<?php
if (isset($_POST['submit'])) {

    session_start();

    include('connection.php');

    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);

    $hash_password = md5($password);

    $sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hash_password' ";

    $result = mysqli_query($conn, $sql);

    $row = mysqli_fetch_array($result);

    if ($row['email'] == $email && $row['password'] == $hash_password)  {
        echo '<script type="text/javascript">';
        echo 'setTimeout(function () { sweetAlert("<b>Logged In"," You have successfully loged in.</b>","success");';
        echo '}, 500);</script>';
    } else {
        echo '<script type="text/javascript">';
        echo 'setTimeout(function () { sweetAlert("<b>Oops...","Wrong username or Password!...</b>","error");';
        echo '}, 500);</script>';
    }
}

?>

//database

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET AUTOCOMMIT = 0;
START TRANSACTION;
SET time_zone = "+00:00";

/!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT /;
/!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS /;
/!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION /;
/!40101 SET NAMES utf8mb4 /;

--
-- Database: cclv
--
-- Table structure for table users

CREATE TABLE users (
id int(11) NOT NULL,
idnum varchar(11) NOT NULL,
username varchar(50) NOT NULL,
year_course varchar(50) NOT NULL,
mobile varchar(13) NOT NULL,
department varchar(50) NOT NULL,
email varchar(50) NOT NULL,
password varchar(20) NOT NULL,
date timestamp NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

--

What is in connection.php? Are you sure that the PHP is able to successfully connect to the database? Do you see anything in your error log?

Alter hour code to show a debugging error message if the database connection is not successful.

Please use PDO instead

Should it not be:
$sql = "SELECT * FROM users WHERE email = '.$email.' AND password = '.$hash_password.' ";

No. Double quotes allow you to include variables. Single quotes are literal strings and don’t recognize variables.

They are encasing the entire SQL query in double quotes so the variables will be parsed. The single quotes are used for the purpose of wrapping the string to be matched in the database column.

Now, there might also be a problem in the password field definition in the table spec: password varchar(20) NOT NULL. As far as I remember the good old MD5 produces a hash of lenght that fits into CHAR(32). So password hashes stored in the users table could be truncated due to too small filed size and therefore can not match even if the user entered correct password.

However, more important fact here is that MD5 has been unfit for password hashing for years. It is completely unsecure and do not use it in any production site. There is much more suitable function password_hash (https://www.php.net/manual/en/function.password-hash.php) built into PHP. If you use it you must also make you password field bigger, maybe 255 characters to be ready for future.

commented: Good catch! +34

Good catch! The OP is using MD5() but also storing the password hash in a column not suitable for MD5 hashes.

Yes, use password_hash() instead of MD5() and increase the size of the column.

also could be mysqli_fetch_assoc instead of mysqli_fetch_array.

mysql_fetch_array may not return the associative column names as the key values

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.