So I am trying to run this php file which should act as a login for users. Everytime I try to run it the browser says something like "localhost is currently unable to handle this request." I don't know what to do can anyone help me? Even running simple statements are coming back wit this error.
<?php
$host="localhost";
$user="root";
$password=" ";
$db="storm";
mysql_connect($host, $user, $password);
mysql_select_db($db);
if(isset($_POST['username'])){
$uname=$_POST['username'];
$password=$_POST['password'];
$sql="select * from user where username='".$uname."'AND
password='".$password."' limit 1";
$result=mysql_query($sql);
if(mysql_num_rows($result)==1){
echo "you have logged in";
exit();
}
else{
echo"nice try";
}
?>
<!DOCTYPE html>
<html>
<head>
<title> Login</title>
</head>
<body>
<div class="container">
<form>
<div class="form-input">
<input type="text" name="username" placeholder="Enter the User
Name"/>
</div>
<div class="form-input">
<input type="password" name="password" placeholder="password"/>
</div>
<input type="submit" type="submit" value="LOGIN" class="btn-login"/>
</form>
</div>
</body>
</html>
The code you provided is missing one bracket at the end.
if(isset($_POST['username'])){ <--
...
if(mysql_num_rows($result)==1){
echo "you have logged in";
exit();
}
else{
echo"nice try";
}
} <--
Related
I am using MacOSx and apache sever on XAMPP
Here is the link to my file - http://localhost:8080/logi/index.php and if I write sqlmap -u http://localhost:8080/logi/index.php?id=1 This error appear: [CRITICAL] all tested parameters do not appear to be injectable.
I want to check my login form for vulnerabilities but I don't understand which parameters I should write, which id or maybe I have to use --data?
Here is my code:
<?php
SESSION_START();
require ('connect.php');
//This is the validation for the login
if(isset($_POST['login'])){
$sql="SELECT * FROM members WHERE email=? AND password=?";
$ss=mysqli_prepare($connect,$sql);
$ss->bind_param("ss",$eu,$pe);
$eu=$_POST['email'];
$pe=$_POST['password'];
$ss->execute();
if(!empty($eu) && !empty($pe) && $ss->fetch()>0){
$_SESSION['email']=$_POST['email'];
header('Location:welcome.php');
}
if(empty($eu)){
$eerr="Did you forget your email?";
}elseif(empty($pe)){
$pwerr="Password required";
}elseif($ss->fetch()!==1){
$eerr="That account do not exist";
}
}
//This is the validation for registration
if(isset($_POST['register'])){
$sql="SELECT * FROM members WHERE email=?";
$sss=mysqli_prepare($connect,$sql);
$sss->bind_param("s",$e);
$e=$_POST['remail'];
$pw=$_POST['rpassword'];
$sss->execute();
if(!empty($e) && !empty($pw) && $sss->fetch()<1 && filter_var($e, FILTER_VALIDATE_EMAIL)){
$sql="INSERT INTO members (email,password)VALUES(?,?)";
$sss=mysqli_prepare($connect,$sql);
$sss->bind_param("s",$e);
$pq=$_POST['rpassword'];
$sss->execute();
echo"You have signed up!";
}
if(empty($e)){
$emailerr="Please provide your email adress!";
}elseif(empty($pw)){
$passworderr="Choose a password";
}elseif($sss->fetch()>0){
$emailerr="That account exist";
}elseif(!filter_var($e, FILTER_VALIDATE_EMAIL)){
$emailerr="Invalid email";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login and Registration</title>
<style>
span{
color:red;
}
</style>
</head>
<body>
Login
<form action="" method="POST">
<input type="text" name="email" placeholder="Email"/><span><?php echo $eerr;?><span><br>
<input type="password" name="password" placeholder="Password"/><span><?php echo $pwerr;?></span><br>
<input type="submit" name="login" value="Login"/>
</form>
<br><br>
Register
<form action="" method="POST">
<input type="text" name="remail" placeholder="Email"><span>*<?php echo $emailerr;?></span><br>
<input type="password" name="rpassword" placeholder="Password"><span>*<?php echo $passworderr;?><span><br>
<input type="submit" name="register" value="Register"/>
</form>
</body>
</html
I wrote a simple login page that is connected to a mySQL database. But even when I try to put in the correct login information, it still returns the "Incorrect username or password" error. I can't figure out if there is something wrong with my code itself, or my database. Any help would be greatly appreciated!
