I want to know the error on this php coding, just wondering where is the mistake in this coding I skipped html part for page input design as I want to know the php part only,
, Im trying to use this for users to enter the username and password to login to the website and this particular website should be password protected password
<?php>
if isset($_POST=['submit']));
{
$inputuser = $_POST['user'];
$inputpass = $_POST['pass'];
$user = "root";
$password = "";
$database = "Tutorial";
$connect = mysql_connect("localhost",$user,$password);
#mysql_select_db($database) or ("database not found");
$query = " SELECT * FROM 'users' WHERE 'user' = i $inputuser";//for query specific data
$querypass = "SELECT * FROM 'users' WHERE 'user' = $ i $inputpass'";
$result = mysql_query($query);
$resultpass = mysql_query($querypass);
$row = mysql_fetch_array($result);
$rowpass = mysql_fetch_array($resultpass);
$serveruser = $row["user"];
$serverpass = $row["password"];
if($serveruser&&$serverpass){
if (!$result) {
die("username and password is invalid");
}
echo "<br> <center>database output</b></center><br><br>";
mysql_close();
echo $inputpass;
echo $serverpass;
if ($inputpass == $serverpass) {
header('location: Home.php');
} else {
header('location: fail.php');
}
}
try this way:
$query="SELECT * FROM users WHERE user='" . mysql_real_escape_string( $inputuser ) . "' AND psw='" . mysql_real_escape_string( $inputpsw ) . "'";
$qr=mysql_query($query) or die (mysql_error());
if(mysql_num_rows($qr)>0) //admitting that usernames and psw are unique
{
//success
header('location:home.php');
}
else //no rows=no username responding to $inputusername
{
header('location:fail.php');
}
Related
thank you for your consideration.
I'll be short and concise, because it seems i get banned no matter what i post.
I found similar questions on here but none of the suggestions were working with my code.
i just need help after login is successful redirecting to a new page my code is.
$username = $_POST["username"];
$conn = mysqli_connect($host, $user, $pass, $db);
$query = "SELECT * FROM user WHERE username = '" .$username. "'";
$result = mysqli_query($conn,$query);
while ($row = mysqli_fetch_assoc($result)){
echo "Password Entered: " . $_POST["password"];
echo "Correct Pasword: " . $row['password'];
// See if the password is correct
if ($_POST["password"] === $row['password'])
echo "Logon Successful!";
else {
echo "Logon Failed!";
}
}
if (!mysqli_fetch_assoc($result))
echo "Invalid Username";
?>
Maybe have a bit of changes like the following:
login.php
$username = $_POST["username"];
$password = $_POST["password"];
$conn = mysqli_connect($host, $user, $pass, $db);
$query = "SELECT * FROM user WHERE username = '" . $username . "'";
$result = mysqli_query($conn,$query);
while ($row = mysqli_fetch_assoc($result)){
// See if the password is correct
if ($password === $row['password']){
header('location: login_successful.php');
}else {
// you can hide the message at QueryString via SESSION or COOKIE
header('location: login_form.php?message=FAIL_MESSAGE'); //you can detect and show login status message.
}
}
i just forgot a semicolon after the header..
$query = "SELECT * FROM user WHERE username = '" .$username. "'";
$result = mysqli_query($conn,$query);
while ($row = mysqli_fetch_assoc($result)){
// See if the password is correct
if ($_POST["password"] === $row['password']){
echo "Logon Successful!";
header("Location: index.php");
exit();
}
As part of my project i created a log in program. i already have a create account page from which the data is going in to the database tables successfully. But my log in program is not working. Below is my code.
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='".$username."'' AND
Password='".$password."' LIMIT 1";
$result = mysql_query($sql);
echo $sql;
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
}
mysql_close($db);
?>
so the problem is it always shows invalid username and password when i try to sign in. please help
You have a error in sql query, an extra ':
$sql = "SELECT * FROM clientinfo WHERE Username ='" . $username . "' AND
Password='" . $password . "' LIMIT 1";
But there are more dangerous problems in this code:
mysql_* are deprecated in PHP 5.5 and removed in PHP 7, so you'd better use mysqli or PDO functions and prepared statements.
