-1

I'm struggling with finding why I can't log in, I created my user in the MySQL database with md5 encryption on the password and also set that correctly up in the database, here is my code. It comes up with an invalid username or password but I'm 100% sure that I have added it correctly in the MySQL

users.php, i think my problem might be in here, but i just cant find it

<?php
class User {
    protected $pdo;

    function __construct($pdo){
        $this->pdo = $pdo;
    }
    public function checkInput($var){
        $var = htmlspecialchars($var);
        $var = trim($var);
        $var = stripcslashes($var);
        return $var;
    }
    public function login($email, $password){
        $stmt = $this->pdo->prepare("SELECT 'user_id' FROM 'users' WHERE 'email' = 
    :email AND 'password' = :password");
        $stmt->bindParam(":email", $email, PDO::PARAM_STR);
        //ORIGINAL
        //OLD CODE $stmt->bindParam(":password", md5($password), PDO::PARAM_STR);
        $password = md5($_POST['password'], PDO::PARAM_STR);
        $stmt->bindParam(':password',$password);
        //END OF ORIGINAL
        $stmt->execute();

        $user = $stmt->fetch(PDO::FETCH_OBJ);
        $count = $stmt->rowCount();

        if($count > 0){
            $_SESSION['user_id'] = $user->user_id;
            header('Location: home.php');
        }else{
            return false;
        }
    }

}
?>

My login.php

<?php
if(isset($_POST['login']) && !empty($_POST['login'])){
    $email    = $_POST['email'];
    $password = $_POST['password'];

    if(!empty($email) or !empty($password)){
        $email    = $getFromU->checkInput($email);
        $password = $getFromU->checkInput($password);

        if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
            $error = "Invalid format";
        }else{
            if($getFromU->login($email, $password) === false){
                $error = "The email or password is incorrect!";
            }
        }

    }else{
        $error = "Please enter username and password";
    }
}
?>
<div class="login-div">
    <form method="post">
        <ul>
            <li>
                <input type="text" name="email" placeholder="Please enter your Email 
      here"/>
            </li>
            <li>
                <input type="password" name="password" placeholder="password"/><input
                    type="submit" name="login" value="Log in"/>
            </li>
            <li>
                <input type="checkbox" Value="Remember me">Remember me
            </li>
            <?php
            if(isset($error)){
                echo '<li class="error-li">
            <div class="span-fp-error">'.$error.'</div>
          </li> ';
            }
            ?>
        </ul>
    </form>
</div>
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
r.kuypers
  • 7
  • 6
  • We need to see your database table structure. `show create table users` – bassxzero May 16 '18 at 16:57
  • **Please do not store plain text passwords** nor hash it with weak algorithms, use the [password functions](http://php.net/manual/en/faq.passwords.php) provided by PHP. Check: [How do you use bcrypt for hashing passwords in PHP](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Spoody May 16 '18 at 16:57
  • 100% sure? Woops – RiggsFolly May 16 '18 at 17:01
  • It is also not necessary to embolden everything it jusy annoys those that may actually try and help you – RiggsFolly May 16 '18 at 17:03
  • Please dont __roll your own__ password hashing specially not using MD5(). PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly May 16 '18 at 17:04

1 Answers1

0

Don't enclose SQL identifiers in single quotes.

Single quotes are used around string literals. Compare

SELECT t.email FROM mytable t LIMIT 1

to 

SELECT 'email' FROM mytable t LIMIT 1
spencer7593
  • 106,611
  • 15
  • 112
  • 140