I am trying to display an error message in PHP ($error="Username or Password is invalid";) when the username or password is not in the database. But without even running the code (clicking login in index.php), the error message is displaying. Thanks :)
<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
}
if (isset($_POST['submit'])) {
// Define $username and $password
$name=$_POST['username'];
$pass=$_POST['password'];
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "company";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT id, username, password FROM login";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
//echo "id: " . $row["id"]. " - Name: " . $row["username"]. " " . $row["password"]. "<br>";
if($name==$row["username"] && $pass== $row["password"]){
header("location: profile.php"); // Redirecting To Other Page
}else{
$error="Username or Password is invalid";
}
}
}
else {
echo "Server is down";
}
$conn->close();
}
?>
My index.php
<?php
include('../php/login.php'); // Includes Login Script
if(isset($_SESSION['login_user'])){
header("location: ../php/profile.php");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text">
<label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password">
<input name="submit" type="submit" value=" Login ">
<span><?php echo $error; ?></span>
</form>
</div>
</div>
</body>
</html>
I updated your security a little. Make sure you always validate user input. The code below is secure against SQL injections. No way of injection possible! Also HEX attacks are not possible.
<?php
if (!isset($_SESSION)) { session_start(); }
$db_host = "localhost";
$db_user = "root";
$db_pass = "root";
$db_name = "company";
$conn = new mysqli($db_host, $db_user, $db_pass, $db_name);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$errmessage = $error = '';
function checkUsername($data) {
if (!preg_match('/^[A-Za-z0-9.]{8,50}$/', $data)) { // reject unless the whole value is A-Z, a-z, 0-9, . (dot), min-length: 8, max-length: 50
$data = false;
}
return $data;
}
function checkPassword($data) {
if(!preg_match('/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z!##$%]{8,50}$/', $data)) { // A-Z, a-z, 0-9, !, #, #, $, %, min-length: 8, max-length: 50
$data = false;
}
return $data;
}
if (isset($_POST['submit']) && isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
if (checkUsername($username) === false) {
$error = "Username is not valid!";
exit();
}
if (checkPassword($password) === false) {
$error = "Password is not valid!";
exit();
}
$secure_name = bin2hex(htmlspecialchars($username));
//$secure_pass = hashpassword($securepass); // Hash your passwords!
$secure_pass = bin2hex(htmlspecialchars($password));
// Use the hex-encoded copies in the query, not the raw POST values
$sql = "SELECT * FROM login WHERE username = UNHEX('$secure_name') AND password = UNHEX('$secure_pass')";
$result = $conn->query($sql);
if ($result->num_rows == 1) {
session_regenerate_id();
$_SESSION['login_user'] = true;
header("location: profile.php");
} else {
$error = "Username and/or Password is invalid";
}
$conn->close();
} else {
echo "Error";
}
?>
Source for HEX against injection: How can I prevent SQL injection in PHP? (Zaffy's answer)
Extra information:
Do not check only if the session login exists, but also check its value!
if(isset($_SESSION['login_user'])){
header("location: ../php/profile.php");
}
Must be
if (isset($_SESSION['login_user']) && $_SESSION['login_user'] === true){
header("location: ../php/profile.php");
exit();
} else {
// Loginscript
}
The PHP script seems to take ALL username/password pairs from the DB
$sql = "SELECT id, username, password FROM login";
Later, in the while loop, the first pair not matching the user input would trigger an error message assignment.
I already made a sign-up form and everything goes well.
Now I'm trying to do login and I don't succeed.
log1.html
<!DOCTYPE html>
<html>
<head>
<title>RegPage</title>
</head>
<body>
<form action ="log2.php" method="post">
email: <input type="text" name ="email">
<br/>
password: <input type="password" name="password">
<input type = "submit" value = "insert">
</form>
</body>
</html>
log2.php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$databasename = "pilot";
$conn = new mysqli($servername, $username, $password,$databasename);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
$email=$_POST['email'];
$password=$_POST['password'];
$comparepass="SELECT password FROM dbinvestor where email=#email";
if ($comparepass==$password)
{
echo 'logged in !';
}
else
{
echo ' oops';
}
header ("refresh:10;url=log1.html");
?>
DB:
DB image
No matter what I insert in the textbox, the output is always:
connect successfully oops
Why does it always go to the else, even if the password and email are correct?
You are defining a SQL query but you don’t actually run it against your database...
$comparepass="SELECT password FROM dbinvestor where email=#email";
if ($comparepass==$password)
{
echo 'logged in !';
}
You need to execute the query and fetch the result to compare it with the posted value. Here is a bit of code that demonstrates how to proceed, using bind parameters (disclaimer: you seem to be storing clear passwords in the database... just don’t).
$sql="SELECT 1 FROM dbinvestor where email=? and password=?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("ss", $email, $password);
$stmt->execute();
$result = $stmt->get_result();
if (!$result) {
echo 'error: ' . $conn->errno . ' - ' . $conn->error;
} else {
if ($result->num_rows == 1) {
echo 'logged in !';
} else {
echo ' oops';
}
}
You can try this :
$comparepass="SELECT * FROM dbinvestor where email='$email' and password='$password'";
$compare_exe=$this->conn()->query($comparepass); //use your db link
$num_rows=$compare_exe->num_rows; //get row counter, if exist will return 1 else 0
if($num_rows>0){
echo 'logged in !';
}else{
echo 'opps';
}
I've been trying to create a login form for my website but the form seems unable to connect to the table or retrieve info from it. I even tried obtaining some sample code online, but it is still not able to connect. Here's the code:
session_start();
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "Username or Password is empty";
} else {
$username=$_POST['username'];
$password=$_POST['password'];
$connection = mysqli_connect("localhost", "user", "pass");
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($username);
$password = mysqli_real_escape_string($password);
$db = mysqli_select_db($connection, "cpses_company");
$query = mysqli_query("select * from login where password='$password' AND username='$username'", $connection);
$rows = mysqli_num_rows($query);
if ($rows == 1) {
$_SESSION['login_user']=$username;
header("location: profile.php");
} else {
$error = "Username or Password is invalid";
}
mysqli_close($connection);
}
}
No matter what values I insert, I keep getting the error code "Username or Password is invalid". The table does contain values and I get this error even when I am inserting the values correctly. I am assuming that it is unable to connect to the database or the table. Any ideas?
edit: HTML (index.php)
<?php
include('login.php'); // Includes Login Script
if(isset($_SESSION['login_user']))
{
header("location: profile.php");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text">
<label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password">
<input name="submit" type="submit" value=" Login ">
<span><?php echo $error; ?></span>
</form>
</div>
</div>
</body>
</html>
The problem exists here:-
$query = mysqli_query("select * from login where password='$password' AND username='$username'", $connection);
You need to make $connection the first parameter, like this:-
$query = mysqli_query($connection,"select * from login where password='$password' AND username='$username'");
Note:- always try to use MySQL error reporting so that you can get rid of problems like the one you are facing. For that you just need to do the following:-
$query = mysqli_query($connection,"select * from login where password='$password' AND username='$username'")or die(mysqli_error($connection));
There are some other issues, so to help you, please try it like this:-
<?php
session_start();
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "Username or Password is empty";
} else {
//$username=$_POST['username'];
//$password=$_POST['password'];
$connection = mysqli_connect("localhost", "user", "pass","cpses_company"); // direct give db name here
// remove that two line what i said in comment also
$username = mysqli_real_escape_string($connection,$_POST['username']);
$password = mysqli_real_escape_string($connection,$_POST['password']);
$query = mysqli_query($connection,"select * from login where password='$password' AND username='$username'") or die(mysqli_error($connection));
//$rows = mysqli_num_rows($query);//comment this line
if ($query->num_rows > 0) {
$_SESSION['login_user']=$username;
header("location: profile.php");
exit;
} else {
$error = "Username or Password is invalid";
}
mysqli_close($connection);
}
}
?>
As mysqli_query needs parameters like this:-
mysqli_query ( mysqli $link , string $query [, int $resultmode = MYSQLI_STORE_RESULT ] )
Read mysqli_query
So your mysqli_query would be:-
First parameter connection then query
$query = mysqli_query($connection,"select * from login where password='$password' AND username='$username'");
UPDATED
<?php
session_start();
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "Username or Password is empty";
} else {
$username=$_POST['username'];
$password=$_POST['password'];
$connection = mysqli_connect("localhost", "user", "pass","cpses_company"); // direct give db name here
// remove that two line what i said in comment also
$username = mysqli_real_escape_string($connection,$username);
$password = mysqli_real_escape_string($connection,$password);
$query = mysqli_query($connection,"select * from login where password='$password' AND username='$username'") or die(mysqli_error($connection));
//$rows = mysqli_num_rows($query);//comment this line
if ($query->num_rows > 0) {
$_SESSION['login_user']=$username;
header("location: profile.php");
} else {
$error = "Username or Password is invalid";
}
mysqli_close($connection);
}
}
?>
Attempting to create a 'Change Password' page for my website, I keep being confronted with these two errors and I can't seem to understand why they are appearing;
Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /home/ll12rth/public_html/COMM2735/database/password.php on line 51
Warning: mysqli_free_result() expects parameter 1 to be mysqli_result, boolean given in /home/ll12rth/public_html/COMM2735/database/password.php on line 139
<?php
session_start();
$db_hostname = 'localhost';
$db_database = "****"; //replace with your db name
$db_username = "****"; //replace with the db username that you created
$db_password = "****"; //replace with the db password that you created
$db_status = 'not initialised';
$db_server = mysqli_connect($db_hostname, $db_username, $db_password);
$db_status = "connected";
if (!$db_server) {
die("Unable to connect to MySQL: " . mysqli_connect_error());
$db_status = "not connected";
} else
require_once('checklog.php');
require_once("functions.php");
// Grab the form data
$username = trim($_POST['username']);
$password = trim($_POST['password']);
$newpassword = trim($_POST['newpassword']);
$repeatpassword = trim($_POST['repeatpassword']);
if (isset($_POST['submit'])) {
if ($username && $password) {
$username = clean_string($db_server, $username);
$password = clean_string($db_server, $password);
$query = "SELECT * FROM users WHERE username='$username'";
$result = mysqli_query($db_server, $query);
if ($row = mysqli_fetch_array($result)) {
$db_username = $row['username'];
$db_password = $row['password'];
if ($username == $db_username && salt($password) == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['logged'] = "logged";
// header('Location: home.php');
// PASSWORD CHANGING IS DONE HERE
if ($newpassword == $repeatpassword) {
//From register
if (strlen($newpassword) > 25 || strlen($newpassword) < 6) {
$message = "Password must be 6-25 characters long";
} else {
//part 8
// Process details here
//include file to do db connect
if ($db_server) {
//clean the input now that we have a db connection
$newpassword = clean_string($db_server, $newpassword);
$repeatpassword = clean_string($db_server, $repeatpassword);
mysqli_select_db($db_server, $db_database);
// check whether username exists
$query = "SELECT password FROM users WHERE password='$newpassword'";
$result=mysqli_query($db_server, $query);
if ($row = mysqli_fetch_array($result)){
$message = "This is your current password. Please try again.";
} else {
//part 9
// Process further here
$newpassword = salt($newpassword);
$query = "INSERT INTO users (password) VALUES
('$password')";
mysqli_query($db_server, $query) or die("Insert failed. " . mysqli_error($db_server));
$message = "<h1>Your password has been changed!</h1>";
}
mysqli_free_result($result);
} else {
$message = "Error: could not connect to the database.";
}
require_once("php/db_close.php"); //include file to do db close
}
}
//This code appears if passwords dont match
else {
$message = "<h1>Your new passwords do not match! Try again.</h1>";
}
} else {
$message = "<h1>Incorrect password!</h1>";
}
} else {
$message = "<h1>That user does not exist!</h1>" . "Please <a href='password.php'>try again</a>";
}
mysqli_free_result($result);
//Close connection!
mysqli_close($db_server);
} else {
$message = "<h1>Please enter a valid username/password</h1>";
}
}
?>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Techothing password</title>
<div class="aboutcontainer">
<h1>What do you want to change your password to <?php
echo $_SESSION['username'];
?>?</h1>
<form action='password.php' method='POST'>
Current Username: <input type='text' name='username'><br />
Current Password: <input type='password' name='password'><br />
New Password: <input type='password' name='newpassword'><br />
Repeat New Password: <input type='password' name='repeatpassword'><br />
<input type='submit' name='submit' value='Confirm'>
<input name='reset' type='reset' value='Reset'>
</form>
<?php
echo $message
?>
<br />
</div>
</div>
</div>
</div>
</body>
</html>
</body>
</html>
This line
$result = mysqli_query($db_server, $query);
returns either a result object, or, if the query fails for some reason, returns false.
Most people developing this kind of code, especially when we're new to it, check these errors. You could do that roughly like this.
if ( false === $result ) {
printf("Errormessage: %s\n", mysqli_error($db_server));
}
I'm trying to allow users that are on the database to log in if their credentials are present. The problem is, whenever I enter details into the login screen, it will always return Invalid Login Credentials, regardless of whether or not the name/password is on the database.
Here is what I'm working with:
loginSubmit.php
<?php
//begin our session
session_start();
//Check the username and password have been submitted
if(!isset( $_POST['Username'], $_POST['Password']))
{
$message = 'Please enter a valid username and password';
}
else
{
//Enter the valid data into the database
$username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
//Encrypt the password
$password = sha1($password);
//Connect to the database
$SQLusername = "root";
$SQLpassword = "";
$SQLhostname = "localhost";
$databaseName = "jfitness";
try
{
//connection to the database
$dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
//select a database to work with
$selected = mysql_select_db($databaseName, $dbhandle)
or die("Could not select database");
$query = "SELECT * FROM
customers WHERE name =
('$_POST[Username]' AND password = '$_POST[Password]')";
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);
if($count == 1)
{
$_SESSION['username'] = $username;
}
else
{
echo "Invalid Login Credentials";
}
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
echo "Hello " . $username;
}
}
catch(Exception $e)
{
$message = 'We are unable to process your request. Please try again later"';
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
</body>
</html>
Login.php
<html>
<head>
<title>Login</title>
</head>
<body>
<h2>Login Here</h2>
<form action="loginSubmit.php" method="post">
<fieldset>
<p> <label for="Username">Username</label>
<input type="text" id="Username" name="Username" value="" maxlength="20" />
</p>
<p>
<label for="Password">Password</label>
<input type="text" id="Password" name="Password" value="" maxlength="20" />
</p>
<p>
<input type="submit" value="Login" />
</p>
</fieldset>
</form>
</body>
</html>
AddUser
//Enter the valid data into the database
$username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
//Encrypt the password
$password = sha1($password);
//Connect to the database
$SQLusername = "root";
$SQLpassword = "";
$SQLhostname = "localhost";
$databaseName = "jfitness";
try
{
//connection to the database
$dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
//select a database to work with
$selected = mysql_select_db($databaseName, $dbhandle)
or die("Could not select database");
$sql = "INSERT INTO
customers (name, password)
VALUES
('$_POST[Username]','$_POST[Password]')";
if(!mysql_query($sql, $dbhandle))
{
die('Error: ' . mysql_error());
}
//Unset the form token session variable
unset( $_SESSION['formToken'] );
echo "1 record added";
//close the connection
mysql_close($dbhandle);
}
catch (Exception $ex)
{
if($ex->getCode() == 23000)
{
$message = 'Username already exists';
}
else
{
$message = 'We are unable to process your request. Please try again later"';
}
It might be because of this, the way you have the brackets.
-Please see my notes about using prepared statements and password_hash() below.
SELECT * FROM customers
WHERE name = ('$_POST[Username]'
AND password = '$_POST[Password]')
Change it to:
SELECT * FROM customers
WHERE name = '$username'
AND password = '$password'
and for testing purposes, try removing
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
that could be affecting / rejecting characters. Make sure there is no white space also.
Also changing if($count == 1) to if($count > 0)
or replacing $count = mysql_num_rows($result); if($count == 1) { with if(mysql_num_rows($result) > 0){
Your password is not being hashed
After testing your Adduser code, I noticed that your hashed password isn't being stored as a hash.
Change ('$_POST[Username]','$_POST[Password]') in your Adduser page to ('$username','$password').
I suggest you move to mysqli with prepared statements, or PDO with prepared statements, they're much safer.
As it stands, your present code is open to SQL injection.
Here is a good site using PDO with prepared statements and password_hash().
http://daveismyname.com/login-and-registration-system-with-php-bp
See also:
CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
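An added example (not code from any of the posts on this page) of the approach this answer recommends: PDO prepared statements with password_hash() at registration and password_verify() at login, plus the redirect-then-exit and session ID regeneration raised in the earlier login threads. It assumes an in-memory SQLite database in place of MySQL so it runs stand-alone; the function names register_user, verify_login and handle_login are hypothetical.

```php
<?php
// Added example, not from the original posts.
// Assumption: in-memory SQLite stands in for MySQL so this runs with the PHP CLI;
// for MySQL only the DSN and credentials given to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// Store only a salted hash; the plain password never reaches the table.
function register_user(PDO $pdo, string $name, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO customers (name, password) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Fetch the single row for this name, then compare hashes in PHP.
// The password is never part of the WHERE clause.
function verify_login(PDO $pdo, string $name, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password FROM customers WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, $dummy); // do the same work for unknown names
        return false;
    }
    return password_verify($password, $hash);
}

// Web entry point (the caller has already run session_start()):
// returns an error string, or redirects and stops.
function handle_login(PDO $pdo, array $post): string
{
    $name = $post['Username'] ?? '';
    $pass = $post['Password'] ?? '';
    if (!is_string($name) || !is_string($pass) || !verify_login($pdo, $name, $pass)) {
        return 'Invalid Login Credentials';
    }
    session_regenerate_id(true);   // new session ID once authenticated
    $_SESSION['username'] = $name;
    header('Location: profile.php');
    exit;                          // nothing may run after the redirect
}

if (PHP_SAPI === 'cli') {
    register_user($pdo, 'alice', 'correct horse 42'); // constructed sample account
    $attempts = [
        ['alice', 'correct horse 42'],  // valid pair
        ['alice', 'wrong'],             // wrong password
        ["' OR '1'='1", 'anything'],    // quotes are bound as data, not parsed as SQL
        ['bob', 'correct horse 42'],    // unknown user
    ];
    foreach ($attempts as [$name, $pass]) {
        printf("%-16s %s\n", $name, verify_login($pdo, $name, $pass) ? 'logged in' : 'rejected');
    }
}
```

Run from the command line, only the first attempt prints "logged in"; the other three print "rejected".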
Try this mate
$query = "select * from customer where name = '" .$username ."' and password = '" .$password ."'";
//use the SANITIZED data
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if($row) {
$_SESSION['name'] = $row['name'];
$_SESSION['password'] = $row['password'];
}
else { //not found
header('Location: go back.php?error=2');
}
echo "Hello " . $username;
I am trying to create a password change page for a website I am attempting to make. However when the user enters in the information to the form it sends me to a blank page. In other words my php code is not even executing and I am not sure why. I have tried it a few different ways but I am not entirely sure what's going on. This is my first time making a settings page or website in general so maybe it's a simple mistake or I'm going about it all wrong. Here is my php code.
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<body>
<?php
$db_server = "server";
$db_username = "name";
$db_password = "pass";
$con = mysql_connect($db_server, $db_username, $db_password);
if (!$con) {
die('Could not connect: ' . mysql_error());
}
$database = "Account_Holder";
$er = mysql_select_db($db_username);
if (!$er) {
print ("Error - Could not select the database");
exit;
}
$username = $_P0ST['username'];
$cur_password = $_POST['cur_password'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
// Check for an existing password.
if (isset($_POST['cur_password']))
{
$pass = FALSE;
print('<p>You forgot to enter your existing password!</p>');
}
else {
$pass = escape_data($_POST['cur_password']);
}
// Check for a password and match against the confirmed password.
if (empty($_POST['password']))
{
$newpass = FALSE;
print('<p>You forgot to enter your new password!</p>');
}
else
{
if ($_POST['password'] == $_POST['password2']) {
$newpass = escape_data($_POST['password']);
}
else
{
$newpass = FALSE;
$message .= '<p>Your new password did not match the confirmed new password!</p>';
}
if ($pass && $newpass) { // If checking passes
$query = "SELECT * FROM Account_Holder WHERE password='$pass')";
$result = mysql_query($query);
$num = mysql_num_rows($result);
if ($num == 1) {
$row = mysql_fetch_array($result);
// Make the query.
$query = ("UPDATE Account_Holder SET password='$newpass' WHERE username=$username");
$result = mysql_query($query); // Run the query.
if (mysql_affected_rows() == 1) { // If it ran OK.
echo '<p><b>Your password has been changed.</b></p>';
}
else
{ // If query failed.
print('<p>Your password was not changed.</p><p>' . mysql_error() . '</p>');
}
} else
{
print('<p>Your username and password did not match any in the database.</p>');
}
}
else
{
print('<p>Please try again.</p>');
}
}
?>
</body>
</html>
<!--
I also did it this way and all the validations work and it says the password was updated but it does not change in the database. Is something wrong with my sql?
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Change Password Confrim</title>
</head>
<body>
<?php
$db_server = "server";
$db_username = "name";
$db_password = "pass";
$con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$database = "Account_Holder";
$er = mysql_select_db($db_username);
if (!$er)
{
print ("Error - Could not select the database");
exit;
}
//include "include/session.php";
// check the login details of the user and stop execution if not logged in
//require "check.php";
//////////Collect the form data ////////////////////
$username =$_P0ST['username'];
$todo=$_POST['todo'];
$password=$_POST['password'];
$password2=$_POST['password2'];
/////////////////////////
if(isset($todo) and $todo=="change-password"){
$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
//Setting flags for checking
$status = "OK";
$msg="";
//Checking to see if password is at least 3 char max 8
if ( strlen($password) < 3 or strlen($password) > 8 )
{
$msg=$msg."Password must be more than 3 char legth and maximum 8 char lenght<br/>";
$status= "NOTOK";
}
//Checking to see if both passwords match
if ( $password <> $password2 )
{
$msg=$msg."Both passwords are not matching<br/>";
$status= "NOTOK";
}
if($status<>"OK")
{
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
else
{ // if all validations are passed.
if(mysql_query("UPDATE Account_Holder SET password='$password' WHERE username='$username'"))
{
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully.</font></center>";
}
else
{
echo "<font face='Verdana' size='2' color=red><center>Sorry <br> Failed to change password.</font></center>";
}
}
}
//require "bottom.php";
?>
<center>
<br><br><a href='Settings.html'>Settings Page</a></center>
</body>
</html>
I wish I could just leave a comment. But no.
You have a lot of errors in your code such as this
$username = $_P0ST['username'];
I'm guessing error reporting is turned off on the page, so you don't see the syntax errors, and you just get a blank page.
Turn on errors. This may work.
error_reporting(E_ALL);
A few comments:
$er = mysql_select_db($db_username);
This is the wrong variable.
$username = $_P0ST['username'];
A zero instead of a letter O.
$query = "SELECT * FROM Account_Holder WHERE password='$pass')";
and
$query = ("UPDATE Account_Holder SET password='$newpass' WHERE username=$username");
Can you say "SQL injection"? Also, missing quotes around the username value.
As mentioned by Adam Meyer above, you appear to have error reporting off. Either that, or you have output buffering somewhere and yet another syntax error in there.
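As an added example (not code from the question or the answers), here is the password change written with bound parameters and password_hash(): the account is looked up by username, the current password is checked against the stored hash, and the existing row is updated. It assumes an in-memory SQLite database in place of MySQL so it runs stand-alone; change_password and the length policy are hypothetical.

```php
<?php
// Added example, not from the original posts.
// Assumptions: in-memory SQLite stands in for MySQL; the table and column names
// follow the question; the 8-character minimum is an illustrative policy.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE Account_Holder (
    username TEXT PRIMARY KEY,
    password TEXT NOT NULL
)');
$seed = $pdo->prepare('INSERT INTO Account_Holder (username, password) VALUES (?, ?)');
$seed->execute(['alice', password_hash('old-Passw0rd', PASSWORD_DEFAULT)]); // constructed account

function change_password(PDO $pdo, string $username, string $current,
                         string $new, string $confirm): string
{
    if ($new !== $confirm) {
        return 'New passwords do not match';
    }
    // bcrypt, the current PASSWORD_DEFAULT, ignores input past 72 bytes
    if (strlen($new) < 8 || strlen($new) > 72) {
        return 'Password must be 8-72 bytes long';
    }

    // Look the account up by username only, then verify the stored hash.
    $stmt = $pdo->prepare('SELECT password FROM Account_Holder WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        return 'Username or current password is incorrect';
    }
    if (password_verify($new, $hash)) {
        return 'New password must differ from the current one';
    }

    // UPDATE the existing row; both values are bound, so quoting cannot break the query.
    $upd = $pdo->prepare('UPDATE Account_Holder SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return $upd->rowCount() === 1 ? 'Password changed' : 'Password was not changed';
}

if (PHP_SAPI === 'cli') {
    $cases = [
        ['alice', 'wrong-guess',  'new-Passw0rd!', 'new-Passw0rd!'], // bad current password
        ['alice', 'old-Passw0rd', 'new-Passw0rd!', 'new-Passw0rd?'], // confirmation differs
        ['alice', 'old-Passw0rd', 'new-Passw0rd!', 'new-Passw0rd!'], // succeeds
        ['alice', 'old-Passw0rd', 'another-Pass1', 'another-Pass1'], // old password no longer valid
    ];
    foreach ($cases as $c) {
        echo change_password($pdo, ...$c), "\n";
    }
}
```

In a web page the username would come from the authenticated session instead of a form field, so one user cannot target another account.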