-1

I am new to programming so apologies in advance for the misuse of any terms I may have mixed up.

I'm trying to create a very simple login application using php and mysql. There are 3 files: config.php, connection.php and login.php. I am using Postman for testing my inputs and output. However, when I try to run the php script, it gives me this result (updated): Result

I am not sure what is happening, I've tried to follow a tutorial on youtube and checked if I am missing something but can't find it.. Here are my codes:

config.php:

<?php
define('hostname', 'localhost:80');
define ('username', 'root');
define ('password', 'root');
define ('dbname', 'finger');
?>

connection.php:

<?php
    require_once 'config.php';  
    class DB_connection{
        private $connect;
        function __construct(){
        $this -> connect = mysqli_connect(hostname, username, password, dbname) or die( "DB Connection error");
        }
        public function get_connection(){
        return $this-> connect;
        }
    }
?>

login.php:

<?php
require_once 'connection.php';

class User{
    private $db, $connection;
    function __construct(){
    $this->db = new DB_connection();
    $this -> connection = $this -> db -> get_connection();
    }

    public function does_user_exist($email, $password){

    $query = "Select * from users  where email  = '$email' and passwords = '$password'";
    $result = mysqli_query($this->connection, $query);
    if (mysqli_num_rows($result) > 0) {
    $json['success'] = 'Sign in success!';
    $json_encode ($json);
    mysqli_close($this ->connection);
    #return true;
    }
    else {
    $json['failure'] = 'Sign in Failure, check credentials!';
    $json_encode ($json);
    mysqli_close($this ->connection);
    #return false;
    }
    }

}

$user = new User();
if (isset ($_POST['email'], $_POST ['password'] )){
    $email = $_POST['email'];
    $password = $_POST['password'];

    if (!empty ($email) && !empty($password)){
    $encrypted_password= md5($password);
    $user -> does_user_exist($email, $encrypted_password);
    } 
    else{
    echo json_encode(" Please enter both fields! ");
    }
}

?>
Muhammad Hamza
  • 823
  • 1
  • 17
  • 42
  • 3
    **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Mar 19 '18 at 13:22
  • 3
    Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 19 '18 at 13:23
  • 3
    Please go read up on & enable proper PHP error reporting first of all! It would have alerted you to mistakes such as `$json_encode ($json);` – CBroe Mar 19 '18 at 13:25

1 Answers1

-1

You are using wrong method to get a value of email and password.

If you want use Post method then value pass through Body. but You are passing the value of email and password in query string.

Please use $_GET instead of $_POST.

Like ..... 

$user = new User();
       if (isset ($_GET['email'], $_GET ['password'] )){
         $email = $_GET['email'];
       $password = $_GET['password'];

        if (!empty ($email) && !empty($password)){
           $encrypted_password= md5($password);
           $user -> does_user_exist($email, $encrypted_password);
        } 
    else{
    echo json_encode(" Please enter both fields! ");
    }
  }
marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
rajeev
  • 115
  • 8
  • 2
    That wont solve his problem, but create a new one when he goes to actually setup a real login form that submits via POST. – IncredibleHat Mar 19 '18 at 13:51