I tried to create a login page in PHP. I have a problem with opening the new page when the username and password are correct.
All the pages are in the same directory, which is Inventory.
Here is the code:
<?
$serverName ="localhost";
$dbname="inventory";
$conn = mysql_connect($serverName,"root","");
if(!$conn) die("Connection error". mysql_connect_error());
else echo "connected successfully";
if(isset($_POST['login'])){
if(empty($_POST['username']) || empty($_POST['password']))
echo "<script>
alert('يجب إدخال إسم المستخدم و كلمة السر';);
</script>";
else
{
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$db = mysql_select_db($dbname,$conn) or die("database connection error" . mysql_error());
$query = mysql_query("select * from users where username = '$username' AND password = '$password'", $conn);
$name = mysql_query("select name from users where username = '$username' AND password = '$password'", $conn);
$rows = mysql_num_rows($query);
if($rows == 1)
{
//echo $username.'<br>';
//echo $password.'<br>';
//echo '<br>'. "correct user name and password";
$_SESSION['name'] = $name;
header("location: C:\xampp\htdocs\inventory\menu.php");
//echo "<script> window.open('C:/xampp/htdocs/inventory/menu.php','_self'); </script>";
}
else
{
//echo '<br>'. "incorrect user name and password";
echo "<script>
alert('اسم المستخدم أو كلمة السر غير صحيحة');
</script>
";}}}
mysql_close($conn);
?>
Any suggestions about what might be wrong?
Related
This is my code
<?php
$con = mysqli_connect("localhost","root","","system_database");
if(isset($_POST['Submit'])){
$Username = trim($_POST['Username']);
$password = trim($_POST['password']);
// encrypt password before submiting it
$password_encrypted = crypt($password, 'is'); // "is" is the salt
$sql = "SELECT * FROM register WHERE Username = '$Username' AND password='$password_encrypted'";
$query = $con -> query($sql);
$result = mysqli_num_rows($query);
if($result == true){
header ("location: report.php");
} else {
echo "username or password wrong";
}
}
?>
add like this
<?php
$con = mysqli_connect("localhost","root","","system_database");
if(isset($_POST['Submit'])){
$Username = trim($_POST['Username']);
$password = trim($_POST['password']);
if(!empty($Username) && !empty($password)){
$Username = mysqli_real_escape_string($con,$Username);
$password = mysqli_real_escape_string($con,$password);
// encrypt password before submiting it
$password_encrypted = crypt($password, 'is'); // "is" is the salt
$sql = "SELECT * FROM register WHERE Username = '{$Username}' AND password='{$password_encrypted}'";
if($result = mysqli_query($con,$sql)){
if(mysqli_num_rows($result) > 0){
mysqli_free_result($result);
header("Location: report.php");
}else{
echo "username or password wrong";
}
}
}else{
echo "username or password not found";
}
}
?>
As part of my project i created a log in program. i already have a create account page from which the data is going in to the database tables successfully. But my log in program is not working. Below is my code.
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='".$username."'' AND
Password='".$password."' LIMIT 1";
$result = mysql_query($sql);
echo $sql;
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
}
mysql_close($db);
?>
so the problem is it always shows invalid username and password when i try to sign in. please help
You have a error in sql query, an extra ':
$sql = "SELECT * FROM clientinfo WHERE Username ='" . $username . "' AND
Password='" . $password . "' LIMIT 1";
But there are more dangerous problems in this code:
mysql_* are deprecated in PHP 5.5 and removed in PHP 7, so you'd better use mysqli or PDO functions and prepared statements.
Password is stored unencrypted and this is a huge vulnerability
I'll add an example with prepared statements, to prevent SQL Injection:
<?php
$db = new mysqli('localhost', 'root', '', 'childrenparty');
if ($db->connect_errno) {
echo 'Failed to connect to MySQL: (' . $db->connect_errno . ') ' . $db->connect_error;
}else{
echo 'Connected successfully';
}
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = $db->escape_string($username);
$password = $db->escape_string($password);
$query = $db->prepare('SELECT * FROM clientinfo WHERE Username=? AND Password=? LIMIT 1');
$query->bind_param('ss', $username, $password);
$query->execute();
$result = $query->get_result()->fetch_row();
if (null !== $result) {
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
$db->close();
Hi i have made some changes to your code. This should definetly work. If not the problem is withing the $_POST variable names that you have set. Also double check the Sql query to check if they are the same as the database names. I assume you are just learning to code so its fine but mysql is deprecated now , so try to use mysqli functions.
For further reference check out http://php.net/manual/en/book.mysqli.php
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username = '$username' AND
Password = '$password' LIMIT 1";
$result = mysql_query($sql);
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='$username' AND
Password='$password'";
mysql_select_db('childrenparty');
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1) {
echo "<script> alert('You Have Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
} else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
mysql_close($db);
?>
this one worked.thanks guys for the reply.
I'm making a PHP login and it was working before, but I tried to make the username feature case insensitive and the code hasn't worked since. I deleted all of the stuff I added to try and make it case insensitive i.e.strtolower().All that displays on the page is "Please enter a username and password." but I have an html file that is supposed to pop up and dispay the login. Here is the code (I took out the personal database info in the mysql connect area):
<?php
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
else
echo "Incorrect Password";
}
else
die("Username does not exist");
}
else
die("Please enter a username and password.");
?>
I have put mysql_real_escape_string() around your post values to prevent sql injection
Also mysqli is the latest way to connect to mysql database but i have not added that to your code:
session_start();
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login");
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
}
else {
echo "Incorrect Password";
}
}
I am trying to compare my login password with database md5 password but not able to do it.I have also made my login password using md5 but still the problem occour.. please help me out i am new in PHP.
