0

I am developing a REST web API to communicate with the server. In the function below, I am getting the user's login credentials and return the responses after validation.

The problem is whenever, I login with the correct credentials, it is showing the message 'Invalid Login credentials'.

I am pretty sure that, the values are not checking the conditions or the conditions (I check the email and password fields are not empty and validate the email by FILTER_VALIDATE_EMAIL are wrong.

private function login(){

    if($this->get_request_method() != "GET"){
        $this->response('',406);
    }

    $email = $this->_request['email'];      
    $password = $this->_request['pwd'];         

    if(!empty($email) && !empty($password)){   
        if(filter_var($email, FILTER_VALIDATE_EMAIL)){

            $sql = mysql_query("SELECT id FROM user_login WHERE user_email = '$email' 
                   AND user_password = '".md5($password)."' LIMIT 1", $this->db);

            if(mysql_num_rows($sql) > 0){

                $result = mysql_fetch_array($sql,MYSQL_ASSOC);

                # If success everythig is good send header as "OK" and user details
                $this->response($this->json($result), 200);

            }
            else {
                $message = array('is_data' => 0, 
                                 "message" => "Invalid Login details");
                $this->response($this->json($message), 400);
            }
        }
    }
    # If invalid inputs "Bad Request" status message and reason
    $message = array('code' => "RES3001", 
                     "message" => "Please check the parameters you sent");
    $this->response($this->json($message), 400);
}

It would be very helpful if someone can help me to overcome this issue.

Don't Panic
  • 41,125
  • 10
  • 61
  • 80
BigB
  • 79
  • 1
  • 9
  • 1
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Aug 05 '15 at 18:27
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. – Jay Blanchard Aug 05 '15 at 18:28
  • 2
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Aug 05 '15 at 18:28
  • Thanks for the useful links and advice. I will try to follow those. – BigB Aug 05 '15 at 18:31
  • I think you should see if when you store the password in the db (when register), you hash it with md5 or not. And also, if this function is part of a class, then the "action" attribute of the login form, should be filled in with "FileNameOfTheClass.php" – Dan Costinel Aug 05 '15 at 18:43
  • Thanks for all the useful comments. I made a mistake in the query which directs to different column. It works fine now. – BigB Aug 05 '15 at 19:25

0 Answers0