PHP error in HTML - php

Okay, I'm new to PHP, SQL, and HTML and I after several days I finally got my website fully coded. Now I am writing code for users to register and login. I got the register to work, but not the login.
I get the following error:
Parse error: syntax error, unexpected T_STRING in /home/u190182631/public_html/index.html on line 58
What am I doing wrong?
PHP:
<?php
$mysql_host = "xxx";
$mysql_database = "xxx";
$mysql_user = "xxx";
$mysql_password = "xxx";
$errorU = $errorP = "";
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if(empty($_POST["username"]))
{
$errorU = "Please Enter your Username";
}
if(empty($_POST["pword"]))
{
$errorP = "Please eneter a Password";
}
if ($errorU == "" && $errorP == "")
{
$con=mysqli_connect($mysql_host,$mysql_user,$mysql_password,$mysql_database);
$username = $_POST["username"];
$password = $_POST["pword"];
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT * FROM Persons WHERE Username = '$username' and Password = '$password',$con) or exit('$sql failed: '.mysql_error());
$num_rows = mysql_num_rows($result);
if ($num_rows==0)
{
echo('okay');
}
else
{
echo('no');
exit;
}
}
}
?>
Form in HTML:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
Username: <input type="text" name="username"><br><br>
Password: <input type="password" name="pword">
<input type="submit" value="Login">
</form>


You are not closing this string
$result = mysqli_query($con,"SELECT * FROM Persons WHERE Username = '$username' and Password = '$password',$con) or exit('$sql failed: '.mysql_error());
it should be
$result = mysqli_query($con,"SELECT * FROM Persons WHERE Username = '$username' and Password = '$password'") or exit('$sql failed: '.mysql_error());
On another note. Please do not use unfiltered data when getting things from a database. You will have problems with sql injection. Also don't store the password in plain text. Hash it with salt.
EDIT: You really should use PDO's. See this link: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/


probably you missed " in
$result = mysqli_query($con,"SELECT * FROM Persons WHERE Username = '$username' and Password = '$password',$con) or exit('$sql failed: '.mysql_error());
try:
$result = mysqli_query($con,"SELECT * FROM Persons WHERE Username = '$username' and Password = '$password',$con)" or exit('$sql failed: '.mysql_error());

Related

Login page in php and editing

i want to create a login page, display the data from database of particular user in table form upto 4 columns and 1 row and also should be able to update the table data's and then logout. can anyone help me in this with a script. i need it to be done using php, mysql. i have tried till this, but i don't know what to do beyond this.
<html>
<form action="login.php" method="post">
Username: <input type="text" name="username"><p>
Password: <input type="password" name="password"><p>
<input type="submit" value="Log in!" >
</form>
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect to the database!");
mysql_select_db("login") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows!==0)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password']; # code...
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "You are logged in!";#
#$_SESSION['usernme'] = $username;
}
else
echo "Your password is incorrect!";
# code...
}
else
die("That user doesn't exists!");
}
else
die("Please enter a username and password!")
?>

Why not directly let MySQL check if the combination of username and password is correct?
$query = mysqli_query("SELECT * FROM users WHERE username='" . $username . "' AND password = '" . $password . "'");
Only if mysqli_num_rows($query) == 1, there is a valid login. More than 1 row should not be possible.

PHP Login using MySQL

I got 3 files which is connection.php, work.php, and login.php
I am currently working with log-in.
The name of my database is wildlife and it has a field of
wrd_username(for username) AND wrd_password(for password)
I am having a difficulty because the SQL is unable to detect the username and password.
MySQL is required for this PHP.
Please kindly help me.
connection.php
<?php
$conn = mysql_connect('localhost', 'root', '', 'wildlife');
if (!$conn)
{
die('Connect Error: ' . mysql_errno());
}
else
{
echo ("connected from connection.php");
}?>
work.php
<?php
include('login.php');
?>
<html>
<head><title>howww</title>
</head>
<body>
<form action="login.php" method="post"> <!-- Sign In Process -->
Username: <input type="text" name="user" id="emp_username"style="width:150">
<br />
Password: <input type="password" name="pass" id="emp_password"style="width:153">
<br />
<br />
<input type="submit" value="submit">
</form>
</body>
</html>
login.php
enter code here
<?php
// Try and connect to the database
include('connection.php');
$selected = mysql_select_db("wildlife",$conn)
or die("Could not select ");
//$myusername = mysql_real_escape_string($conn,$_POST['username']);
//$mypassword = mysql_real_escape_string($conn,$_POST['password']);
if(isset($_POST['user']) && isset($_POST['pass'])){
$emp_username = $_POST['emp_username'];
$emp_password = $_POST['emp_username'];
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");
if(mysql_num_rows($query) > 0 )
{
//check if there is already an entry for that username
echo "DETECTED Username AND PASS already exists!";
}
else
{
//header("location:index.php");
echo(" okay");
//header('work.php');
}
}
mysql_close();
?>
whenever I try to input the username and password it always ended up with okay from login.php

