0

I'm creating a login script with PHP and the jQuery Form plugin to process the login form. It uses this plugin to process the values to the PHP script checking the credentials. Then the PHP echoes "true" or "false" and jQuery handles the error messages or redirection to the dashboard. Here is my jQuery:

```html
<script>
$(document).ready(function() {
    // Bind '#loginform' and provide a simple callback for the server response
    $('#loginform').ajaxForm(function(html) {
        if (html == 'true') {
            window.location = "dashboard.php";
        } else if (html == 'false') {
            $(".errormsg").show();
            $(".errormsg").css({
                background: "#fc4452",
                border: "1px solid #ff0000"
            });
            // "E-mail address or password incorrect"
            $('.errormsg').html('E-mail adres of wachtwoord onjuist');
        } else {
            $(".errormsg").show();
            $(".errormsg").css({
                background: "#fc4452",
                border: "1px solid #ff0000"
            });
            // "Something went wrong while logging in"
            $(".errormsg").html('Er ging iets mis bij het inloggen');
        }
    });
});
</script>
```

Here is my current PHP script that searches the DB:

```php
include("../includes/mysql_connect.php");
$email = $_POST['email'];
$password = $_POST['password'];
$password = hash('sha256', $password);

// Look up the user by e-mail and SHA-256 password hash
$query_check_credentials = "SELECT * FROM Users WHERE (email='$email' AND password='$password')";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if (!$result_check_credentials) { // If the query fails
    echo 'Query Failed ';
    exit; // stop here: mysqli_num_rows() cannot take a failed result
}

if (mysqli_num_rows($result_check_credentials) == 1) { // A match was made
    // Initialize a session:
    session_start();
    $row = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);
    $_SESSION['email'] = $row['email'];
    echo "true";
} else {
    echo "false";
}
```

As you can see it echoes true or false, which is read by the html function in the ajax script and then displays a message or does a redirect.

The problem is, it is not doing that at the moment. It is always displaying the error message in the "else" statement, which reads "something went wrong", even when the correct credentials are entered.

I've tested my PHP without the jQuery and I know for a fact that it returns "true" or "false" based on the credentials. Nothing more, no whitespace or other stuff.

To troubleshoot, I also wrote the simple piece of PHP code below, which does the same thing as the PHP above, but is not using a database. The strange thing is, when I use the PHP below...my jQuery is working fine, it shows a message when the password or username is wrong, and it shows the corresponding messages with passwords "1" and "123".

Is this because of the mysql query or am I missing something else? Thanks in advance!

PHP test script

```php
$email = $_POST['email'];
$password = $_POST['password'];
if ($email == "john@doe.com" && $password == "123") {
    session_start();
    $_SESSION['email'] = $email;
    echo "true";
} else {
    echo "false";
}
```
idejong
  • 101
  • 1
  • 14
  • Please NEVER use this code, it's doing everything wrong regarding login, password hashing, database request etc.! You'll be hacked in under one second with this! – Sliq Jul 08 '15 at 23:37
  • This question is about the jQuery, nothing gets hacked. I will be adding another security layer by using salts and bcrypt later on. It's just for test purposes. – idejong Jul 08 '15 at 23:40
  • Have you looked at your browser console to see what is returned? Could be returning more than just 'true' or 'false' (including just whitespaces) which could cause it to fail to the else block – Sean Jul 08 '15 at 23:52
  • @Sean yes I've checked the console for errors etc. But it is completely empty. I don't understand why it does work correctly without using a database. Another strange thing is when I leave the credentials in the fields and refresh the page, it does log me in correctly. – idejong Jul 08 '15 at 23:56
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 22 '16 at 14:07
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 22 '16 at 14:07
  • You really shouldn't use your own salts on password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 22 '16 at 14:07
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Jan 22 '16 at 14:08

1 Answer

0

I found the problem. In my first PHP file I'm including the file "mysql_connect.php"; after a closer inspection, this was causing extra content in the PHP response. I solved it by stripping this from my "mysql_connect" file.

idejong
  • 101
  • 1
  • 14
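
An added example, not part of the original question or answer, that combines what the comments on the question recommend (prepared statements and `password_hash()`/`password_verify()`) with a response format that is not broken by stray output from an include, the cause found in the answer. Assumptions: the `Users(email, password)` table from the question with the password column holding `password_hash()` output, a hypothetical `ok` field in the JSON body, and an in-memory SQLite database with constructed rows standing in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Assumption: Users(email, password) as in the question, with the password
// column holding password_hash() output instead of a bare SHA-256 digest.
function check_login(PDO $db, string $email, string $password): bool
{
    // The e-mail is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password FROM Users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn(); // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

// JSON body with a hypothetical "ok" field: the client tests a parsed boolean
// rather than comparing the raw response text to the string 'true'.
function login_response(bool $ok): string
{
    return json_encode(['ok' => $ok]);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO Users (email, password) VALUES (?, ?)');
$insert->execute(['john@doe.com', password_hash('123', PASSWORD_DEFAULT)]);

// Buffer and discard anything printed before the response is built, such as
// whitespace or a BOM emitted by an included file.
ob_start();
echo "\n"; // constructed stand-in for stray output from an include
ob_end_clean();

$attempts = [
    ['john@doe.com', '123'],       // valid credentials
    ['john@doe.com', 'wrong'],     // wrong password
    ["o'neil@example.com", '123'], // quote in the input is handled as plain data
];
foreach ($attempts as [$email, $password]) {
    echo login_response(check_login($db, $email, $password)), PHP_EOL;
}
```

In a real endpoint the script would also send a `Content-Type: application/json` header before the body, and the client callback would read the parsed `ok` value.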