I'm having problems with my log in php file. I completed my sign up form, which takes data and saves it in a database. I now want to be able to log in with the data from the db. This is my first log in form and I'm not sure if I have all the things needed to make it run or if there's just an error. A list of what is needed to make this log in form will help, Thank you. I would also like to mention that I have more data in the DB other than email/password.
<?php
$db = mysql_connect("127.0.0.1:3307", "root", "", "test");
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['submit'])) {
$username = $_POST['Email'];
$password = $_POST['Password'];
$username = mysql_real_escape_string($Email);
$password = mysql_real_escape_string($Password);
$sql = "SELECT * FROM people WHERE Email ='$Email' AND
Password='$Password'";
mysql_select_db('test');
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1) {
echo "<script> alert('You Have Successfully Logged In')</script>";
exit();
} else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
mysql_close($db);
?>
You parse the POSTed EMAIL to your $username variable, but in your SELECT statement, you use a $Email variable. Perhaps this should have been your $Username variable instead, as this seems to hold your emailadress.
So your problem is in mixing of email and username. Correct this and your script should work.
Related
I already set a password for the user to log in, in phpMyAdmin. But I want to make sure that the password is deleted once the user uses it. Therefore, the user cannot login to the system twice. But I don't know how to make an SQL statement for that. I just want to delete the password without deleting the username. Can I combine the delete code with submit button?
<?php
if(isset($_POST['submit']))
{
include("config.php");
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$_SESSION['login_user'] = $username;
$query = mysqli_query($mysqli,"SELECT username from logins WHERE username='$username' and password='$password'");
if(mysqli_num_rows($query) !=0)
{
echo "<script language='javascript' type='text/javascript'>location.href='home.php'</script>";
}
else
{
echo "<script language='javascript' type='text/javascript'>alert('Username or Password invalid!')</script>";
}
}
?>
Thank you.
Add an SQL UPDATE statement before your redirect your user.
And do not save the password as plain text in your DB:
Best way to store passwords in MYSQL database
But an better idea is, that you will add an timestamp to your database with the last login. If the timestamp is NULL, than the user can login. If it is not empty the user can not login.
But here the example for the given code:
(Security manuel: https://www.php.net/manual/en/mysqli.real-escape-string.php)
if(isset($_POST['submit']))
{
include("config.php");
session_start();
$username = mysqli_real_escape_string($mysqli, $_POST['username']);// add a little bit security at this point
$password = mysqli_real_escape_string($mysqli, $_POST['password']); // add a little bit security at this point
$_SESSION['login_user'] = $username;
$query = mysqli_query($mysqli,"SELECT username from logins WHERE username='$username' and password='$password' and password IS NOT NULL"); // check that the password is not empty
if(mysqli_num_rows($query) !=0)
{
// update your DB row
// if you got an ID, than do it with the ID and not with the $username and $password
mysqli_query($mysqli,"UPDATE logins SET password = NULL WHERE username='$username' and password='$password'");
// to do it better use instead of JavaScript PHP for the redirect. In this case it is important, that nothing is printed out bevore the `header()`:
header("Location: home.php");
exit;
// try to not mix it up if you are on an pure PHP page
// echo "<script language='javascript' type='text/javascript'>location.href='home.php'</script>";
}
else
{
// same as above
header("Location: login.php?tag=login-invalid");
exit;
// echo "<script language='javascript' type='text/javascript'>alert('Username or Password invalid!')</script>";
}
}
If the "password" is not NULL able, than replace the NULL through = ""
I was working on a register/log in page with a database (first time)
Whenever I register my user, I get the following information in the database:
It is giving me something like a password, but it won't give me my username and email (and i guess password aswell)
Can anyone help me with this?
My php code looks like this:
<?php
session_start();
// connect to database
$db = mysqli_connect('localhost', 'root', '', 'toolsforever');
if (isset($_POST['login_btn'])) {
$username = $db->real_escape_string($username);
$password = $db->real_escape_string($password);
$password = md5($password); // hashed
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 1) {
$_SESSION['message'] = "You are now logged in";
$_SESSION['username'] = $username;
header("location: home.php"); //redirect to home page
}else{
$_SESSION['message'] = "Username/password combination incorrect";
}
}
?>
Thanks in advance
PS: Password2 = confirm password for registration password==password2 before they can register.
