
So I'm trying to create a login system. I can't figure out how to check a login against the info in my MySQL database. I can login even if the database table is empty. What exactly am I doing wrong? I can connect alright, it's just the verifying part that's all messed up.

The form:

<form name='login' method="POST" action="home.php">

Username: <input type="text" name="username" required /><br>
Password: <input type="password" name="password" required /><br>

<input type="submit" name="login" value="Login" />
</form>

Here's home.php:

<?php  //Start the Session
session_start();
require('connect.php');
//3. If the form is submitted or not.
//3.1 If the form is submitted
if (isset($_POST['username']) and isset($_POST['password'])){
//3.1.1 Assigning posted values to variables.
$username = $_POST['username'];
$password = $_POST['password'];
//3.1.2 Checking whether the values exist in the database
//(the posted values go straight into the SQL text; see the comments below on SQL injection)
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
//3.1.2 If the posted values are equal to the database values, then a session will be created for the user.
if ($count == 1){
$_SESSION['username'] = $username;
}else{
//3.1.3 If the login credentials don't match, the user is shown an error message.
$fmsg = "Invalid Login Credentials.";
echo $fmsg;
}
}
//3.1.4 If the user is logged in, greet the user with a message
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo '<head>
<title>Sheeplets World: Home Page</title>
<link type="text/css" rel="stylesheet" href="index.css" media="screen" />
</head>

<body>
<div id=allcontent>

<h1 id=header>Sheeplets World</h1>

<div id=rcorners>
<h2 id=topic1>Welcome ' . $username . '!</h2>

<p class="content1">abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz</p>
    </div>
    </div>
    </body>';
    echo "<a href='logout.php'>Logout</a>";
} // closes: if (isset($_SESSION['username']))
?>

Here's connect.php:

<?php
$connection = mysqli_connect('localhost', 'root', '', 'testing');
if (!$connection){
    // $connection is false here, so ask for the connect error rather than mysqli_error($connection)
    die("Database Connection Failed: " . mysqli_connect_error());
}
// The database was already chosen in mysqli_connect(); this only re-selects it.
$select_db = mysqli_select_db($connection, 'testing');
if (!$select_db){
    die("Database Selection Failed: " . mysqli_error($connection));
}?>

Thanks in advance!

  • 1
    There's a very detailed case documented here: https://stackoverflow.com/questions/24028247/need-help-creating-custom-user-registration-login-script – Kevin Pimentel Feb 16 '18 at 19:46
  • You seem to just be grabbing the entered password and then trying to compare on it. Assuming your password is hashed, you first need to hash it and then do a compare. If you are not hashing the password in the DB that's bad you should make sure to hash. – Kevin Pimentel Feb 16 '18 at 19:49
  • For one thing, you have a parse error here `if (isset($_SESSION['username'])){` which has no closing `}` brace and should produce an `unexpected end of file` warning. PHP's error reporting would have signaled it. The brace should be placed after your `echo "Logout";`. – Funk Forty Niner Feb 16 '18 at 19:52
  • HTML stickler: `action="home.php";;` get rid of those semi-colons. – Funk Forty Niner Feb 16 '18 at 19:55
  • You do know that you can interact/comment here, right? – Funk Forty Niner Feb 16 '18 at 20:02
  • Thanks for the help! The closing brace is there. I removed the two semicolons and it didn't seem to make a change in it. – Olivia Boismier Feb 16 '18 at 20:50
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 26 '18 at 18:00
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 26 '18 at 18:01

1 Answer


Try printing the fetched record and the count to investigate the contents of $count and the query result, using

   echo $count;

   $row=mysqli_fetch_assoc($result);
   print_r($row);

Example code for login:

<?php
session_start();
$errorMsg = "";
// isset() first: on the very first visit the session has no "login" key yet
$validUser = isset($_SESSION["login"]) && $_SESSION["login"] === true;
if(isset($_POST["sub"])) {
  // hard-coded credentials, for demonstration only
  $validUser = isset($_POST["username"], $_POST["password"])
    && $_POST["username"] == "admin" && $_POST["password"] == "password";
  if(!$validUser) $errorMsg = "Invalid username or password.";
  else $_SESSION["login"] = true;
}
if($validUser) {
   header("Location: /login-success.php"); die();
}
// re-displayed username is escaped so it cannot inject markup into the page
$prevUsername = isset($_POST["username"]) ? htmlspecialchars($_POST["username"], ENT_QUOTES) : "";
?>
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="content-type" content="text/html;charset=utf-8" />
  <title>Login</title>
</head>
<body>
  <form name="input" action="" method="post">
    <label for="username">Username:</label><input type="text" value="<?= $prevUsername ?>" id="username" name="username" />
    <label for="password">Password:</label><input type="password" value="" id="password" name="password" />
    <div class="error"><?= $errorMsg ?></div>
    <input type="submit" value="Home" name="sub" />
  </form>
</body>
</html>

reference link

Funk Forty Niner
NIMI
  • Please bear with me here, but where do I insert it? I'm pretty new to php and don't understand all this. – Olivia Boismier Feb 16 '18 at 21:00
  • just after the lines `$result = mysqli_query($connection, $query) or die(mysqli_error($connection));` `$count = mysqli_num_rows($result);` – NIMI Feb 16 '18 at 21:03
  • Okay, so to create a 'homepage', I see my method doesn't work. How should I 'redirect', so to speak, but contain the login information? – Olivia Boismier Feb 16 '18 at 21:08
  • You can use session data on any page; you only have to start the session at the top of the page by calling the session_start() function. – NIMI Feb 16 '18 at 21:20
  • I can edit my answer with a simple login example so you can understand it well. – NIMI Feb 16 '18 at 21:22
  • it's giving me the error: Notice: Undefined index: login in C:\xampp\htdocs\login.php on line 4 – Olivia Boismier Feb 17 '18 at 16:27
  • add this line `$_SESSION["login"] = false;` on line three – NIMI Feb 17 '18 at 17:25
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Feb 26 '18 at 18:01
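The following is an added example, not code from the question or from NIMI's answer. It shows the question's home.php login check and the answer's session-flag-plus-redirect pattern rewritten with the fixes the comments ask for: a mysqli prepared statement instead of string-built SQL, password_hash()/password_verify() instead of a plain-text comparison, one error message for both failure modes, a regenerated session id on login, and escaped output. It assumes connect.php sets $connection as in the question, that the `user` table has `username` and `password` columns, and that `password` holds a password_hash() result rather than the plain password; register_user() is an illustrative helper for creating such rows.

```php
<?php
// Added example, not the original poster's or the answerer's code: home.php
// rewritten with prepared statements, hashed passwords and a safer session
// flow. Assumes connect.php sets $connection (mysqli) as in the question,
// that the `user` table has columns `username` and `password`, and that
// `password` stores a password_hash() result. register_user() is an
// illustrative helper, not part of the original page.
session_start();
require('connect.php');
// Make mysqli throw on errors instead of returning false, so a failed
// prepare() cannot be mistaken for "no such user".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Fetch one row by username. The "?" placeholder sends the username as data,
// so quotes or "OR 1=1" inside it can never change the query's structure.
function find_user(mysqli $connection, string $username): ?array
{
    $stmt = $connection->prepare(
        'SELECT username, password FROM `user` WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (the default in XAMPP)
    $stmt->close();
    return $row ?: null;
}

// True only if the user exists and the submitted password matches the stored hash.
function check_login(mysqli $connection, string $username, string $password): bool
{
    $row = find_user($connection, $username);
    if ($row === null) {
        // Spend about as long as password_verify() would, so response time
        // does not reveal whether the username exists.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $row['password']);
}

// Create a user row with a salted hash; the plain password is never stored.
// Run this once (for example from a one-off script) before trying to log in.
function register_user(mysqli $connection, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $connection->prepare(
        'INSERT INTO `user` (username, password) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$fmsg = '';
if (isset($_POST['username'], $_POST['password'])) {
    if (check_login($connection, $_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);          // fresh session id once the user is authenticated
        $_SESSION['username'] = $_POST['username'];
        header('Location: home.php');         // redirect after POST so a reload cannot resubmit
        exit;
    }
    $fmsg = 'Invalid Login Credentials.';     // same text for unknown user and wrong password
}

// Not logged in: show the error, if any, and stop. The page body below is
// only reached when a successful check_login() set $_SESSION['username'].
if (!isset($_SESSION['username'])) {
    echo '<p>' . htmlspecialchars($fmsg, ENT_QUOTES, 'UTF-8') . '</p>';
    exit;
}
$username = $_SESSION['username'];
?>
<!DOCTYPE html>
<html>
<head>
<title>Sheeplets World: Home Page</title>
<link type="text/css" rel="stylesheet" href="index.css" media="screen" />
</head>
<body>
<h2 id="topic1">Welcome <?= htmlspecialchars($username, ENT_QUOTES, 'UTF-8') ?>!</h2>
<a href="logout.php">Logout</a>
</body>
</html>
```

With this version an empty `user` table cannot produce a greeting: find_user() returns null, check_login() returns false, and the script exits before the page body unless $_SESSION['username'] was set by an earlier successful login in the same session. Rows must be created through register_user() (or an equivalent password_hash() call), since a plain-text password in the `password` column will never satisfy password_verify().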