I want to create login page. First, I get username and password from login.html and send them to login.php to check its available or not. But it always give errors and I cannot solve that
Login.html
<form action="login.php" method="post">
<div class="containerLogin">
<label><b>Username</b></label>
<input type="text" placeholder="Enter Username"name="username" required>
<label><b>Password</b></label>
<input type="password" placeholder="Enter Password" name="password" required>
</div>
<div class="containerLogin" style="background-color:#f1f1f1">
<input type="submit" name="submit" value="submit" class="btn btn-primary">
<span class="password">Forgot password?</span>
</div>
</form>
login.php
<?php
include_once "connection.php";
if (isset($_POST['submit'])) {
session_start();
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
$query = mysqli_query("SELECT * FROM studenttable WHERE username='$username' and password='$password'");
$res = mysqli_query($con, $query);
$count_user = mysqli_num_rows($res);
if($count_user==1)
{
$row = mysqli_fetch_array($res);
$_SESSION['username'] = $row['username'];
$_SESSION['password'] = $row['password'];
header("location:dashboard.php?success=1");
}else{
$error = 'Incorrect Username, Password and Branch.';
}
}
}
?>
ERRORS
login.php
The $query variable should not be a mysqli_query, but a string, since you can't pass a query as a parameter to another query. Replace that line (24) with this:
$query = "SELECT * FROM studenttable WHERE username='$username' and password='$password'";
Related
Here is my form, it send POST to loginuser.php it have drop-down list which was read users from database.
<form action="loginuser.php" method="POST">
<div class="form-group">
<select name="userList">
<option> - - - </option>
<?php
include 'db.php';
$sql = "SELECT username FROM dbusers";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
echo "<option>" . $row["username"]. "</option>";
}
}
?>
</select>
</div>
<div class="form-group">
<input name "password" type="password" class="form-control" id="inputPassword">
</div>
<div class="form-group">
<button type="submit" class="btn btn-info btn-sm btn-block">Login</button>
</div>
</form>
And this is my loginuser.php - when i push the Login button it send me to localhost/loginuser.php but it show "TEST-FALSE"
<?php
session_start();
require('db.php');
if (isset($_POST['username']) and isset($_POST['password'])){
echo "TEST - GOOD";
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM `dbusers` WHERE username='$username' and password='$password'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$count = mysqli_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
}else{
$fmsg = "Invalid Login Credentials.";
}
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo "Succes";
}else{
echo "TEST - FALSE";
}
?>
Also, my connection in db.php work because script on form show users correctly.
I changed some pass values in select drop down in your front end like and i dont know name=password is typo error or not :
<form action="loginuser.php" method="POST">
<div class="form-group">
<select name="userList">
<option> - - - </option>
<?php
include 'db.php';
$sql = "SELECT username FROM dbusers";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
echo "<option value='".$row["username"]."'>" . $row["username"]. "</option>";
}
}
?>
</select>
</div>
<div class="form-group">
<input name="password" type="password" class="form-control" id="inputPassword">
</div>
<div class="form-group">
<button type="submit" class="btn btn-info btn-sm btn-block">Login</button>
</div>
and your php code is like:
<?php
session_start();
require('db.php');
if (isset($_POST['userList']) && isset($_POST['password'])){
echo "TEST - GOOD";
$username = $_POST['userList'];
$password = $_POST['password'];
$query = "SELECT * FROM `dbusers` WHERE username='$username' and password='$password'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$count = mysqli_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
}else{
$fmsg = "Invalid Login Credentials.";
}
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo "Succes";
}else{
echo "TEST - FALSE";
}
?>
Note: Please avoid the sql injection try to use PDO.,
You wrote this
<div class="form-group"> <input name "password" type="password" class="form-control" id="inputPassword"> </div>
Correct with this
<div class="form-group"> <input name="password" type="password" class="form-control" id="inputPassword"> </div>
name="password" (=) missing
Unable to login to admin panel getting error message as invalid credentials after entering correct credentials also.Here is my code
index.php:
<form method="post" action="login_model.php">
<input type="text" class="text" placeholder="E-mail address" name="admin_email" id="admin_email">
<input type="password" placeholder="Password" name="admin_password" id="admin_password">
<div class="submit"><input type="submit" name="submit1" value="Login"></div>
<ul class="new">
<li class="new_left"><p>Forgot Password ?</p></li>
<div class="clearfix"></div>
</ul>
</form>
login_model.php :
$connection = mysql_connect("localhost", "root", "") or die(mysql_error());
$db = mysql_select_db("dance", $connection);
$name = $_POST["admin_email"];
$password = $_POST["admin_password"];
if(isset($_POST['submit1'])){
$query = "SELECT * FROM admin_login where admin_email= '$name' AND
admin_password= '$password' ";
$result = mysql_query($query);
$rows=mysql_num_rows($result);
if($rows==1){
session_start();
$_SESSION['username'] = "$email";
header("Location:voterslist.php");
} else {
echo "Invalid Username or Password";
}
}
I have to make an application that can be SQL injected, but I can't make it possible to SQL inject. I tried everything to SQL inject it, but I didn't succeed. It's possible to write the username like admin'# because that comments out the line.