$username = $_POST['username'];
$password = $_POST['password'];
$pass =md5($password);
if ($username&&$password)
{
$connect = mysqli_connect("localhost", "root", "pixster")or die("Couldn't connect to database!");
mysqli_select_db($connect,'rdb') or die ("Couldn't find database");
echo "successfully connected to database<br>";
$query = mysqli_query($connect,"SELECT * FROM login WHERE uname ='$username'");
$numrows=mysqli_num_rows($query);
if($numrows!==0)
{
while($row = mysqli_fetch_assoc($query))
{
$dbusername = $row['uname'];
$dbpassword = $row['password'];
$dbusername;
$dbpassword;
}
if($username==$dbusername&& $pass==$dbpassword)
{
include('logprofile.php');
echo "you are logged in!";
//$_SESSION['abc'] = $username;
}else
echo "your password is wrong";
Please try if($numrows!=0) instead of if($numrows!==0)
Try this:
$username = $_POST['username'];
$password = $_POST['password'];
$pass =md5($password);
if ($username&&$password)
{
$connect = mysqli_connect("localhost", "root", "pixster")or die("Couldn't connect to database!");
mysqli_select_db($connect,'rdb') or die ("Couldn't find database");
echo "successfully connected to database<br>";
$query = mysqli_query($connect,"SELECT * FROM login WHERE uname ='$username'");
$numrows=mysqli_num_rows($query);
if($numrows > 0)
{
while($row = mysqli_fetch_assoc($query))
{
$dbusername = $row['uname'];
$dbpassword = $row['password'];
}
if($username==$dbusername && $pass==$dbpassword)
{
include('logprofile.php');
echo "you are logged in!";
//$_SESSION['abc'] = $username;
}else
echo "your password is wrong";
Try this...
while($row = mysqli_fetch_assoc($query))
{
$dbusername = $row['uname'];
$dbpassword = $row['password'];
}
Remove following lines in loop:
$dbusername;
$dbpassword;
I got the answer to this question. there was a database problem my password length was short than the md5 converted password.so i just increased the length. and now both the password are matching and i am able to login.
i tried to put username & password dynamically but
It doesnt work with stored username & password in DB and stays on same page....
really depressed.
<?php include "../db/db_connection.php";
$username = $_POST['txt_username'];
$pwd =$_POST["txt_pwd"];
if(empty($username) || $username == ""){
header("location:index.php?err_msg=1");
exit;
}
if(empty($pwd) || $pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT username,password FROM users WHERE username= '$username' and password= '$pwd'";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)==1){
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
if($_REQUEST['txt_username'] == $username && $_REQUEST['txt_pwd'] == $pwd){
$_SESSION['txt_username'];
$_SESSION['txt_pwd'];
header("Location:dashboard.php");
}
else{
header("Location:index.php");
}
?>`
Those lines doesn't nothing..
$_SESSION['txt_username'];
$_SESSION['txt_pwd'];
maybe:
$_SESSION['txt_username'] = $user;
$_SESSION['txt_pwd'] = ...;
?
You can try this, I am not sure if this is exactly what you are looking for...
<?php session_start();
$username = $_POST['txt_username'];
$pwd =$_POST["txt_pwd"];
if(empty($username) || $username == ""){
header("location:index.php?err_msg=1");
exit;
}
if(empty($pwd) || $pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT username,password FROM users WHERE username= '$username' and password= '$pwd'";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)==1){
$_SESSION['txt_username'] = $username;
$_SESSION['txt_pwd'] = $pwd;
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
header("Location:index.php"); // if it stays on the same page remove this line
?>
I restructured your code to look more clean.
Also I suggest you to avoid using mysql and start using mysqli (or PDO) to avoid SQL injection attacks.
<?php session_start();
if(isset($_SESSION['txt_username']) && !empty($_SESSION['txt_username'])) {
//If we enter here the user has already logged in
header("Location:dashboard.php");
exit;
}
if(!isset($_POST['txt_username'])) {
header("location:index.php?err_msg=1");
exit;
}
else if(!isset($_POST["txt_pwd"])) {
header("location:index.php?err_msg=2");
exit;
}
$username = $_POST['txt_username'];
$pwd = $_POST["txt_pwd"];
//We use MYSQL with prepared statements BECAUSE MYSQL IS DEPRECATED
$mysqli = new mysqli('localhost', 'my_bd_user', 'mi_bd_password', 'my_bd');
$sql = "SELECT 1 FROM users WHERE username= ? and password = ?";
$stmt = $mysql->prepare($sql);
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->bind_result($result);
$stmt->fetch();
if(!empty($result)) {
//IF we enter here user exists with that username and password
$_SESSION['txt_username'] = $username;
header("location:dashboard.php");
exit;
}
else{
header("location:index.php?err_msg=3");
}
Try it.
I checked your code and found everything is correct .I wold like you to add connection file on this.
Like
$username = "root";
$password = "password";//your db password
$hostname = "localhost";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
//select a database to work with
$selected = mysql_select_db("db name",$dbhandle)
or die("Could not select Database");
Thanks
Try below code :
i have reviewed and changed your code :
<?php session_start();
mysqli_connect("locahost","username","password");
mysqli_select_db("database_name");
$username = trim($_POST['txt_username']);
$pwd = trim($_POST["txt_pwd"]);
if($username == ''){
header("location:index.php?err_msg=1");
exit;
}
if($pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT `username`,`password` FROM users WHERE `username`= '".$username."' and password= '".$pwd."'";
$result = mysqli_query($sql);
if(mysqli_num_rows($result)>0){
$_SESSION['txt_username'] = $username;
$_SESSION['txt_pwd'] = $pwd;
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
?>