Your error seems to be assigning the wrong $_POST variable to password variable:
$emp_password = $_POST['emp_username'];
It should be something lke:
$emp_password = $_POST['emp_password'];
Also, your code is vulnerable to SQL injections. Try learning to use prepared statements.

You need to do these changes into your login.php file
<?php
// Try and connect to the database
include('connection.php');
$selected = mysql_select_db("wildlife",$conn)
or die("Could not select ");
//$myusername = mysql_real_escape_string($conn,$_POST['username']);
//$mypassword = mysql_real_escape_string($conn,$_POST['password']);
if(isset($_POST['user']) && isset($_POST['pass'])){
$emp_username = $_POST['user']; //name as of html form
$emp_password = $_POST['pass']; //name as of html form
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");
if(mysql_num_rows($query) > 0 )
{
//check if there is already an entry for that username
echo "DETECTED Username AND PASS already exists!";
}
else
{
//header("location:index.php");
echo(" okay");
//header('work.php');
}
}
mysql_close();
?>

Your $user and $pass variable are empty always.I have update the login.php page below. Use the below code
<?php
// Try and connect to the database
include('connection.php');
$selected = mysql_select_db("wildlife",$conn)
or die("Could not select ");
//$myusername = mysql_real_escape_string($conn,$_POST['username']);
//$mypassword = mysql_real_escape_string($conn,$_POST['password']);
if(isset($_POST['user']) && isset($_POST['pass'])){
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");
if(mysql_num_rows($query) > 0 )
{
//check if there is already an entry for that username
echo "DETECTED Username AND PASS already exists!";
}
else
{
//header("location:index.php");
echo(" okay");
//header('work.php');
}
}
mysql_close();
?>

I believe the problem is:
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");
Should be:
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$emp_username' and emp_password='$emp_password'");
Looks like you just had some unused variables in your query to MySQL ($user and $pass weren't really assigned to anything). Other than that, everything looks good.

In just 3 lines, it should like this :
$user = $_POST['emp_username'];
$pass = $_POST['emp_password'];
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");

In connection.php page no need to add database with mysql_connect('localhost', 'root', '','wildlife') as you use it in login.php page mysql_select_db("wildlife",$conn) and in your query just add proper variable in where condition emp_username='$emp_username' and emp_password='$emp_password'"
connection.php
<?php
$conn = mysql_connect('localhost', 'root', '');
if (!$conn)
{
die('Connect Error: ' . mysql_errno());
}
else
{
echo ("connected from connection.php");
}?>
work.php
<?php include('login.php'); ?>
<html>
<head><title>PLEASE GUMANA KA NA</title>
</head>
<body>
<form action="login.php" method="post"> <!-- Sign In Process -->
Username: <input type="text" name="user" id="emp_username"style="width:150">
<br />
Password: <input type="password" name="pass" id="emp_password"style="width:153">
<br />
<br />
<input type="submit" value="submit">
</form>
</body>
</html>
login.php
enter code here
<?php
// Try and connect to the database
include('connection.php');
$selected = mysql_select_db("wildlife",$conn)
or die("Could not select ");
if(isset($_POST['user']) && isset($_POST['pass'])){
$emp_username = $_POST['user'];
$emp_password = $_POST['pass'];
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$emp_username' and emp_password='$emp_password'");
if(mysql_num_rows($query) > 0 )
{
//check if there is already an entry for that username
echo "DETECTED Username AND PASS already exists!";
}
else
{
//header("location:index.php");
echo(" okay");
//header('work.php');
}
}
mysql_close();
?>