I hope you can help me. You see my code just underneath.
<?php
include('include/config.php');
include('parts/header.php');
$submit = $_POST['submit'];
$username = $_POST['username'];
$password = $_POST['password'];
if ($submit) {
if(!empty($username OR !empty($password))) {
$sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
if(mysql_num_rows($sqlQuery) == 1) {
// Success - admin'#
echo "LOGGEDIN";
$_SESSION['loggedin'] = 1;
}
else {
echo "Wrong password or username";
}
}
else {
echo "You didn't fill every field.";
}
}
?>
<div id="container">
<form action="login.php" method="POST">
<input type="text" name="username" placeholder="Type user name...">
<input type="password" name="password" placeholder="Type password...">
<input type="submit" name="submit" value="Log in">
</form>
</div>
<?php
include('include/config.php');
include('parts/header.php');
$submit = $_POST['submit'];
$username = (int)$_POST['username'];
$password =(int)$_POST['password'];
if ($submit) {
if(!empty($username OR !empty($password))) {
$sqlQuery="SELECT * FROM users WHERE user_login = '$username' AND password = '$password'";
//SELECT * FROM `wp_users` WHERE `user_login`='1' OR '1' = '1' AND `user_pass`='1' OR '1' = '1'
//$sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
echo $sqlQuery;
exit;
if(mysql_num_rows($sqlQuery) == 1) {
// Success - admin'#
echo "LOGGEDIN";
$_SESSION['loggedin'] = 1;
} else {
echo "Wrong password or username";
}
} else {
echo "You didn't fill every field.";
}
}
?>
<div id="container">
<form method="POST">
<input type="text" name="username" placeholder="Indtast brugernavn..">
<input type="password" name="password" placeholder="Indtast kodeord..">
<input type="submit" name="submit" value="Log ind">
</form>
</div>
You Query output will be this and always true,
SELECT * FROM wp_users WHERE user_login = '7' AND user_pass = '7'
You can use the mysql_real_escape_string function to make a variable secure:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
I have my Oral defense at school next week.. and I tried searching for answers.. none was working so I figured out to ask here right away..
So okay.. my page is here and I connected my php page to my database (godaddy) and its working.. in registration.php, you can add employee and its being added to my database "table" but when I try login.php it said.. "Incorrect password" but the password is correct in my database..
its like.. my php can be connected to database
but my database doesn't want to connect to my php page..
what's wrong with my code? Can you help me? please?
