I made a login page for my website. The connection to the database is fine, and I am typing in to the login form the correct values that are in the database. I have a md5 on the password in both the database and the code. Yet, when I check to see if any rows come back, there are none. I would just like another set of eyes to look over what is probably a stupid mistake.
<?php
$email = $_POST['email'];
$password = $_POST['password'];
$password = md5($password);
$query = "SELECT * FROM users WHERE password = '$password' AND email='$email' AND activated='1'";
$queryrun = mysql_query($query);
while($row = mysql_fetch_assoc($queryrun)) {
$fname = $row['firstname'];
echo $fname;
}
$logincheck = mysql_num_rows($queryrun);
if ($logincheck > 0) {
echo 'good, you are in our database';
} else {
echo 'sorry, you are not in our database';
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
Login <br />
<form action="login.php" method="POST">
Email: <input type="text" name="email" />
Password: <input type="password" name="password" />
<input type="submit" value="Log in" />
</form>
</body>
</html>
Related
I am trying to Log in a webPage using MySql, however, for some reason, I can't query from the database
I keep getting the error "failure"
Here is my code php:
<?PHP
include_once("connection.php");
if (isset($_POST['txtUsername']) && isset($_POST['txtPassword'])) {
$username = $_POST['txtUsername'];
$password = $_POST['txtPassword'];
$query = "SELECT username, password FROM tbl_client ".
" WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $query);
if ($result->num_rows > 0) {
echo "success";
}
echo "failure ";
}
?>
The html Code is:
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login Example <a <br />
<form action="<?PHP $_PHP_SELF ?>" method="post">
Username <input type="text" name="txtUsername" value="" /><br />
Password <input type="password" name="txtPassword" value="" /><br />
<input type="submit" name="btnSubmit" value="Login" />
</form>
</body>
</html>
My database is:
Database
Databas
My values are: username: test and password: test
But keep getting this error:
HTML
If you are sure your $username and $password are present in database, then you probably want to return right after you figured out that user provided wrong credentials. Something like that:
$result = mysqli_query($conn, $query);
if ($result->num_rows == 0) {
echo "failure";
return;
}
echo "success";
/**
* keep doing stuff for logged user
*/
NEVER store passwords in plain text AND use placeholders and escaping for sending user data to database. Google SQL injections and take a look on real_escape_string
I have been making/learning some PHP, and I successfully made a login form. When I have tried to replicate this, it doesn't work at all.
--MY HTML--
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<form method="post" action="login.php">
<input type="text" name="usrname" placeholder=" Username">
<br />
<br />
<input type="password" name="passwd" placeholder=" Password">
<br />
<br />
<input type="password" name="pin" placeholder=" PIN #">
<br />
<br />
<input type="submit" value="Login">
</form>
</body>
</html>
--LOGIN.PHP--
<?php
session_start();
include('php/db.php');
$usrname = $_POST['usrname'];
$passwd = $_POST['passwd'];
$pin = $_POST['pin'];
$sql = "SELECT * FROM users WHERE usrname = 'usrname'";
$query = mysql_query($sql);
$row = mysql_fetch_array($query);
$usrnameFromDB = $row['usrname'];
$passwdFromDB = $row['passwd'];
$pinFromDB = $row['pin'];
if($usrnameFromDB == $usrname && $passwdFromDB == $passwd && $pinFromDB == $pin) {
echo "Correct";
} else {
echo "noooooo";
}
?>
<!DOCTYPE html>
<html>
<head>
<title>trhhytrh</title>
</head>
<body>
</body>
</html>
P.S. When comparing the codes, there is no major difference apart from the names. Also, the code provided is the one that isn't working. Thanks in advance! :)
As I stated in comments:
WHERE usrname = 'usrname'"; it should read as WHERE usrname = '$usrname'";
You're presently looking/querying for the string literal of "usrname" in your database, rather than the POST array's variable.
Heed the warnings about SQL injection. You should use a prepared statement and a safe password hashing function when your site does go live, such as password_hash().