Password is stored unencrypted and this is a huge vulnerability
I'll add an example with prepared statements, to prevent SQL Injection:
<?php
$db = new mysqli('localhost', 'root', '', 'childrenparty');
if ($db->connect_errno) {
echo 'Failed to connect to MySQL: (' . $db->connect_errno . ') ' . $db->connect_error;
}else{
echo 'Connected successfully';
}
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = $db->escape_string($username);
$password = $db->escape_string($password);
$query = $db->prepare('SELECT * FROM clientinfo WHERE Username=? AND Password=? LIMIT 1');
$query->bind_param('ss', $username, $password);
$query->execute();
$result = $query->get_result()->fetch_row();
if (null !== $result) {
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
}
echo "<script> alert('Invalid Username and/or Password')</script>";
exit();
}
$db->close();
Hi i have made some changes to your code. This should definetly work. If not the problem is withing the $_POST variable names that you have set. Also double check the Sql query to check if they are the same as the database names. I assume you are just learning to code so its fine but mysql is deprecated now , so try to use mysqli functions.
For further reference check out http://php.net/manual/en/book.mysqli.php
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username = '$username' AND
Password = '$password' LIMIT 1";
$result = mysql_query($sql);
if(mysql_num_rows($result) == 1)
{
echo "<script> alert('Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
}
else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
<?php
$db = mysql_connect('localhost','root','','childrenparty');
if(!$db){die('could not connect:'.mysql_error());}
echo'connected successfully';
if (isset($_POST['loginbtn'])) {
$username = $_POST['txtusername'];
$password = $_POST['txtpassword'];
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM clientinfo WHERE Username ='$username' AND
Password='$password'";
mysql_select_db('childrenparty');
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1) {
echo "<script> alert('You Have Successfully Logged In')</script>";
echo "<script> location.href = 'home.php' </script>";
exit();
} else {
echo "<script> alert('Invalid Username and/or Password')</script>";
}
}
mysql_close($db);
?>
this one worked.thanks guys for the reply.
I have realized why i can't actually access userdata (after i am logged) old way to find the username is $_SESSION['username']; (assuming there is a row as 'username' in MySQL database)
So as i have a test account as "good25" (reason to choose numbers was to see if Alphanumeric inputs works fine.. its just checkup by me.. nevermind)
Problem :
assuming, i have rows in a table as 'username' and all of his information.. such as 'password', 'email', 'joindate', 'type' ...
On net i found out how to snatch out username from Session
<?php session_start(); $_SESSION('username'); ?>
successful!!
i had an idea to check if session is actually registering or no??
after a log on start.php i used this code
if(isset($_SESSION['username'])) { print_r($_SESSION['username']); }
the result was "1" (while i logged in using this username "good25")
any suggestions?
index.php (lets say, index.php just holds registration + Login form + registration script.. in login form, action='condb.php')
<?php
require 'condb.php';
if (isset($_POST['btn-signup']))
{
//FetchInputs
$usern = mysqli_real_escape_string($connection,$_POST['username']);
$email = mysqli_real_escape_string($connection,$_POST['email']);
$password = mysqli_real_escape_string($connection,$_POST['password']);
$repassword = mysqli_real_escape_string($connection,$_POST['repassword']);
$usern = trim($usern);
$email = trim($email);
$password = trim($password);
$repassword = trim($repassword);
//SearchUser
$searchusr = "SELECT username FROM $user_table WHERE username='$usern'";
$usersearched = mysqli_query($connection, $searchusr);
$countuser = mysqli_num_rows($usersearched);
//SearchEmail
$searcheml = "SELECT email FROM $user_table WHERE email='$email'";
$emlsearched = mysqli_query($connection, $searcheml);
$counteml = mysqli_num_rows($emlsearched);
//RegisteringUser
if ($countuser == 0)
{
if ($counteml == 0)
{
$ctime = time();
$cday = date("Y-m-d",$ctime);
$aCode = uniqid();
$adduser = "INSERT INTO $user_table(username, email, password, realname, activationcode, verified, joindate, type, points) VALUES ('$usern','$email','$password','$name','$aCode','n','$cday','Free',$signPoints)";
if (mysqli_query($connection, $adduser))
{
?><script>alert('You have been registered');</script><?php
}
else {
?><script>alert('Couldnt Register, please contact Admin<br><?mysqli_error($connection);?>');</script><?php
}
} else {
?><script>alert('Email already exists!');</script><?php
}
} else {
