// logic of login, I know it's insecure
function employeeLogin($mobile, $password, $deviceId)
{
    $sql = "select * from employees where (mobile like '$mobile' or alt_mobile like '$mobile')
            and password like md5('{$password}') and status = 1";
    $retval = mysqli_query($this->connection, $sql);
    if ($retval === false) {
        // a failed query would otherwise be reported as a plain "invalid login"
        error_log("employeeLogin query failed: " . mysqli_error($this->connection));
        return 0;
    }
    while ($row = mysqli_fetch_assoc($retval)) {
        if ($deviceId != 0 && !isset($_GET["web"])) {
            return -1;
        }
        return json_encode($row);
    }
    return 0;
}
main file which handles the POST from the frontend:
<?php
header('Access-Control-Allow-Origin: https://myfrontend.com');
header('Access-Control-Allow-Credentials: true');
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    header("HTTP/1.1 200 OK");
    exit();
}
$mobile   = $_GET["mobile"] ?? '';
$password = $_GET["password"] ?? '';
// default to 0 (not '') so the "$deviceId != 0" test behaves the same on PHP 7 and PHP 8
$deviceId = (int)($_GET["device_id"] ?? 0);
require 'account.php';
$out = $account->employeeLogin($mobile, $password, $deviceId);
error_log("employeeLogin returned: " . var_export($out, true));
// strict comparison: employeeLogin returns int 0 / -1 on failure and a JSON string on success,
// and a loose "$out != 0" treats a non-numeric string as equal to 0 on PHP 7
if ($out !== 0 && $out !== -1) {
    $userData = json_decode($out, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        session_start();
        setcookie(session_name(), session_id(), [
            'expires'  => time() + 3600,
            'path'     => '/',
            'secure'   => false,
            'httponly' => true,
            'samesite' => 'None'
        ]);
        error_log("User data: " . var_export($userData, true));
        echo $out;
        $_SESSION["id"] = $userData['id'];
        exit();
    } else {
        error_log("JSON decode error: " . json_last_error_msg());
        echo json_encode(['status' => 'error', 'message' => 'Failed to decode JSON']);
        exit();
    }
} else {
    // Debugging: output what $out contains when it equals 0 or -1
    echo json_encode(['status' => 'error', 'message' => 'Invalid login', 'out' => $out]);
    exit();
}
?>
The logic works perfectly on localhost, but on the server it always returns out as 0 and it's an invalid login; on localhost it works fine and the credentials are correct.
I tried testing it in the test environment and it always returns invalid login.
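The same lookup written with a prepared statement and a salted password hash, as an added example that is not the asker's code: it assumes the employees table stores password_hash() output in a column named `password_hash` (a constructed name), that `$conn` is an open mysqli connection, and that the caller passes the `web` flag in rather than reading `$_GET` inside the function.

```php
<?php
// Added example, not the asker's code. Assumed schema: employees(id, mobile,
// alt_mobile, password_hash, status), with password_hash holding password_hash() output.
function employeeLoginSafe(mysqli $conn, string $mobile, string $password, int $deviceId, bool $web): ?array
{
    // Placeholders keep the request values out of the SQL text, so the mobile
    // number or password can no longer change the structure of the query.
    $sql = 'SELECT id, password_hash FROM employees
            WHERE (mobile = ? OR alt_mobile = ?) AND status = 1
            LIMIT 1';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        // surface the real failure instead of reporting it as a bad login
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $mobile, $mobile);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matches
    $stmt->close();

    // Run the hash check even when no employee was found, so an unknown
    // number and a wrong password take about the same time to reject.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === null) {
        return null;
    }
    // same device rule as the original: a bound device may only log in via the web flag
    if ($deviceId !== 0 && !$web) {
        return null;
    }
    return ['id' => (int)$row['id']];
}

// Caller side: one null check replaces the 0 / -1 / JSON-string convention.
// $user = employeeLoginSafe($conn, $mobile, $password, $deviceId, isset($_GET['web']));
// if ($user === null) { echo json_encode(['status' => 'error', 'message' => 'Invalid login']); exit(); }
// session_start(); session_regenerate_id(true); $_SESSION['id'] = $user['id'];
```

New password rows are written with `password_hash($plain, PASSWORD_DEFAULT)`; existing md5 rows cannot be verified this way and would need to be rehashed on the user's next successful login.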