Essentially the question asked. Cook is set for the following reason.
When executing the following code,
$enter_pswd = (int) $_POST['enter_pswd'];
after casting the transferred password to the int type, the value of the $enter_pswd variable becomes zero, since your password apparently contains not only numeric characters.
Further in the same way you select a password from the database, and again convert it to the int type. Receiving again the value of 0 . The next stage you compare two zero values, and of course you get the result true .
This explains why the cookie will appear when entering an incorrect password. I note that in the case when your password contains only the digits of the cookie will not be issued. In general, it is not required to bring the password to the int type, and it is not clear why you are doing this.
Further a few notes regarding your code:
- Substituting the login directly into the body of the SQL query opens a direct path to code injection. Imagine that someone will write the string
xxxx' union select 1 as id, 'admin' as login, 123 as password; # xxxx' union select 1 as id, 'admin' as login, 123 as password; #
As a result, your request to verify the user will look like this:
SELECT * FROM users WHERE login = 'xxxx' union select 1 as id, 'admin' as login, 123 as password; #'
that paired with the password 123 will lead to successful authorization. In other cases, if it is possible to specify, as a login, for example, qwe'; delete from users; # qwe'; delete from users; # qwe'; delete from users; # in the result of which the contents of the user table will be deleted. In the same way it turns out and add a new entry to the table with a small selection of field names.
- Do not store passwords in the database in the clear. The password hashes should be stored, for example, the simplest
md5() . - The sign of user authorization should obviously be indicated not in the cookie, but in the session. Because the first are openly transmitted between the client and the server, and no one bothers the user to enter there with their hands, correcting the request headers in the browser.
(int))? - neluzhinint. When you cast a text string to an integer, you get a value of 0. And you get this value both times, and then compare two zeros, eventually getting identical equality. - teran