirects the user to a 404 page. But when I login, instead of setting the token in the database to the cookie's value, it sets it to 2147483647. How can I make the PHP code set the token in the database to the cookie's value?

Code:

admin.php:

include_once "connect.php";
if (!empty($_POST['user']) && !empty($_POST['pass'])) {
$user = $_POST['user'];
$pass = $_POST['pass'];
$_user = mysqli_escape_string($conn, $user);
$_pass = mysqli_escape_string($conn, $pass);
$query = "SELECT * FROM supa WHERE user='$_user' AND pass='$_pass'";
$result = mysqli_query($conn, $query);
if (mysqli_fetch_assoc($result) > 0) {
  setcookie("token", random_int(111, 8942));
  $ok = $_COOKIE['token'];
  $conn->query("INSERT INTO token (token) VALUES ('$ok')");
  echo "<script>location.href = \"panel.php\"</script>";
} else {
  echo "Wrong Cridentials";
}
}

panel.php:

include_once 'connect.php';
if (!empty($_COOKIE['token'])) {
  $token = $_COOKIE['token'];
  $query = "SELECT * FROM token WHERE token='$token'";
  $result = mysqli_query($conn, $query);
  if (mysqli_fetch_assoc($result) > 0) {

  } else {
    echo "<script>location.href = \"/\";</script>";
  }
} else {
  echo "<script>location.href = \"/\";</script>";
}

two things first: _do not_ manipulate passwords. __do never ever__ store passwords plain into your db. ok, three: use prepared staments. — Jeff, Apr 01 '18 at 21:41
also I'd recomment to not only use a random int, but a random string with lower/uppercase letters and digits. — Jeff, Apr 01 '18 at 21:45
forth: use [header("location...")](http://php.net/manual/en/function.header.php) instead of a js-redirect. Now you'll have a short blinking screen... — Jeff, Apr 01 '18 at 21:47
setcookie does not change $_COOKIE. It only sends a response header. ["Once the cookies have been set, they can be accessed on the next page load with the $_COOKIE array."](http://php.net/manual/en/function.setcookie.php) — Peter, Apr 01 '18 at 21:54
@Peter absolutely true. I thought the same, but it doesn't explain the '2147483647' - which - I think - will be stored at the second attempt... — Jeff, Apr 01 '18 at 21:57
Do you really want to have people logged in with a cookie? It means they will never have to login again, their brrowser will always be logged in automatically. If you only want to have the login be valid for one session, like most websites, use $_SESSION. If you do want a permanent login with a cookie, you should at least test if the token you create is not already present in the database or you will get an error. — Roemer, Apr 01 '18 at 21:57
Jeff why would I need to use prepared statements when i'm already using mysqli_escape_string()? — Jose, Apr 01 '18 at 21:58
because it's more secure. Just get used to it. Just use them always. It saves so much hassle... And you don't need to mysqli_escape_strings then. — Jeff, Apr 01 '18 at 22:00
The `mysql` tag would have definitely helped in adding that, since there would have most likely people respond with the correct answer (note: some probably don't follow the php tag, but only mysql) as to why your query failed. Only one did though. — Funk Forty Niner, Apr 01 '18 at 22:36

score 1 · Accepted Answer · edited Apr 01 '18 at 22:34

1

It seems that you have a type problem in your database. 2147483647 is the highest number of a 32 bits integer.

I guess you have to change your type in your database from int to varchar or something.

edited Apr 01 '18 at 22:34

Funk Forty Niner

74,450
15
68
141

answered Apr 01 '18 at 21:42

Ayoub Bargach

326
1
9

good catch. but wouldn't it be better to change the size of the int in db? – Jeff Apr 01 '18 at 21:44
Actually, the problem is that he want to update a string value : VALUES ('$ok') – Ayoub Bargach Apr 01 '18 at 21:45
should be converted by mysql – Jeff Apr 01 '18 at 21:46
Oh wait, setcookie("token", random_int(111, 8942)); It was a while I did not do PHP. VALUES ( $ok ) solve the problem no ? – Ayoub Bargach Apr 01 '18 at 21:47
1

*"from int to varchar or something"* - The "something" would have been [BIGINT](https://dev.mysql.com/doc/refman/5.5/en/integer-types.html). – Funk Forty Niner Apr 01 '18 at 22:38

score -1 · Answer 2 · answered Apr 01 '18 at 22:03

-1

Try this:

$token = random_int(111, 8942) ;
setcookie("token", $token);
$conn->query("INSERT INTO token (token) VALUES ($token)");
$url = 'panel.php' ; // preferrably: absolute path.
header("Location: $url");
exit;

Next: see the very important tips in the remarks under your question.

answered Apr 01 '18 at 22:03

Roemer

1,124
8
23

Problem solved! Thank you! But how did this fix the problem? – Jose Apr 01 '18 at 22:06
See the remark of Peter under your question. Also see the other remarks there; about not storing passwords uncoded in databases. But more: you use a very small set of random numbers. You will end up with a database with all those numbers and everybody will be able to login whenever they just set a cookie im their browser with a number between 111 and 8942. It is all highly unsecure. Probably better use $_SESSION['login']=true or use very eleborate random strings for your cookies. – Roemer Apr 01 '18 at 22:14

What's wrong with my login system?

2 Answers2