My database looks like this: https://gyazo.com/da06e276d981a35a3e2f01f5ec17f27b
I currently have 2 entries in that database for testing: https://gyazo.com/04a52dde61e77e0cbc2f90b78b3f40a9
My index.php code is as follows
<?php
include('login.php'); // Include Login Script
if ((isset($_SESSION['username']) != ''))
{
header('Location: home.php');
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>PHP Login Form with Session</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<h1>PHP Login Form with Session</h1>
<div class="loginBox">
<h3>Login Form</h3>
<br><br>
<form method="post" action="">
<label>Username:</label><br>
<input type="text" name="username" placeholder="username" /><br><br>
<label>Password:</label><br>
<input type="password" name="password" placeholder="password" /> <br><br>
<input type="submit" name="submit" value="Login" />
</form>
<div class="error"><?php echo $error;?></div>
</div>
</body>
</html>
My login.php code is as follows:
<?php
session_start();
include("connection.php"); //Establishing connection with our database
$error = ""; //Variable for storing our errors.
if(isset($_POST["submit"]))
{
if(empty($_POST["username"]) || empty($_POST["password"]))
{
$error = "Both fields are required.";
}else
{
// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];
//Check username and password from database
$sql="SELECT uid FROM users WHERE username='$username' and password='$password'";
$result=mysqli_query($db,$sql);
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
//If username and password exist in our database then create a session.
//Otherwise echo error.
if(mysqli_num_rows($result) == 1)
{
$_SESSION['username'] = $login_user; // Initializing Session
header("location: home.php"); // Redirecting To Other Page
}else
{
$error = "Incorrect username or password.";
}
}
}
?>
1- Saving in plain text is a NO.
2- As far as i can see you are comparing a plain text password with its md5.
You have also defined the same variable more than once, with different values, sth ive never seen before.
Well, I don't see where $login_user is assigned a value in your code in login.php page.
Try
$_SESSION['username'] = $username;
Also replace this with what you have at the top of your index.php page.
<?php
include('login.php'); // Include Login Script
if (isset($_SESSION['username'])){
header('Location: home.php');
}
else{}
?>
First of since you have your login script on another file in your project directory, shouldn't you specify the location to the script on your login form? Just like this
<form method="post" action="login.php">
<label>Username:</label><br>
<input type="text" name="username" placeholder="username" /><br><br>
<label>Password:</label><br>
<input type="password" name="password" placeholder="password" /> <br><br>
<input type="submit" name="submit" value="Login" />
</form>
i want to display my error message in the login form by getting the result from the login.php ,here is the sample code that i have use.The first part is the index.php
<?
include("login.php");?>
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="main">
<h1>Hup Seng</h1>
<div id="login">
<h2>Login Form</h2>
<form action="login.php" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text" required>
<br>
<br>
<label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password" required>
<br>
<input name="submit" type="submit" value=" Login ">
<span><?php echo $error; ?></span>
</form>
</div>
</div>
</body>
</html>
Here is the login.php i have put the error message under the else statement in order to pass the information to the login form
<?php
include("dbconfig.php");
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
//if (isset($_POST['submit'])) {
if (isset($_POST['username']) || isset($_POST['password'])) {
// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];
$pw = encode($password);
$sql = "SELECT count(ID) as cid FROM tblUser WHERE UserId = '$username' and Password1 = '$pw'";
$rs = odbc_exec($link_mssql,$sql);
while (odbc_fetch_row($rs)) {
$count=odbc_result($rs,"cid");
}
if ($count == 1) {
$_SESSION['username']=$username; // Initializing Session
header("location: homepage.php"); // Redirecting To Other Page
} else {
$error="username/passwod combination incorrect";
header("location: index.php");
}
odbc_close($link_mssql); // Closing Connection
}
//}
?>
No need to add header you already including login.php file in index.php
$error="username/passwod combination incorrect";
//header("location: index.php");//remove this line
session_start();
$_SESSION['error']="username/passwod combination incorrect";
and in login form check
session_start();
if(isset($_SESSION['error'])){
echo $_SESSION['error'];
}
//header("location: index.php");
Remove this or you can redirect the page after some time if you want like this.
header( "refresh:5;url=index.php" ); // page redirect after 5sec
i don't know what is wrong with my code when there is no members page the log in redirect me to the members page address with 404 error that isn't the problem , it redirect me to login page when i log in when i write this code in members page.