You are not getting the values from post array so do it like this:
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
I assume the form fields are names as username and password
It's not just related to retrieval, seems like you need to check the save operation as well. You are storing empty values during registration.
That one worked #danyal Sandeelo. I feel incredible stupid because i've tried an $_POST but i did it like: $username = $_POST['username']; $username = $db->real_escape_string;
I am trying to use the below code to create a login form. The problem being after registration when I am trying to login, getting an error message "Username or Password don't match" even though email & password are correct. I tried "$num <=1" and allows me to log in but obviously it is not authenticating the login details in that case. Any help will be appreciated.Most importantly this code is working fine on a local server like XAMPP but problem starts when using a host server like hostgator (no issue to connect with the server).
<?php
session_start(); // Starting Session
#Database connection
include('../config/connection.php');
$error=''; // Variable To Store Error Message
if (isset($_POST['submit']))
{
if (empty($_POST['email']) || empty($_POST['password'])) {
$error = '<p class="alert alert-danger">One or either field is missing</p>';
}
else
{
// Define $username and $password
$email=$_POST['email'];
$password = $_POST['password'];
// To protect MySQL injection for Security purpose
$email = stripslashes($email);
$email = mysql_real_escape_string($email);
// SQL query to fetch information of registerd users and finds user match.
$q = "SELECT * FROM users WHERE email = '$email' AND password = md5(SHA1('$password'))";
$r = mysqli_query($dbc, $q)or die(mysqli_error());
$num = mysqli_num_rows($r);
if($num ==1){
$_SESSION['username'] = $email;
header('Location:Index.php');
} else {
$error = '<p class="alert alert-danger">Username or Password don\'t match</p>';
}
mysqli_close($dbc); // Closing Connection
}
}
?>
in your query the $password should not be between the quotes, cause then it will seek for the string instead of the value of the variable.
$q = "SELECT * FROM users WHERE email = '$email' AND password = 'md5(SHA1($password))'";
make sure your password is hashed in your database
Please help me. I got this error everytime I tried to login. - "This webpage has a redirect loop ERR_TOO_MANY_REDIRECTS"
Please help me and I'll appreciate your help very much. thanks.
This is my index.php
<?php
include('login.php'); // Includes Login Script
?>
This is my login.php
<?php
session_start();
$error = "";
if (isset($_POST['submit'])) {
if (empty($_POST['email']) || empty($_POST['password'])) {
$error = "Username or Password is invalid";
} else {
// Define $username and $password
$usernameLogin = $_POST['email'];
$passwordLogin = $_POST['password'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "apple", "Apple318992");
// To protect MySQL injection for Security purpose
$username = stripslashes($usernameLogin);
$password = stripslashes($passwordLogin);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
// Selecting Database
$db = mysql_select_db("TS", $connection);
// SQL query to fetch information of registerd users and finds user match.
$query = mysql_query("select * from Users where password='$password' AND email='$usernameLogin'", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
$_SESSION['login_user'] = $usernameLogin; // Initializing Session
} else {
$error = "Username or Password is invalid";
}
}
}
if (isset($_SESSION["login_user"])) {
header("Location:timesheets.php");
}
?>
This is my session.php
<?php
include ('DBConnect.php');
session_start(); // Starting Session
// Storing Session
$user_check = $_SESSION['login_user'];
// SQL Query To Fetch Complete Information Of User
$ses_sql = mysql_query("select email from Users where email='$user_check'", $conn);
$row = mysql_fetch_assoc($ses_sql);
$login_session = $row['email'];
if (!isset($login_session)) {
mysql_close($conn); // Closing Connection
header('Location: index.php'); // Redirecting To Home Page
}
?>
instead of : header('Location: index.php');
try to do it with javascript :
echo '< script> document.location.href="index.php"< /script>';
In your session.php you have to destroy the session because it might be set still but without that the query can find a existing user?
