I have created a page with an image slide showing jQuery. I also have a search that that a user can search for a house from a database and this code works find. When I added php code in so that the user is allowed to log in and tried to run it the page comes up blank, why is this?
Here is my code
session_start();
include "connect.php";
if (isset($_POST['username']) and isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = ($con "SELECT * FROM login WHERE username='$username' and password= '$password'");
$result = mysqli_query($query) or die(mysqli_error());
$count = mysqli_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
}else {
echo "Invalid Login Credentials.";
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo "Hello " . $username . "";
echo "This is the Members Area";
echo "<a href='logout.php'>Logout</a>";
}
?>
Firstly, you're not passing your connection to your query and you have one missing brace.
The one for if (isset($_POST['username']) and isset($_POST['password'])) which should encapsulate your entire PHP.
Sidenote: Using $con as the connection variable's parameter.
<?php
session_start();
include "connect.php";
if (isset($_POST['username']) and isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM login WHERE username='$username' and password='$password'";
$result = mysqli_query($con, $query) or die(mysqli_error());
$count = mysqli_num_rows($result);
if ($count == 1){
$_SESSION['username'] = $username;
}else {
echo "Invalid Login Credentials.";
}
if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo "Hello " . $username . "";
echo "This is the Members Area";
}
} // closing brace for if (isset($_POST['username']) and isset($_POST['password']))
echo "<a href='logout.php'>Logout</a>";
?>
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
Related
I've set up password_hash in my registration script. Can't figure out how to use password_verify correctly to log into my website.
Screenshot of DB: https://i.imgur.com/hWjRiXN.png
Login Code (says "incorrect login, even when the password is correct):
<?php
require 'db_connect.php';
if (isset($_POST['username']) and isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM `member` WHERE username='$username'";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
if (password_verify($_POST['password'],$hashword))
{
echo "Correct login";
}
else
{
echo "incorrect login";
}
}
?>
Registration Code(Works great, no issues with DB connection either):
<?php
require 'db_connect.php';
$email = $_POST['email'];
$username = $_POST['username'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
if($password1 != $password2)
header('Location: registration.html');
if(strlen($username) > 25)
header('Location: registration.html');
$hashword = password_hash($password,PASSWORD_DEFAULT);
$query = "INSERT INTO member ( username, password, email)
VALUES ( '$username', '$hashword', '$email');";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
mysql_close();
header('Location: login.html');
?>
From your code, it looks like you are not checking the $_POST['password'] with the correct hashword which was inserted into the database.
The variable $hashword will have nothing and hence password_verify fails.
Fetch the value of password which was stored in the database and store it in $hashword variable then use it in the password_verify function for it to work as intended.
Example
$row = mysqli_fetch_assoc($result);
$hashword = $row['password'];
Usage
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);
$row = mysqli_fetch_assoc($result);
$hashword = $row['password'];
if (password_verify($_POST['password'],$hashword))
{
echo "Correct login";
}
else
{
echo "incorrect login";
}
I have a login form. I have in my table of the database two records: admin and user. If you login if admin you must go to admin_area.php. this is not working, he always log in if user.
If you login if user this works.
The first part of the script is not working and don't run.
Can someone help me?
thanks in advance.
<?php
//first part: this is not working
session_start();
//if (isset($_POST['submit'])) {
$a_username = $_POST ['username'];
$a_password = md5( $_POST ['password']);
if($a_username == "admin" && $a_password=="intel")
{
include 'connect.php';
$sqli = "SELECT * FROM users WHERE username='$a_username' AND password='$a_password' ";
$numrows = mysqli_query($link, $sqli) or die(mysqli_error());
$username = 'username';
$password = 'password';
//Add some stripslashes
$username = stripslashes($username);
$password = stripslashes($password);
//Check if username and password is good, if it is it will start session
if ($username == $a_username && $password == $a_password)
{
$_SESSION['username'] = 'true';
$_SESSION['username'] = $username;
//Redirect to admin page
header("Location: admin_area.php");exit();
}
}
//second part: this works
$username = $_POST ['username'];
$password = md5( $_POST ['password']);
if($username&&$password)
{
include 'connect.php';
$query = "SELECT * FROM users WHERE username='$username' AND password='$password' ";
$numrows = mysqli_query($link, $query) or die(mysqli_error());
if ($numrows != 0)
{
/
while ($row = mysqli_fetch_assoc ($numrows))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "you are log in <a href='user.php'>click here for contine</a>, after 4 seconds"; header('Refresh: 4;url=user.php');
$_SESSION ['username'] = $username;
}
else
echo "<h3>incorrect password, <a href='index.php'>click here</a></h3>";
}
else
die ("text");
}
else
die ("text");
//}
?>
$a_password = md5( $_POST ['password']);
if($a_username == "admin" && $a_password=="intel")
This condition is not valid, because
$a_password = md5( $_POST ['password'])
is first converted to md5 format and then checked $a_password=="intel"
$a_password is now in md5 format and intel is normal string. For this first try to match normal $a_password like
$a_password = $_POST ['password']
and write your variable into your condition as like
$a_password = md5( $_POST ['password'])
I have been created a login page for user to login. The code is working properly in localhost but not in live server. User can't login on live server and I found out that everytime redirect to index.php, the session will lost, so that user can't login due to lost of session. You have any idea on this?
<?php
session_start();
include "header.php";
if (!empty($_POST)){
include 'database_connect.php';
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM users where username='$username' and password='$password'";
$result = mysql_query($sql, $con);
$rows = mysql_num_rows($result);
if ($rows == 1){
$_SESSION['username'] = $username;
echo "<script>window.location = \"index.php\";</script>";
//header("Location: index.php?" . SID);
}else{
echo "<div class='col-md-12 col-xs-8 alert alert-danger' align='center'>Invalid username and password. Please try again</div>";
}
mysql_close($con);
}
?>
Index.php
<? session_start();?>
<script>alert ('<?php echo $_SESSION['username']; ?>');</script>
Check session in your index.php page.just start session and echo user session. if you get then try if condition.
