As part of my project I created a login program. I already have a create account page from which the data is going into the database tables successfully. But my login program is not working. Below is my code.
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='".$username."'' AND
Password='".$password."' LIMIT 1";
$result = mysql_query($sql);
echo $sql;
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
}
mysql_close($db);
?>
So the problem is it always shows invalid username and password when I try to sign in. Please help.
You have an error in the SQL query, an extra ':
$sql = "SELECT * FROM clientinfo WHERE Username ='" . $username . "' AND
Password='" . $password . "' LIMIT 1";
But there are more dangerous problems in this code:
mysql_* are deprecated in PHP 5.5 and removed in PHP 7, so you'd better use mysqli or PDO functions and prepared statements.
Password is stored unencrypted and this is a huge vulnerability
I'll add an example with prepared statements, to prevent SQL Injection:
<?php
$db = new mysqli('localhost', 'root', '', 'childrenparty');
if ($db->connect_errno) {
echo 'Failed to connect to MySQL: (' . $db->connect_errno . ') ' . $db->connect_error;
}else{
echo 'Connected successfully';
}
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
// No escape_string() here: bound parameters travel separately from the SQL text,
// and escaping them first would change values that contain quotes.
$query = $db->prepare('SELECT * FROM clientinfo WHERE Username=? AND Password=? LIMIT 1');
$query->bind_param('ss', $username, $password);
$query->execute();
$result = $query->get_result()->fetch_row();
if (null !== $result) {
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
$db->close();
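A variant of the login above that also covers the stored-password point, as an added example that is not part of the original answer: the row is fetched by username through a bound parameter and the password is checked with password_verify() against a password_hash() value. An in-memory SQLite database reached through PDO stands in for the MySQL clientinfo table (an assumption, so the script runs without a server); register(), login() and the sample accounts are constructed for illustration.

```php
<?php
// Added example, not code from the original posts.
// Assumption: in-memory SQLite replaces the MySQL `clientinfo` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clientinfo (
    Username TEXT PRIMARY KEY,
    Password TEXT NOT NULL
)');

// Account creation: store a salted hash, never the password itself.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO clientinfo (Username, Password) VALUES (?, ?)'
    );
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: select by username only, then verify the hash in PHP.
// The password is never part of the WHERE clause.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT Password FROM clientinfo WHERE Username = ? LIMIT 1'
    );
    $stmt->execute([$username]);   // bound value, no manual escaping
    $hash = $stmt->fetchColumn();  // false when the user does not exist
    if ($hash === false) {
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed accounts. The apostrophe in the first name would break a
// query built by string concatenation; as a bound value it is just data.
register($pdo, "o'brien", 'correct horse');
register($pdo, 'alice', 'testpass');

$attempts = [
    ["o'brien", 'correct horse'],  // valid credentials
    ['alice', 'wrong'],            // known user, wrong password
    ['nobody', 'testpass'],        // unknown user
];
foreach ($attempts as [$user, $pass]) {
    printf("%-8s %s\n", $user, login($pdo, $user, $pass) ? 'accepted' : 'rejected');
}
```

In the web handler, the accepted branch is where session_regenerate_id(true), the $_SESSION assignment and header('Location: home.php'); exit; belong, before anything is echoed.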
Hi, I have made some changes to your code. This should definitely work. If not, the problem is within the $_POST variable names that you have set. Also double check the SQL query to check if they are the same as the database names. I assume you are just learning to code so it's fine, but mysql is deprecated now, so try to use mysqli functions.
For further reference check out http://php.net/manual/en/book.mysqli.php
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username = '$username' AND
Password = '$password' LIMIT 1";
$result = mysql_query($sql);
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='$username' AND
Password='$password'";
mysql_select_db('childrenparty');
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1) {
echo "<script> alert('You Have Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
} else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
mysql_close($db);
?>
This one worked. Thanks guys for the reply.
Thank you for your consideration.
I'll be short and concise, because it seems I get banned no matter what I post.
I found similar questions on here but none of the suggestions were working with my code.
I just need help redirecting to a new page after login is successful. My code is:
$username = $_POST["username"];
$conn = mysqli_connect($host, $user, $pass, $db);
$query = "SELECT * FROM user WHERE username = '" .$username. "'";
$result = mysqli_query($conn,$query);
while ($row = mysqli_fetch_assoc($result)){
echo "Password Entered: " . $_POST["password"];
echo "Correct Pasword: " . $row['password'];
// See if the password is correct
if ($_POST["password"] === $row['password'])
echo "Logon Successful!";
else {
echo "Logon Failed!";
}
}
if (!mysqli_fetch_assoc($result))
echo "Invalid Username";
?>
Maybe make a few changes like the following:
login.php
$username = $_POST["username"];
$password = $_POST["password"];
$conn = mysqli_connect($host, $user, $pass, $db);
$query = "SELECT * FROM user WHERE username = '" . $username . "'";
$result = mysqli_query($conn,$query);
while ($row = mysqli_fetch_assoc($result)){
// See if the password is correct
if ($password === $row['password']){
header('location: login_successful.php');
}else {
// you can hide the message at QueryString via SESSION or COOKIE
header('location: login_form.php?message=FAIL_MESSAGE'); //you can detect and show login status message.
}
}
I just forgot a semicolon after the header..
$query = "SELECT * FROM user WHERE username = '" .$username. "'";
$result = mysqli_query($conn,$query);
while ($row = mysqli_fetch_assoc($result)){
// See if the password is correct
if ($_POST["password"] === $row['password']){
echo "Logon Successful!";
header("Location: index.php");
exit();
}
}
I tried to create a login page in PHP. I have a problem with opening the new page when the username and password are correct.
All the pages are in the same directory, which is Inventory.
Here is the code:
<?
$serverName ="localhost";
$dbname="inventory";
$conn = mysql_connect($serverName,"root","");
if(!$conn) die("Connection error". mysql_connect_error());
else echo "connected successfully";
if(isset($_POST['login'])){
if(empty($_POST['username']) || empty($_POST['password']))
echo "<script>
alert('يجب إدخال إسم المستخدم و كلمة السر';);
</script>";
else
{
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$db = mysql_select_db($dbname,$conn) or die("database connection error" . mysql_error());
$query = mysql_query("select * from users where username = '$username' AND password = '$password'", $conn);
$name = mysql_query("select name from users where username = '$username' AND password = '$password'", $conn);
$rows = mysql_num_rows($query);
if($rows == 1)
{
//echo $username.'<br>';
//echo $password.'<br>';
//echo '<br>'. "correct user name and password";
$_SESSION['name'] = $name;
header("location: C:\xampp\htdocs\inventory\menu.php");
//echo "<script> window.open('C:/xampp/htdocs/inventory/menu.php','_self'); </script>";
}
else
{
//echo '<br>'. "incorrect user name and password";
echo "<script>
alert('اسم المستخدم أو كلمة السر غير صحيحة');
</script>
";}}}
mysql_close($conn);
?>
Any suggestions about what might be wrong?
I'm trying to get my new login system to work. I made a simple password and put the hashed pass into my MySQL table with the following code:
makepass.php
<?php
$password = "testpass";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;
?>
dologin.php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
include('includes/functions.php');
session_start();
if(isset($_POST['login'])) {
if(isset($_POST['username'])) {
if(isset($_POST['password'])) {
$username = $_POST['username'];
$dbconn = mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysqli_error($query));
foreach ($dbconn as $user) {
if (password_verify($_POST['password'], $user['Password'])) {
$_SESSION['user'] = $user['Username'];
} else {
echo 'Invalid password!';
}
}
} else {
echo 'Invalid username!';
}
}
}
?>
So I tried to log in with "testpass" and voilà: invalid password!
Any idea? AFAIK it should be okay, I don't see any syntax or other problem.
You shouldn't be using a foreach for this; instead, first query, fetch the array (which you're not using) and then compare that to the row's password.
Sidenote: Replace the ("xxx", "xxx", "xxx", "xxx") with your own credentials. However, $query isn't a word you should use as a connection variable, because it is quite confusing.
(Even I was confused when writing my answer). Use $connection or $conn and I have changed them here, so please use that instead.
$conn = new mysqli("xxx", "xxx", "xxx", "xxx");
if ($conn->connect_error) {
die('Connect Error (' . $conn->connect_errno . ') '
. $conn->connect_error);
}
if(isset($_POST['login'])) {
$username = $_POST['username']; // you could use a conditional !empty() here
$password = $_POST['password']; // here also
$query = "SELECT * FROM cm_users WHERE Username = '".$conn->real_escape_string($username)."';";
$result = $conn->query($query);
// error checking on the query
if (!$result) {
echo "<p>There was an error in query: $query</p>";
echo $conn->error;
}
$row_hash = $result->fetch_array();
if (password_verify($password, $row_hash['Password'])) {
echo "Welcome!";
}
else{
echo "Invalid";
}
}
You can then add the other goodies after, once you've had success.
Sidenote: Make absolutely sure that your POST arrays do hold values and contain no whitespaces. If there are, use trim().
I.e.:
$username = trim($_POST['username']);
$password = trim($_POST['password']);
Check for errors on your query also:
http://php.net/manual/en/mysqli.error.php
And error reporting:
http://php.net/manual/en/function.error-reporting.php
$dbconn = mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysqli_error($query));
should look more like
$userQuery = mysqli_query($variableToConnectToDatabase, "SELECT * FROM cm_users WHERE Username = '$username' AND Password='$password' LIMIT 1 ");
Not sure what your main goal is. Did you want the user to be able to put in their own password, or is the password supposed to be constant?
Try editing dologin.php to this:
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
include('includes/functions.php');
if(isset($_POST['login'])) {
if(isset($_POST['username'])) {
if(isset($_POST['password'])) {
$username = $_POST['username'];
$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
$dbconn = mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysqli_error($query));
foreach ($dbconn as $user) {
if ($hash == $user['Password']) {
$_SESSION['user'] = $user['Username'];
} else {
echo 'Invalid password!';
}
}
} else {
echo 'Invalid username!';
}
}
}
?>
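How password_hash() and password_verify() behave with the "testpass" value from makepass.php, as an added example that is not from any of the posts above: it compares a second password_hash() result with the stored one, then triages the value read back from the database. The helper name diagnose_stored_hash() and the damaged-value cases (shortened, padded, plaintext) are constructed assumptions, not a diagnosis of the asker's table.

```php
<?php
// Added example, not code from the original posts.

// Hypothetical helper: explain why a stored value does or does not verify.
function diagnose_stored_hash(string $password, string $stored): string
{
    if (password_verify($password, $stored)) {
        return 'ok: password matches stored hash';
    }
    if ($stored !== trim($stored)) {
        return 'stored value has leading/trailing whitespace';
    }
    // password_get_info() only recognises a complete, well-formed hash.
    if (password_get_info($stored)['algoName'] === 'unknown') {
        return 'stored value is not a complete password_hash() output';
    }
    return 'hash is well-formed, password does not match';
}

$password = 'testpass';  // sample value from makepass.php
$stored   = password_hash($password, PASSWORD_DEFAULT);
$rehash   = password_hash($password, PASSWORD_DEFAULT);

// Every call draws a new random salt, so hashing the submitted password
// again and comparing strings cannot work; password_verify() re-uses the
// salt embedded in the stored hash instead.
echo 'rehash equals stored: ', var_export($rehash === $stored, true), "\n";

// Constructed cases for what might come back from the Password column.
$cases = [
    'intact hash'               => $stored,
    'hash cut to 50 characters' => substr($stored, 0, 50),
    'hash with trailing space'  => $stored . ' ',
    'plaintext in the column'   => $password,
];
foreach ($cases as $label => $value) {
    echo $label, ': ', diagnose_stored_hash($password, $value), "\n";
}
echo 'wrong password: ', diagnose_stored_hash('other', $stored), "\n";
```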
I want to know the error in this PHP code. Just wondering where the mistake is in this code; I skipped the HTML part for the page input design as I want to know the PHP part only.
I'm trying to use this for users to enter the username and password to log in to the website, and this particular website should be password protected.
<?php>
if isset($_POST=['submit']));
{
$inputuser = $_POST['user'];
$inputpass = $_POST['pass'];
$user = "root";
$password = "";
$database = "Tutorial";
$connect = mysql_connect("localhost",$user,$password);
#mysql_select_db($database) or ("database not found");
$query = " SELECT * FROM 'users' WHERE 'user' = i $inputuser";//for query specific data
$querypass = "SELECT * FROM 'users' WHERE 'user' = $ i $inputpass'";
$result = mysql_query($query);
$resultpass = mysql_query($querypass);
$row = mysql_fetch_array($result);
$rowpass = mysql_fetch_array($resultpass);
$serveruser = $row["user"];
$serverpass = $row["password"];
if($serveruser&&$serverpass){
if (!$result) {
die("username and password is invalid");
}
echo "<br> <center>database output</b></center><br><br>";
mysql_close();
echo $inputpass;
echo $serverpass;
if ($inputpass == $serverpass) {
header('location: Home.php');
} else {
header('location: fail.php');
}
}
Try this way:
$query="SELECT * FROM users WHERE user='" . mysql_real_escape_string( $inputuser ) . "' AND psw='" . mysql_real_escape_string( $inputpsw ) . "'";
$qr=mysql_query($query) or die (mysql_error());
if(mysql_num_rows($qr)>0) //admitting that usernames and psw are unique
{
//success
header('location:home.php');
}
else //no rows=no username responding to $inputusername
{
header('location:fail.php');
}
I tried to put the username & password in dynamically, but
it doesn't work with the stored username & password in the DB and stays on the same page....
Really depressed.
<?php include "../db/db_connection.php";
$username = $_POST['txt_username'];
$pwd =$_POST["txt_pwd"];
if(empty($username) || $username == ""){
header("location:index.php?err_msg=1");
exit;
}
if(empty($pwd) || $pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT username,password FROM users WHERE username= '$username' and password= '$pwd'";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)==1){
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
if($_REQUEST['txt_username'] == $username && $_REQUEST['txt_pwd'] == $pwd){
$_SESSION['txt_username'];
$_SESSION['txt_pwd'];
header("Location:dashboard.php");
}
else{
header("Location:index.php");
}
?>
Those lines don't do anything..
$_SESSION['txt_username'];
$_SESSION['txt_pwd'];
maybe:
$_SESSION['txt_username'] = $user;
$_SESSION['txt_pwd'] = ...;
?
You can try this, I am not sure if this is exactly what you are looking for...
<?php session_start();
$username = $_POST['txt_username'];
$pwd =$_POST["txt_pwd"];
if(empty($username) || $username == ""){
header("location:index.php?err_msg=1");
exit;
}
if(empty($pwd) || $pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT username,password FROM users WHERE username= '$username' and password= '$pwd'";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)==1){
$_SESSION['txt_username'] = $username;
$_SESSION['txt_pwd'] = $pwd;
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
header("Location:index.php"); // if it stays on the same page remove this line
?>
I restructured your code to look cleaner.
Also I suggest you avoid using mysql and start using mysqli (or PDO) to avoid SQL injection attacks.
<?php session_start();
if(isset($_SESSION['txt_username']) && !empty($_SESSION['txt_username'])) {
//If we enter here the user has already logged in
header("Location:dashboard.php");
exit;
}
if(!isset($_POST['txt_username'])) {
header("location:index.php?err_msg=1");
exit;
}
else if(!isset($_POST["txt_pwd"])) {
header("location:index.php?err_msg=2");
exit;
}
$username = $_POST['txt_username'];
$pwd = $_POST["txt_pwd"];
//We use MYSQLI with prepared statements because MYSQL is deprecated
$mysqli = new mysqli('localhost', 'my_bd_user', 'mi_bd_password', 'my_bd');
$sql = "SELECT 1 FROM users WHERE username= ? and password = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("ss", $username, $pwd);
$stmt->execute();
$stmt->bind_result($result);
$stmt->fetch();
if(!empty($result)) {
//IF we enter here user exists with that username and password
$_SESSION['txt_username'] = $username;
header("location:dashboard.php");
exit;
}
else{
header("location:index.php?err_msg=3");
}
Try it.
I checked your code and found everything is correct. I would like you to add a connection file to this.
Like
$username = "root";
$password = "password";//your db password
$hostname = "localhost";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
//select a database to work with
$selected = mysql_select_db("db name",$dbhandle)
or die("Could not select Database");
Thanks
Try the code below.
I have reviewed and changed your code:
<?php session_start();
// Keep the connection handle: the procedural mysqli_* functions need it.
$con = mysqli_connect("localhost","username","password");
mysqli_select_db($con, "database_name");
$username = trim($_POST['txt_username']);
$pwd = trim($_POST["txt_pwd"]);
if($username == ''){
header("location:index.php?err_msg=1");
exit;
}
if($pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT `username`,`password` FROM users WHERE `username`= '".$username."' and password= '".$pwd."'";
$result = mysqli_query($con, $sql);
if(mysqli_num_rows($result)>0){
$_SESSION['txt_username'] = $username;
$_SESSION['txt_pwd'] = $pwd;
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
?>