To unset sessions do this:
unset(); for all the session variables unset($_SESSION['login_user']); for a specific session
Please put that before redirecting to index.php.
Otherwise I don't know how to help you sorry.
Also do you have php error / debug enabled? Normally session_start(); should be at very first line in your php file if I am correct, or it throws error.
I am quite new in php language..currently i am working on a login and registration system.but i dont know why the users still can login to the although the email and password insert is wrong,since i already make all the validation.So,guys,pls help me to see my code,see whether where the problem is.
here is my code
<?php
include('config.php');
session_start();
$errors=array();
if ($_SERVER["REQUEST_METHOD"] == "POST"){
$email = $_POST['email'];
$password = $_POST['password'];
if($email&&$password){
//declare variable
$query = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' Password=''$password");
$numrows = mysqli_num_rows($query);
//when user correct input,check the data
if($numrows !== 0) {
while($row=mysqli_fetch_assoc($query)){
$dbemail=$row['Email'];
$dbpassword=$row['Password'];
}
//if username and password match
if($dbemail=$email&&$dbpassword=$password)
{
$SESSION['$email']="$email";
header('Location:user.html');
}
else
{
$errors['notcorrect'] = "Email or password not correct";
}
}
//when insert wrong data
else{
$errors['notexists'] = "This email doesn't exists";
}
}
//when user didnt enter anything
else{
$errors['nothing'] = "Please enter your email and password";
}
}
?>
any idea?
Let's examine these in detail:
Password=''$password"
$SESSION
if($dbemail=$email&&$dbpassword=$password)
WHERE Email='$email' Password=''$password")
$_SESSION['$email']="$email";
$password is outside your quotes.
Then $SESSION is missing an underscore between the $ and SESSION.
This is also a superglobal.
Then you're "assigning" using 1x = sign instead of "comparing" with if($dbemail=$email&&$dbpassword=$password)
Use 2x == signs.
You're missing an AND for WHERE Email='$email' Password=''$password")
WHERE Email='$email' AND Password='$password'");
You should also, and is recommended to add exit; after header.
header('Location:user.html');
exit;
Otherwise, your code risks in continuing to execute.
$_SESSION['$email']="$email"; there is a dollar sign in ['$email']
It needs to read as ['email'].
Sidenote:
Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.
Footnote(s):
In regards to Location:user.html are you sure you want to use an .html file? If you're not instructing Apache to treat .html files as PHP and with no conditional statement to check if the session is set and equal to what you've assigned to it, then anyone can access that file.
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
It is recommended to use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
As the chinese proverb goes: "Show a man how to fish, feed him for life."
Update this
$query = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' AND Password='$password' ");
And also correct the session super global from $SESSION to $_SESSION
You are doing an assignment here where you should be doing a comparison:
if($dbemail=$email&&$dbpassword=$password)
Should be
if($dbemail == $email && $dbpassword == $password)
Whitespace makes things more readable.
the error in select query you forgot and operator
$query = mysqli_query($con,"SELECT * FROM user WHERE Email='{$email}' AND Password='{$password}' ");
And change the equle operator in if statment with === like this
if($dbemail===$email&&$dbpassword===$password)
I hope that works successfully
Update your code
<?php
include('config.php');
session_start();
$errors=array();
if ($_SERVER["REQUEST_METHOD"] == "POST"){
$email = $_POST['email'];
$password = $_POST['password'];
if($email&&$password){
//declare variable
$query = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' AND Password='$password'");
$numrows = mysqli_num_rows($query);
//when user correct input,check the data
if($numrows !== 0) {
while($row=mysqli_fetch_assoc($query)){
$dbemail=$row['Email'];
$dbpassword=$row['Password'];
}
//if username and password match
if($dbemail==$email && $dbpassword==$password)
{
$_SESSION['$email']="$email";
header('Location:user.html');
die();
}
else
{
$errors['notcorrect'] = "Email or password not correct";
}
}
//when insert wrong data
else{
$errors['notexists'] = "This email doesn't exists";
}
}
//when user didnt enter anything
else{
$errors['nothing'] = "Please enter your email and password";
}
}
?>