You should not put that much trust in people.
References:
http://php.net/manual/en/function.password-hash.php
https://en.wikipedia.org/wiki/Prepared_statement
https://en.wikipedia.org/wiki/SQL_injection
Try this:
Change this in html
<input type="submit" name="submit" value="Login">
Then in php
<?php
session_start();
include('php/db.php');
if(isset $_POST['submit']){
$usrname = $_POST['usrname'];
$passwd = $_POST['passwd'];
$pin = $_POST['pin'];
$sql = "SELECT * FROM users WHERE usrname = '$usrname'";
$query = mysql_query($sql);
$row = mysql_fetch_array($query);
$usrnameFromDB = $row['usrname'];
$passwdFromDB = $row['passwd'];
$pinFromDB = $row['pin'];
if($usrnameFromDB == $usrname && $passwdFromDB == $passwd && $pinFromDB == $pin) {
echo "Correct";
} else {
echo "noooooo";
}
}//End of if
else
{
echo "Form is not submitted";
}
?>
You have not submitted the form. PS you have commited a mistake in your query. You were not using variable there
I have my Oral defense at school next week.. and I tried searching for answers.. none was working so I figured out to ask here right away..
So okay.. my page is here and I connected my php page to my database (godaddy) and its working.. in registration.php, you can add employee and its being added to my database "table" but when I try login.php it said.. "Incorrect password" but the password is correct in my database..
its like.. my php can be connected to database
but my database doesn't want to connect to my php page..
what's wrong with my code? Can you help me? please?
<?php
require('db.php');
session_start();
if (isset($_POST['username'])){
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$username = mysql_real_escape_string($username);
$password = stripslashes($password);
$password = mysql_real_escape_string($password);
$query = "SELECT * FROM 'users' WHERE username='$username' and password='".md5($password)."'";
$result = mysql_query($query) or die(mysql_error());
$rows = mysql_num_rows($result);
if($rows==1){
$_SESSION['username'] = $username;
header("Location: home.php");
} else {
echo "<div class='form'><h3>Username/password is incorrect.</h3><br/><div>";
}
}else{
?>
<div class="form">
<h1>Log In</h1>
<form action="" method="post" name="login">
<input type="text" name="username" placeholder="Username" required />
<input type="password" name="password" placeholder="Password" required />
<input name="submit" type="submit" value="Login" />
</form>
</div>
<?php } ?>
This question already has answers here:
How to fix "Headers already sent" error in PHP
(11 answers)
Closed 7 years ago.
My header location doesn't works, in my wampserver it works, when I put it in my server, it doesn't, any Ideas?
If I put a echo instead of the header, it works fine.
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link rel="stylesheet" href="css/login.css" />
</head>
<body>
<?php
require('db.php');
session_start();
// If form submitted, insert values into the database.
if (isset($_POST['username'])){
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$username = mysqli_real_escape_string($connection, $username);
$password = stripslashes($password);
$password = mysqli_real_escape_string($connection, $password);
$query = "SELECT * FROM `users` WHERE username='$username' and password='$password'";
$result = mysqli_query($connection, $query) or die(mysql_error());
$rows = mysqli_num_rows( $result);
if($rows==1){
$_SESSION['username'] = $username;
header("Location: welkom.php");
}else{
echo "<div id='cancel'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='index.php'>try again</a></div>";
}
}else{
?>
<div id="login">
<div id="triangle"></div>
<h1>Log in</h1>
<form action="" method="POST" name="login">
<input type="text" name="username" placeholder="Username" required />
<input type="password" name="password" placeholder="Password" required />
<input name="submit" type="submit" value="login" />
</form>
</div>
<?php } ?>
</body>
</html>
If anything, make sure there is no output whatsoever before or after the location header and put a die() after it.... Your sessions_start() should also not work, because you already have output before the statement...
So your session start and your location header should preceed the HTML.