?><script>alert('Username already exists!');</script><?php
}
}
?>
condb.php
$connection = mysqli_connect($db_server, $db_user, $db_pass);
mysqli_select_db($connection, $db_name);
if(!$connection) {
die ("Connection Failed: " . mysqli_connect_error);
}
if (isset($_POST['btn-login']))
{
$uname = mysqli_real_escape_string($connection,$_POST['uname']);
$upass = mysqli_real_escape_string($connection,$_POST['upass']);
//FindUser
$finduser = "SELECT * FROM $user_table WHERE username='$uname' AND password='$upass'";
$findinguser = mysqli_query($connection,$finduser);
$founduser = mysqli_num_rows($findinguser);
//ConfirmPassword
if ($founduser > 0)
{
session_start();
$_SESSION['username'] = $username;
$_SESSION['username'] = true;
if ($findinguser != false)
{
while ($fetchD = mysqli_fetch_array($findinguser, MYSQLI_ASSOC))
{
$fetchD['username'] = $usernn;
$fetchD['email'] = $email;
$fetchD['userid'] = $uid;
$fetchD['realname'] = $rlnm;
$fetchD['points'] = $pts;
$fetchD['type'] = $membertype ;
}
header("Location: start.php");
} else {
echo mysqli_error();
}
} else {
header("Location: index.php");
?><script>alert('Wrong details, please fill in correct password and email');</script><?php
}
}
I am not asking you to build a script.. just little help please? (Thank you so so so so so much, as i am a self-learner, you don't have to say everything.. just a clue is enough for me)
may be you can try this code
<?php
require_once 'require.inc.php';
//session_start();
if (isset($_POST['btn-login']))
{
$uname = mysqli_real_escape_string($_POST['uname']);
$upass = mysqli_real_escape_string($_POST['upass']);
$search = mysqli_query($connection, "SELECT username, userid, password from $user_table WHERE username='$uname' AND password='$upass'");
$match = mysqli_fetch_assoc($search);
if ($match == 1 and $match['password'] == md5($upass))
{
$_SESSION['username'] = $match['userid'];
} else {
?>
<script>alert('Password or E-mail is wrong. If you havent registered, Please Register');</script>
<?php
}
}
if (isset($_SESSION['username']) or isset($match['userid'])){
header("Location:start.php");
}
if (isset($_POST['btn-signup']))
{
$name = mysqli_real_escape_string($_POST['name']);
$usern = mysqli_real_escape_string($_POST['username']);
$email = mysqli_real_escape_string($_POST['email']);
$password = mysqli_real_escape_string($_POST['password']);
$repassword = mysqli_real_escape_string($_POST['repassword']);
$name = trim($name);
$usern = trim($usern);
$email = trim($email);
$password = trim($password);
$repassword = trim($repassword);
$query = "SELECT email FROM $user_table WHERE email='$email'";
$result = mysqli_query($connection, $query);
$count = mysqli_num_rows($result);
$querytwo = "SELECT username FROM $user_table WHERE username='$usern'";
$resulttwo = mysqli_query($connection, $querytwo);
$counttwo = mysqli_num_rows($resulttwo);
if ($count == 0 AND $counttwo == 0)
{
if ($password == $repassword) {
if (mysqli_query($connection, "INSERT INTO $user_table(username, email, password, realname) VALUES ('$usern','$email','$password','$name')"))
{
?>
<script> alert ('Successfully registered'); </script>
<?php
}
}else {
?>
<script> alert ('The Password you entered, doesnt match.. Please fill in the same password'); </script>
<?php
}
}
else {
?>
<script> alert('Username or E-mail already exist'); </script>
<?php
}
}
?>
and this is for require.inc.php
<?php
global $username;
//require 'dconn.php';
session_start();
$_SESSION["username"] = $username;
$connection = mysqli_connect("localhost","root","", "test") or die(mysqli_error());
// Check Login
if (isset($_SESSION['username']) and isset ($match['userid']))
{
$Selection = "SELECT * FROM $user_table WHERE username='$username'";
$selectQuery = mysqli_query($connection, $Selection);
if ($selectQuery != false)
{
while ($fetchD = mysqli_fetch_assoc($selectQuery))
{
$usernn = $fetchD['username'];
$email = $fetchD['email'];
$uid = $fetchD['userid'];
}
} else {
echo mysqli_error();
}
}
?>
#suggestion, create session after user login and authorized then for each page start session and take session which you created and perform SQL queries using that session variable.
for example :
$_SESSION['user_name']=$row['username'];
for each page:
session_start();
$user_name=$_SESSION['user_name'];
SQL query
mysqli_query($con,"SELECT * FROM users where column_name='$user_name'");
I think you need to include dconn.php file in all files where you want to perform the mysql operation. If you have included it only in require.inc.php then you you it in all your other files.
I have created a database with a table (UserPass) which essentially stores Usernames and Passwords.
Now in my form I want to ask a user to input his username and password and while testing this, I realized that I can input any username from the database and any password to login.