<?php session_start();
echo $_SESSION["username"];
if($_SESSION["username"]){
echo "bla bla";
}?>
<?php
session_start();
include "header.php";
if (!empty($_POST)){
include 'database_connect.php';
$username1 = $_POST['username']; // change it
$password1 = $_POST['password']; // change it
$username = stripslashes($username1); // change it
$password = stripslashes($password1); // change it
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM users where username='$username' and password='$password'";
$result = mysql_query($sql, $con);
$rows = mysql_num_rows($result);
if ($rows == 1){
$_SESSION['username'] = $username;
echo "<script>window.location = \"index.php\";</script>";
//header("Location: index.php?" . SID);
}else{
echo "<div class='col-md-12 col-xs-8 alert alert-danger' align='center'>Invalid username and password. Please try again</div>";
}
mysql_close($con);
}
?>
You write same name username /password before strip the username/password as well as after , so change the name and try once
In the below code,
<?php session_start(); // your header.php file should not have a session start in that file
include "header.php";
if (!empty($_POST)){
include 'database_connect.php';
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM users where username='$username' and password='$password'";
$result = mysql_query($sql, $con);
$rows = mysql_num_rows($result);
if ($rows == 1){
$_SESSION['username'] = $username;
?><script>alert ('<?php echo $_SESSION['username']; ?>');</script><?
echo "<script>window.location = \"index.php\";</script>";
exit();
//header("Location: index.php?" . SID);
}else{
echo "<div class='col-md-12 col-xs-8 alert alert-danger' align='center'>Invalid username and password. Please try again</div>";
}
mysql_close($con);
}
?>
You need to use session_start() function at the first line of the page after the php script starts
This is the login php script, I don't get no errors or echos so I have no idea what's going on. The "*'s" is me censoring that info. If you would like to see the live page it is here.
<?php
printf("Client library version: %s\n", mysqli_get_client_info());
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
var_dump('test');
if (!empty($username) && !empty($password)){
echo $username
echo $password
$connect = mysql_connect("localhost", "atsbusin_atsbusin", "Andrew85") or die ("Failed to connect to DB");
mysql_select_db("atsbusin_users") or die ("failed to select DB");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows != 0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login Success!";
$_SESSION['username'] == $dbusername;
} else {
echo "Incorrect password!";
}
} else {
die("invalid username, check the spelling or register that name");
}
}
echo 'something'
?>
This is the final working code, thanks to all who helped! Now for me to switch over to mysqli and do the security measures suggested (have a feeling I'll be back ☺ )
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$connect = mysql_connect("localhost", "atsbusin_atsbusi", "Andrew85") or die ("Failed to connect to DB");
mysql_select_db("atsbusin_users") or die ("failed to select DB");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login Success!";
$_SESSION['username'] = $dbusername;
} else {
echo "Incorrect password!";
}
?>
The only way this wont echo anything and not give you an error is If the username exists and the password does not match So it will go through:
if($numrows != 0){
}
Try to put a var_dump('test'); in that IF statement and see if it does show something.
You also have no ; after the
$username = $_POST['username']
$password = $_POST['password']
change it to:
$username = $_POST['username'];
$password = $_POST['password'];
Some extra notes:
you probably want a else around: die("Do not leave username and/or password field blank");
Dont use mysql it will be deprecated as of PHP 5.5.0, and will be removed in the future.
You're wide open to MYSQL injection
EDIT:
It also wouldn't show an error or echo if you fill in the username and password and they both dont match
There are some php syntax errors in your script.
You have missed semicolons at below lines, update code and set display errors on to see if there is any other error
$username = $_POST['username'];
$password = $_POST['password'];
Your code has some syntax and logical errors.
1) You're missing ; when variable assigning.
$username = $_POST['username'];
$password = $_POST['password'];
2) You're not using && in your if() statement, but two $
if ($username == $dbusername && $password == $dbpassword) {
3) You're using a comparison (==) on your $_SESSION and not an assignment (=).
$_SESSION['username'] = $dbusername;
Notes
Check the password matches the one in the database on the query itself (after you encrypt it)
With your current logic, it suggests you store your passwords in plain text. This is a BIG NO-NO.
You're wide open to SQL injections
I have created a site with a login and register.It was working, but when I finished it something was very wrong, I can't login to the site.
I can register a new user and that is added in the mysql db but when I try to login the redirect does not work it will not goto the page index.php.
Can anyone look at this source because and see if you can find anything wrong.
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
$connect = mysql_connect("localhost","root","") or DIE ("Could not connect");
mysql_select_db("case") or die ("could not find db");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
header('location: index.php');
/*echo "Login successful. <a href='membersarea.php'>click her to enter members erea<a/>"; */
/*$_SESSION['username']=$dbusername; */
}
else
echo "Incorrect password";
}
else echo ("That username dows not exist");
}
else
die ("Please enter a username and password");
?>
Get rid of php closing tag ?> and whitespaces, html, blank lines before php opening tag <?php. Also check if there is no output before :
header("Location:");
Like print,var_dump, echo and so on. Also check your if condition, maybe you are just skipping it.
WARNING! you have an SQL injection ERROR. Try with:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
Now, simplify your life:
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
Is it right?
if( mysql_num_rows($query) > 0 ) {
header('location: index.php');
}
At first sight, I notice this:
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword) {
The if is outside the loop. It will only be used against the last row.
If you only have one user, it should be working.