$emp_username = $_POST['emp_username'];
$emp_password = $_POST['emp_username'];
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");
This snippet should change to:
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = mysql_query("SELECT * FROM wrd_users WHERE emp_username='$user' and emp_password='$pass'");
Because the form has user and pass parameter, not emp_username or emp_password

Issue with logging in with mySQL and PHP

Im trying to allow users that are on the database to log in if their credentials are present, problem is, whenever I enter details into the login screen, it will always return Invalid Login Credentials, regardless of whether or not the name/password is on the database.
Here is what I'm working with:
loginSubmit.php
<?php
//begin our session
session_start();
//Check the username and password have been submitted
if(!isset( $_POST['Username'], $_POST['Password']))
{
$message = 'Please enter a valid username and password';
}
else
{
//Enter the valid data into the database
$username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
//Encrypt the password
$password = sha1($password);
//Connect to the database
$SQLusername = "root";
$SQLpassword = "";
$SQLhostname = "localhost";
$databaseName = "jfitness";
try
{
//connection to the database
$dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
//select a database to work with
$selected = mysql_select_db($databaseName, $dbhandle)
or die("Could not select database");
$query = "SELECT * FROM
customers WHERE name =
('$_POST[Username]' AND password = '$_POST[Password]')";
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);
if($count == 1)
{
$_SESSION['username'] = $username;
}
else
{
echo "Invalid Login Credentials";
}
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
echo "Hello " . $username;
}
}
catch(Exception $e)
{
$message = 'We are unable to process your request. Please try again later"';
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
</body>
</html>
Login.php
<html>
<head>
<title>Login</title>
</head>
<body>
<h2>Login Here</h2>
<form action="loginSubmit.php" method="post">
<fieldset>
<p> <label for="Username">Username</label>
<input type="text" id="Username" name="Username" value="" maxlength="20" />
</p>
<p>
<label for="Password">Password</label>
<input type="text" id="Password" name="Password" value="" maxlength="20" />
</p>
<p>
<input type="submit" value="Login" />
</p>
</fieldset>
</form>
</body>
</html>
AddUser
//Enter the valid data into the database
$username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
//Encrypt the password
$password = sha1($password);
//Connect to the database
$SQLusername = "root";
$SQLpassword = "";
$SQLhostname = "localhost";
$databaseName = "jfitness";
try
{
//connection to the database
$dbhandle = mysql_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
//select a database to work with
$selected = mysql_select_db($databaseName, $dbhandle)
or die("Could not select database");
$sql = "INSERT INTO
customers (name, password)
VALUES
('$_POST[Username]','$_POST[Password]')";
if(!mysql_query($sql, $dbhandle))
{
die('Error: ' . mysql_error());
}
//Unset the form token session variable
unset( $_SESSION['formToken'] );
echo "1 record added";
//close the connection
mysql_close($dbhandle);
}
catch (Exception $ex)
{
if($ex->getCode() == 23000)
{
$message = 'Username already exists';
}
else
{
$message = 'We are unable to process your request. Please try again later"';
}

It might be because of this, the way you have the brackets.
-Please see my notes about using prepared statements and password_hash() below.
SELECT * FROM customers
WHERE name = ('$_POST[Username]'
AND password = '$_POST[Password]')
Change it to:
SELECT * FROM customers
WHERE name = '$username'
AND password = '$password'
and for testing purposes, try removing
$password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);
that could be affecting / rejecting characters. Make sure there is no white space also.
Also changing if($count == 1) to if($count > 0)
or replacing $count = mysql_num_rows($result); if($count == 1) { with if(mysql_num_rows($result) > 0){
Your password is not being hashed
After testing your Adduser code, I noticed is that your hashed password isn't being stored as a hash.
Change ('$_POST[Username]','$_POST[Password]') in your Adduser page to ('$username','$password').
I suggest you move to mysqli with prepared statements, or PDO with prepared statements, they're much safer.
As it stands, your present code is open to SQL injection.
Here is a good site using PDO with prepared statements and password_hash().
http://daveismyname.com/login-and-registration-system-with-php-bp
See also:
CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.