<?php
session_start();
if(!isset($_SESSION['user_level'])or ($_SESSION['user_level'] != 0)){
header('location: login.php');
exit();
}?>
<!DOCTYPE html>
<html>
<head>
<title>
Admin page
</title>
<style>
table{text-align: center;}
</style>
</head>
<body>
<?php
if($_SESSION['fname']){
echo 'welcome to admin page '. $_SESSION['fname'] . "<br>";
}
?>
<input type="button" value="Log Out" onclick="window.location=' logoutt.php '">
</body>
</html>
login page code
<?php
if($_SERVER['REQUEST_METHOD']=='POST'){
$dbcon=mysqli_connect('localhost','mahmud91','password','postaldb')or die('Couldn\'t connect to database'.mysqli_error($dbcon));
if(!empty(trim($_POST['email']))){
$email=mysqli_real_escape_string($dbcon,trim($_POST['email']));
}else{
$email=false;
}
if(!empty(trim($_POST['psword']))){
$psword=mysqli_real_escape_string($dbcon,trim($_POST['psword']));
}else{
$psword=false;
}if($email && $psword){
$query="SELECT fname,user_id,user_level FROM users WHERE (email='$email' AND psword=SHA1('$psword'))";
$result=mysqli_query($dbcon,$query);
if(#mysqli_num_rows($result)==1){
$_SESSION=mysqli_fetch_array($result,MYSQLI_ASSOC);
$_SESSION['user_level']=(int)$_SESSION['user_level'];
$url=($_SESSION['user_level']===1) ? "adminnpage.php" : "memberrpage.php";
header('location: '.$url);
}else{
echo "Sorry no match was found to email or password";
}
}else{
echo" Please try again";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>
Log In
</title>
</head>
<body>
<form action="/newfolder/login.php" method="post">
<p>
<label for="email">Email: </label>
<input type="text" name="email" id="email" >
</p>
<p>
<label for="psword">Password: </label>
<input type="password" name="psword" id="psword">
</p>
<p>
<input type="submit" name="submit" value="Log In">
</p>
<p>
<input type="button" value="Register" onclick="window.location='/newfolder/registerpage.php'">
</p>
</body>
</html>
You forgot to start session at the top of login page just after php tag
session_start();
I am creating and application with PHP and MySQL.
I have created two pages. Index.php and login.php (which holds the script for the user log in)
Every time I enter a user that is on the database to log in, it does return that there was no text entered.
I am new at this and I will really appreciate some help.
Here is my code.
Thanks in advance
index.php
<html>
<head>
<meta charset="UTF-8">
<title>Pet Service Catalogue</title>
</head>
<body>
<h1 style="text-align:center;"><img src="cat's paw.jpg" width="150" height="150" alt="cat's paw"/> Welcome to Pet Service Catalogue</h1>
<p style="text-align:center;">Please enter your Log in Details:</p>
<form style ="text-align:center;" name="LogIN" action="log_in.php" method="POST" enctype="multipart/form-data">
<p style="text-align:center;"> Email: <input type="text" name="user_email" value=""/></p>
<p style="text-align:center;"> Password: <input type="password" name="user_password" value="" /></p>
<input type="submit" value="Log In" name="LogIN" />
</form>
<form style="text-align:center;" name="registerprovider" action="registerprovider.php">
<p style="text-align:center;">Not Registered?:</p>
<input type="submit" value="Register Service Provider" name="Register Service Provider" />
</form>
<form style="text-align:center;" name="registerowner" action="registerowner.php">
<input type="submit" value="Register Pet Owner" name="Registerownerbutton" />
</form>
</body>
</html>
login.php
<html>
<head>
<meta charset="UTF-8">
<title></title>
</head>
<body>
<?php
// Create connection
$con = mysqli_connect('localhost', 'root', 'root', 'PetServiceCatalogue') or die("Failed to connect to database:" . mysqli_error($con));
//Get user details and put them on varaiables
$user_email = mysqli_real_escape_string($_POST['user_email']);
$user_password = mysqli_real_escape_string($POST['user_password']);
if (!empty($user_email) && !empty($user_password))
{
//look up for user details on the database
$query = "SELECT * FROM owner, provider WHERE email = '$user_email' AND password = SHA('$user_password') ";
$data = mysqli_query($con, $query);
$result = mysqli_num_rows($data);
printf("Number of rows %d \n", $result);
if ($result == 1) {
//The log in has found the user
$row = mysqli_fetch_array($data);
$user_email = $row('email');
$user_password = $row('password');
header("location: ownerhomepage.php");
} else {
//the user name or password are incorrect
echo "Wrong user email and password";
}
}
else
{
echo ' You must enter the user email and user password';
?>
<form name="back to index" action="index.php">
<input type="submit" value="Back to Log in page" name="Back to Log in page" /> </form>
<?php
}
mysqli_close($con);
?>
</body>
</html>
You have the action: action="log_in.php"but you've written its name is login.php
EDIT
Maybe you should try this as the first if statement:
if (trim($user_email)!="" && $user_password!=""){
//YOUR CODE
}