Is it possible to select in the SQL query the password that is in the same line as the username?
I tried something like:
$username = $_POST['username'];
$sql = "SELECT Password FROM UserPass WHERE Username = $username";
But the following mysqli_query failed:
$query = mysqli_query($cxn, $sql);
So here is the entire action.php script:
<?php
include "info.php";
include "god.php";
session_start();
if($_POST['god'] == $god)
{
header( "refresh:0;url=../web.html" );
}
else if(empty($_POST['god']))
{
}
else
{
echo "Can't you read: DON'T TRY!!!!!!!";
exit();
}
$cxn = mysqli_connect($host, $user, $password, $dbname) or die("Go");
//check username
$userI = $_POST["username"];
$userSql = "SELECT Username FROM UserPass ";
$result = mysqli_query($cxn, $userSql) or die("Query failed!");
while($line = mysqli_fetch_assoc($result))
{
extract($line);
foreach ($line as $key => $val)
{
if($_POST['username'] == $val)
{
//check for password
$username = $_POST['username'];
$pass = $_POST['password'];
$sql = "SELECT Password FROM UserPass";
$passres = mysqli_query($cxn, $sql) or die("Request cannot be handled now.");
while ($passline = mysqli_fetch_assoc($passres))
{
extract($passline);
foreach ($passline as $k => $v)
{
if($_POST['password'] == $v)
{
header( "refresh:0;url=../web.html");
}
else
{
session_destroy();
}
}
}
}
}
}
/*
if($userI == $line['Username'])
{
//check for password
$pass = $_POST['password'];
$sql = "SELECT * FROM UserPass";
$res = mysqli_query($cxn, $sql) or die("Pass query failed");
$passline = mysqli_fetch_assoc($res);
if($pass == $passline['Password'])
{
header( "refresh:4;url=../web.html");
session_start();
echo "Login succesful, session started, session id: ";
}
}
*/
/*
if($_POST['username'] == $val)
{
//check for password
$b = $_POST['username'];
$pass = $_POST['password'];
$sql = "SELECT * FROM UserPass";
$passres = mysqli_query($cxn, $sql);
$passline = mysqli_fetch_row($passres);
foreach ($passline as $k => $v )
{
if($_POST['password'] == $v)
{
header( "refresh:0;url=../web.html");
session_start();
}
}
}
*/
/*
else
{
print("Destroying Laptop...US Government...Destroying Laptop...\n");
exit();
}
*/
?>
You just need to check if there is a record that contains both username and password of the same user:
$password = mysqli_real_escape_string($password);
$username = mysqli_real_escape_string($username);
$sql = "SELECT Password FROM UserPass WHERE Username = '$username' AND Password = '$password'";
if there is 1 such result, it is OK.
BTW, you should not store passwords in plain text - instead use one-way hashing function and compare only the hashes of the passwords.
Your SQL query should contain an 'AND' like this:
$link = mysqli_connect("myhost","myuser","mypassw","mybd") or die("Error " . mysqli_error($link));
$username = mysqli_real_escape_string($link, $_POST['username']);
$password = mysqli_real_escape_string($link, $_POST['password']);
$sql = "SELECT * FROM UserPass WHERE username = '{username }' AND password = '{$password}' LIMIT 1";
$query = mysqli_query($link, $sql);
if ($query && mysqli_num_rows($query)>0) {
//user is authenticated
}
?>
By using the logical operator AND your query must match two conditions to give you an answer. That conditions should be known only by the users.
Also please do not store the password field as clear text in database. It's not safe. You should use sha1 hash. For more information about this please take a look here http://en.wikipedia.org/wiki/SHA-1
How would I make this work, I asked before and didn't get a correct answer. This code is the user login, so when they log in I want username and avatar to be trackable through out the site. So far I just have username. I have tried methods and have failed every time.
$username = $_POST['username'];
$password = sha1($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $sql) or die('Error querying database.');
$count=mysqli_num_rows($result);
if ($count == 1)
{
$row = mysqli_fetch_array($result);
while ($_SESSION['username'] = $row['username'])
{
session_start();
header('Location: index.php');
}
}
else
{
echo 'Invalid Logins';
}
mysqli_close($conn);
?>
Supposing you have avatar stored in the avatar field in the database:
if ($count == 1)
{
session_start();
$row = mysqli_fetch_array($result);
$_SESSION['username'] = $row['username'];
$_SESSION['avatar'] = $row['avatar'];
header('Location: index.php');
}
else
{
echo 'Invalid Logins';
}