Try this mate
$query = "select * from customer where name = '" .$username ."' and password = '" .$password ."'";
//use the SANITIZED data
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if($row) {
$_SESSION['name'] = $row['name'];
$_SESSION['password'] = $row['password'];
}
else { //not found
header('Location: go back.php?error=2');
}
echo "Hello " . $username;

PHP login: does not respond well

Its a simple user login. I am only trying to get the concept. Let me explain my problems with the code.
Heres my form form:
<form action = "check_login.php" action = "POST">
User:<input type="text" name="user"><br/>
Password:<input type="password" name="password"><br/>
<input type="submit" name="submit" value="Sign In">
</form>
check_login.php:
<?php
error_reporting(E_ALL);
$username = $_POST['user'];
$password = $_POST['password'];
if($username && $password) {
$host = 'localhost';
$user = 'root';
$con = mysql_connect($host, $user, '') or die("Couldn't Connect");
mysql_select_db('first_site');
$sql = "SELECT * FROM user WHERE user_name= '$username' and user_password ='$password'";
$query = mysql_query($sql, $con);
$count = mysql_num_rows($query);
echo $count;
}
else {
die "Enter username and password";
}
I have maintained a database first_site and table user. the table has 3 columns: id, user_name and user_password.
The $count variable should hold a value 1 if i enter the username and password but it happens to hold 0. I am clueless. HELP!!

The code itself is dangerous, you have not made it safe against injection'
<?php
error_reporting(E_ALL);
// Escaped For SQL Injection Prevention
$username = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['password']);
if($username && $password) {
$host = 'localhost';
$user = 'root';
$con = mysql_connect($host, $user, '') or die("Couldn't Connect");
mysql_select_db('first_site');
$sql = "SELECT user_name FROM user WHERE user_name= '$username' and user_password ='$password'";
$query = mysql_query($sql, $con);
// If Exists
if( $query ) {
$count = mysql_num_rows($query);
echo $count;
}
else {
die(mysql_error());
}
}
else {
die ("Enter username and password");
}
Also change the form to
<form action = "check_login.php" method = "POST">
User:<input type="text" name="user"><br/>
Password:<input type="password" name="password"><br/>
<input type="submit" name="submit" value="Sign In">
Try the above and it should pront our a mysql eror if there is one, it is also more secure than the origional.

The best way to solve a problem is try each bit individually. Add a few echo $foo's around, to see what the variables are during the login process.
Additionally, might want to remove the single quotes from:
$sql = "SELECT * FROM user WHERE user_name= '$username' and user_password ='$password'";

in form there is two action, you have to put following
<form action = "check_login.php" method= "POST">

PHP - login form. I keep getting "invalid login information"

I'm using phpmyadmin and my database has permission to all privileges. Textfields are named as in the php code, I don't get any errors from dreamweaver. Also when I test this in wamp localhost. I get "invalid login information"... i have created a username and password in my table "users" also added martin as user and 123456 as password... please review my code?
<?php
if (isset($_POST['username']))
{
$username = $_POST['username']; //martin
$password = md5($_POST['password']); //123456
// connect to server
$con = mysql_connect("localhost", "root", "");
if(!$con){
die('Could not connect: '. mysql_error());}
mysql_select_db("test", $con);
if(mysql_num_rows(mysql_query("SELECT * FROM users where usermame = '$username' AND
password = '$password'")))
{//Correct information
$sql = "SELECT * FROM users where username = '$username' AND password = '$password'";
$result = mysql_query($sql);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
while($row = mysql_fetch_array($result))
{
$expire = time()+60*60*24*30;//1 month
setcookie("id", $row['id'], $expire);
echo "Logged in as <b>".$row['username']."</b>";
}
}else{
//false information
echo "Invalid login information.";
}
mysql_close($con);
echo $_COOKIE['id'];
}
?>

if(mysql_num_rows(mysql_query("SELECT * FROM users where usermame = '$username' AND
password = '$password'")))
You are using 'usermame' in place of 'username' in above code.spelling mistake

Categories