<?php
require('db.php');
session_start();
if (isset($_POST['username'])){
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$username = mysql_real_escape_string($username);
$password = stripslashes($password);
$password = mysql_real_escape_string($password);
$query = "SELECT * FROM 'users' WHERE username='$username' and password='".md5($password)."'";
$result = mysql_query($query) or die(mysql_error());
$rows = mysql_num_rows($result);
if($rows==1){
$_SESSION['username'] = $username;
header("Location: home.php");
} else {
echo "<div class='form'><h3>Username/password is incorrect.</h3><br/><div>";
}
}else{
?>
<div class="form">
<h1>Log In</h1>
<form action="" method="post" name="login">
<input type="text" name="username" placeholder="Username" required />
<input type="password" name="password" placeholder="Password" required />
<input name="submit" type="submit" value="Login" />
</form>
</div>
<?php } ?>
Hello I am having some issue here i created a script to update users account details but when the form is filled in and submit button clicked no errors come up but at the same time no changes are made in the table
THIS IS ONLY A DUMMY APPLICATION SO EVERYTHING IS KEEP BASIC
<?php
session_start();
include('connect_mysql.php');
if(isset($_POST['update']))
{
$usernameNew = stripslashes(mysql_real_escape_string($_POST["username"]));
$passwordNew = stripslashes(mysql_real_escape_string($_POST["password"]));
$first_nameNew = stripslashes(mysql_real_escape_string($_POST["first_name"]));
$last_nameNew = stripslashes(mysql_real_escape_string($_POST["last_name"]));
$emailNew = stripslashes(mysql_real_escape_string($_POST["email"]));
$user_id = $_SESSION['user_id'];
$editQuery = mysql_query("UPDATE users SET username='$usernameNew', password='$passwordNew', first_name='$first_nameNew', last_name='$last_nameNew' , email='$emailNew' WHERE user_id='$user_id'");
if(!$editQuery)
{
echo mysql_error($editQuery);
die($editQuery);
}
}
?>
<html>
<head>
<title>Edit Account</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<header><h1>E-Shop</h1></header>
<article>
<h1>Welcome</h1>
<h1>Edit Account</h1>
<div id="login">
<ul id="login">
<form method="post" name="editAccount" action="userEditAccount.php" >
<fieldset>
<legend>Fill in the form</legend>
<label>Select Username : <input type="text" name="username" /></label>
<label>Password : <input type="password" name="password" /></label>
<label>Enter First Name : <input type="text" name="first_name" /></label>
<label>Enter Last Name : <input type="text" name="last_name" /></label>
<label>Enter E-mail Address: <input type="text" name="email" /></label>
</fieldset>
<br />
<input type="submit" value="Edit Account" class="button">
<input type="hidden" name="update" value="update">
</form>
</div>
<form action="userhome.php" method="post">
<div id="login">
<ul id="login">
<li>
<input type="submit" value="back" onclick="index.php" class="button">
</li>
</ul>
</div>
</article>
<aside>
</aside>
<div id="footer">Text</div>
</div>
</body>
</html>
SOrry for some reason the I forgotten to copy this part faceslap
login.php:
<?php
session_start();
require('connect_mysql.php');
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$username = $_POST["username"];
$password = $_POST["password"];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$query = mysql_query("SELECT * FROM users WHERE Username='$username' AND Password='$password'");
$numrow = mysql_num_rows($query);
if($username && $password){
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);
if($numrow !=0){
while($row = mysql_fetch_assoc($query)){
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if($username == $dbusername && $password == $dbpassword ){
$_SESSION['user_id'] = $user_id;
header("Location: userhome.php");
}
else{
echo "Incorect password";
}
}
else{
die("This user dosent exists");
}
}
else{
$reg = die("Please enter username and password");
}
}
?>
You haven't called session_start() at the beginning of the file, so $username will be an empty string, and the update command will only update rows where the username is an empty string.
Edit: In fact, that code won't even be run, because you haven't called session_start(), isset($_SESSION['update']) will evaluate to false.
Did you mean to write $_SESSION['update']? Shouldn't that be $_POST['update']?
Last but not least, personally I would replace this:
<input name="update" type="submit" submit="submit" value="Edit Account" class="button">
with this:
<input type="submit" value="Edit Account" class="button">
<input type="hidden" name="update" value="update">
At least for clarity. I don't know if it's still the case, but in time gone by not all browsers submitted the name/value of the submit button.
Sir from the code given above i think you have error in your login.php
$_SESSION['user_id'] = $user_id;
You are not assigning value to $user_id that why it is setting blank value to $_SESSION['user_id'].
<?php
session_start();
require('connect_mysql.php');
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$username = $_POST["username"];
$password = $_POST["password"];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$query = mysql_query("SELECT * FROM users WHERE Username='$username' AND Password='$password'");
$numrow = mysql_num_rows($query);
if($username && $password){
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);
if($numrow !=0){
$user_id = 0;
while($row = mysql_fetch_assoc($query)){
$dbusername = $row['username'];
$dbpassword = $row['password'];
$user_id = $row['user_id'];
}
if($username == $dbusername && $password == $dbpassword ){
$_SESSION['user_id'] = $user_id;
header("Location: userhome.php");
}
else{
echo "Incorect password";
}
}
else{
die("This user dosent exists");
}
}
else{
$reg = die("Please enter username and password");
}
}
?>