0

I'm trying to validate an password from mysql table and then insert other data into other table if the password is correct. Couldn't really figure this out by myself so hopefully I can get help here :)

Im sure there is an easier way of doing this :D

Here is my code:

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

    <textarea name="change"></textarea>
    <input type="date" name="date">
    <input type="password" name="password">
    <label for="password">Password</label>

    <input type="submit" name="submit">

</form>

<?php 
    if (isset($_POST['submit'])) {
        $date = $_POST['date'];
        $change = $_POST['change'];
        $pwd = $_POST['password'];

        $servername = "";
            $username = "";
            $password = "";
            $dbname = "";

        $conn = new mysqli($servername, $username, $password, $dbname);
            if ($conn->connect_error) {
                die("Connection lost: " . $conn->connect_error);
            } 

            $sql = "SELECT * FROM users WHERE password = '$pwd'";
            $result = mysql_query($sql) or die(mysql_error());
            $numrows = mysql_num_rows($result);
            if($numrows > 0)
               {
                $sql = "INSERT INTO data (datechanged, changemade) VALUES ('$date', '$change')";
                if ($conn->query($sql) === TRUE) {
                    echo "New record created successfully";
                } else {
                    echo "Error: " . $sql . "<br>" . $conn->error;
                }
               }
            else
               {
                echo 'Your not in';
               }
            $conn->close();
            }
?>
iamnikke
  • 7
  • 2
  • 1
    Side note: in HTML 4 and XHTML you can replace `
    ">` with `
    ` which does the same thing, in HTML 5 you can use `
    ` so it's still valid HTML this is also valid in XHTML and HTML4.. Empty action or action with "#" cause the browser to post to the same page thats why it works
     – Raymond Nijland Aug 24 '18 at 16:11
  • 3
    Side note: I also advice you to read about SQL injection and ways to prevent it. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Raymond Nijland Aug 24 '18 at 16:14
  • On topic: the SELECT and INSERT queries can be made into one qeury.. with this syntax `INSERT INTO date (...) SELECT (...) FROM table WHERE...` check MySQL documentation https://dev.mysql.com/doc/refman/8.0/en/insert-select.html – Raymond Nijland Aug 24 '18 at 16:16
  • 3
    you should be using `password_hash()` to hash your passwords. Do not store them in plain text. Then use `password_verify()` to check if entered password matches the hash. – Rotimi Aug 24 '18 at 16:16
  • 2
    also combining two different database API's is a bad idea, especially when one of them is insecure and obsolete. Stick to just `mysqli()` – Rotimi Aug 24 '18 at 16:17
  • 1
    "also combining two different database API's is a bad idea, especially when one of them is insecure and obsolete" it's not only a bad idea it also does not work @RotimiOlawale – Raymond Nijland Aug 24 '18 at 16:18

1 Answers1

-1

You can use PHP Sessions to keep users logged in, after they entered their password correctly once.

Other than that it doesn't get much easier than your solution. But it should get more secure!

There are three flaws with your approch:

  1. Users with the same password log into the same account. To prevent this they should also have to enter an account name or some other unique identifier.
  2. The password are stored unencrypted. You should always store password encrypted. Forturatly PHP offers easy to use functions for password encryption and validation.
  3. User input is directly inserted into your SQL. You should never use user input in your SQL directly! Anyone can delete your entire database with one "password", see SQL Injection Attack. Use MySQLi's prepared statements instead.

This might be a lot at once, but it is absolutly necessary to fix these issues, if this site is available to anyone other than you.

I hope this helps. -Minding

Minding
  • 1,267
  • 1
  • 16
  • 27