-1

I am trying to access my HTML website on localhost with XAMPP. The PHP file is stored in htdocs along with the HTML file. However, I still seem to be getting this error. My database name is check and table name is loginform.

<?php
$host="localhost";
$user="root";
$password="";
$dbname="check";

//create connection (variables must not be wrapped in single quotes, or the literal strings '$host' etc. are passed)
$conn=mysqli_connect($host, $user, $password, $dbname);

//check connection
if (mysqli_connect_errno()) {
    die('could not connect:'.mysqli_connect_error());
}

//accept values
if (isset($_POST['username'], $_POST['password'])) {

    $uname=$_POST['username'];
    $pass=$_POST['password'];

    // column names go on the left, the submitted values on the right;
    // the values are still concatenated straight into the SQL here (see the answer below)
    $sql="select * from loginform where username='".$uname."' AND password='".$pass."' limit 1";

    // mysqli_query() needs the connection as its first argument
    $result=mysqli_query($conn, $sql);

    //check query
    if (mysqli_num_rows($result)==1) {
        echo "You have Successfully logged in";
    }
    else{
        echo "Invalid credentials";
    }
    mysqli_close($conn);
    exit();

}
Shruti
  • You don't need all that code to solve a 404 error. Simply: ` – KIKO Software May 27 '20 at 08:40
  • Please post Your URL so We can see how You are testing it. – MatejG May 27 '20 at 08:42
  • [Error 404](https://en.wikipedia.org/wiki/HTTP_404) is not an error for code. it means can't find a file in the URL location – sachin kumara liyanage May 27 '20 at 08:47
  • http://localhost/index.html - have been using this url – Shruti May 27 '20 at 08:52
  • Is xampp mySql and Apache running? Show us your index.html code. – AlwaysConfused May 27 '20 at 08:59
  • LOGIN PAGE / LOGIN / Username: / Password: – Shruti May 27 '20 at 09:13
  • Yes apache and mySQL are running – Shruti May 27 '20 at 09:13
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 27 '20 at 10:26

1 Answer

-1

I cannot access your PC to figure out the current location, but I will talk about your code: your login form is vulnerable [SQL injection]. You should use mysqli_real_escape_string(); or use PHP PDO, which is more secure (use bindParam).

For example:

<?php
# mysql connection
$con = new PDO("mysql:host=localhost;dbname=database", 'username', 'password', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));

$user = $_POST['username'];
$pass = $_POST['password'];

# login: placeholders instead of string concatenation, values bound separately from the query text
$query = "SELECT * FROM `tableUsers` WHERE `username`=? AND `password`=?";
$run = $con->prepare($query);
$run->bindParam(1, $user, PDO::PARAM_STR);
$run->bindParam(2, $pass, PDO::PARAM_STR);
$run->execute();
$count = $run->rowCount(); // method name is rowCount(); PHP method names are case-insensitive, but use the documented spelling
if($count > 0) { // or if ($count === 1)
   // login complete the $_SESSION
} else {
   // wrong password
}

This code prevents SQLi, but XSS is still possible.

xSecurity
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 27 '20 at 10:26
  • Your code might still be vulnerable to SQL injection in rare cases, because you have not set the correct charset. – Dharman May 27 '20 at 10:27
  • See https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – Dharman May 29 '20 at 10:21
  • I read it clearly. I am not saying it is posing a serious risk, but I am saying you are not doing this properly. You need to set the right charset. Do not use `SET NAMES` – Dharman May 30 '20 at 12:06
  • If you go to the safe example, the first one is: mysql_query('SET NAMES utf8'); and check back my code. Also, I never store clear passwords; I did that to make the example easier for him, and if you make md5 with salt it will be enough, because they are all the same: they do brute-force attacks to crack hashes using hashcat/jacktheripper, and the idea of protection comes from the salt. – xSecurity Mar 14 '21 at 08:06
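The answer and the comments under it together describe three fixes: bind user input instead of concatenating it, set the connection charset in the DSN rather than with `SET NAMES`, and store only `password_hash()` output and check it with `password_verify()`. The following is an added example combining them against the asker's `check` database and `loginform` table; it is not the asker's or the answerer's code, and the `username` and `password_hash` column names are assumptions.

```php
<?php
// Added example: hardened version of the login discussed above.
// Assumes table `loginform` with columns `username` and `password_hash`.
declare(strict_types=1);

function connect(): PDO
{
    // charset in the DSN, not SET NAMES: the driver then knows the
    // connection charset, which is what the charset comments refer to
    $dsn = 'mysql:host=localhost;dbname=check;charset=utf8mb4';
    return new PDO($dsn, 'root', '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Registration: store only a password_hash(), never the clear password.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO loginform (username, password_hash) VALUES (?, ?)'
    );
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the user up by username only and verify the password in PHP.
// The password never becomes part of the SQL, and the username is bound.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM loginform WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    // password_verify() compares against the stored hash; unknown user fails too
    return $row !== false && password_verify($password, $row['password_hash']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['username'], $_POST['password'])) {
    $pdo = connect();
    if (checkLogin($pdo, $_POST['username'], $_POST['password'])) {
        session_start();
        $_SESSION['user'] = $_POST['username'];
        echo 'You have successfully logged in'; // only fixed strings are echoed
    } else {
        echo 'Invalid credentials';
    }
}
```

Nothing submitted by the user is echoed back, which is why this page does not run into the XSS the answer mentions; any page that does print `$_POST` values would need `htmlspecialchars()` on output.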