Take a look at what I changed:
<?php
require('db.php');
session_start();
// If form submitted, insert values into the database.
if (isset($_POST['username'])){
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$username = mysqli_real_escape_string($connection, $username);
$password = stripslashes($password);
$password = mysqli_real_escape_string($connection, $password);
$query = "SELECT * FROM `users` WHERE username='$username' and password='$password'";
$result = mysqli_query($connection, $query) or die(mysql_error());
$rows = mysqli_num_rows( $result);
if($rows==1){
$_SESSION['username'] = $username;
header("Location: welkom.php");
die();
}
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link rel="stylesheet" href="css/login.css" />
</head>
<body>
<?php
if($rows!=1){
echo "<div id='cancel'><h3>Username/password is incorrect.</h3><br />Click here to <a href='index.php'>try again</a></div>";
}else{
?>
<div id="login">
<div id="triangle"></div>
<h1>Log in</h1>
<form action="" method="POST" name="login">
<input type="text" name="username" placeholder="Username" required />
<input type="password" name="password" placeholder="Password" required />
<input name="submit" type="submit" value="login" />
</form>
</div>
<?php } ?>
</body>
</html>
You can't use header("Location: welkom.php"); where you are because headers have already been sent.
Either load all of the HTML in the page before that into a variable and then echo it once your code has come to that condition, or turn on Output Buffering.
Alternatively, re-order your code to check this condition and redirect before you send anything to the browser.
Remove this :
header("Location: welkom.php");
And try this :
echo '<script>window.location.href = "welkom.php";</script>' ;
Use full url in header location from i.e. header("Location: httP://yoursite.com/welkom.php");
that will work.
Here is the code for my entire index page, which includes a register and a login. For some reason, the register part works fine, and it is inserting correctly. Yet, the login part is not working, as whenever I call the $queryrun(mysql_query($query)) on the SELECT * FROM, it does not work.
<?php
require('includes/dbconnect.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$password = md5($password);
$logemail = $_POST['logemail'];
$logpassword = $_POST['logpassword'];
$logpassword = md5($logpassword);
// Register Script
if (isset($firstname) && !empty($firstname) && !empty($lastname) && !empty($email) && !empty($password)) {
$query = "INSERT INTO users VALUES('', '$firstname', '$lastname', '$email', '', 'm', '9', '$password', 'bio'";
$queryrun = mysql_query($query);
} else {
echo 'Please fill out all of the form fields';
}
// Login Script
if (!empty($logemail) && !empty($logpassword)){
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
$queryrun = mysql_query($query);
while ($row = mysql_fetch_assoc($queryrun)) {
$logemail = $row['logemail'];
}
echo $logemail;
$numrows = mysql_num_rows($query);
if ($numrows > 0){
echo 'User exists';
} else {
echo 'User does not exist';
}
} else {
}
?>
<html>
<head>
<title></title>
</head>
<body>
<form action="index.php" method="POST">
Firstname: <input type="text" name="firstname" /><br />
Lastname: <input type="text" name="lastname" /><Br />
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Submit" />
</form>
<br /><hr />
<br />
Login:<br />
<form action="index.php" method="POST">
Email:<input type="text" name="logemail" /><br />
Password: <input type="password" name="logpassword" /><br />
<input type="submit" value="Log in" /><br />
</form>
</body>
</html>
The connection to the database is fine because the register part code works, it's just the login code is returning nothing and saying that the user does note exist, when the user actually does exist
Your form field is $logemail while your mysql statement uses $email.
To get this working looks like you want:
$query = "SELECT * FROM users WHERE email = '$logemail' AND password = '$logpassword'";
But as John Conde mentions there are significant security issues.
What version of PHP are you using? This extension is deprecated as of PHP 5.5.0, you really should be using mysqli or PDO.
also
if (!empty($logemail) && !empty($logpassword)){
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
you are checking for $logemail and $logpassword but putting $email and $password in the query string... also use {} in your strings for php variables. it helps keep string concatenation from getting confusing and you can use associated arrays in the string
echo "This is my string and this is the number {$number}. this is the value in my array: {$arrayvar["something"]}.";