-2

I am new to PHP. I am trying to log in but it always gives me the following message:

'Invalid user name or password, Try again'.

Please if anyone could help me , I would greatly appreciate it. 

<?php

$errors = array(
    1=>"Invalid user name or password, Try again",
    2=>"Please login to access this area"
);

$error_id = isset($_GET['err']) ? (int)$_GET['err'] : 0;

if ($error_id == 1) {
    echo '<p class="text-danger">'.$errors[$error_id].'</p>';
} elseif ($error_id == 2) {
    echo '<p class="text-danger">'.$errors[$error_id].'</p>';
}
?>
<h2 id="loginfont">Login Page</h2>
<br/><br/>
<fieldset style="font-family: Arial; background-color: lightblue; color: rgb(0,0,100)">
<legend style="font-variant: small-caps; font-weight:bold"> Login Form </legend>
<form name="LoginForm" method="POST" action="authenticate.php">
<label style="position: relative; line-height: 2; margin: 10px 0px"> Username: <input placeholder="Type K-number" style="position: absolute; margin-left: 20px; width: 15am; left: 80px" type="text" name="username" /> <span style="color: red">*</span> </label> <br/>
<label style="position: relative; line-height: 2; margin: 10px 0px"> Password: <input type="password" placeholder="Type Password" style="position: absolute; margin-left: 20px; width: 15am; left: 80px" type="text" name="password" /> <span style="color: red">*</span> </label> <br/>
<input type="submit" value="Login" /> <input type="reset" />
</fieldset>
</form>

Here is my authenticate.php code:

    <?php 
        require 'database.php';

        session_start();

        $username = "";
        $pass = "";

        if(isset($_POST['username'])){
            $username = $_POST['username'];
        }
        if (isset($_POST['password'])) {
            $password = $_POST['password'];

        }

        echo $username ." : ".$password;

        $q = 'SELECT * FROM username WHERE username=:username AND password=:password';

        $query = $db->prepare($q);

        $query->execute(array(':username' => $username, ':password' => $password));


        if($query->rowCount() == 0){
            header('Location: index.php?err=1');
        }else{

            $row = $query->fetch(PDO::FETCH_ASSOC);

            session_regenerate_id();
            $_SESSION['sess_user_id'] = $row['id'];
            $_SESSION['sess_username'] = $row['username'];
            $_SESSION['sess_userrole'] = $row['role'];

            echo $_SESSION['sess_userrole'];
            session_write_close();

            if( $_SESSION['sess_userrole'] == "0"){
                header('Location: adminpage.php');
            }else{
                header('Location: studentpage.php');
            }               
        }
    ?>
bcesars
  • 1,016
  • 1
  • 17
  • 36
Hollywood
  • 175
  • 1
  • 2
  • 13
  • 1
    Don't redirect, add error handling / display and see if you get any messages. – jeroen Jan 19 '15 at 18:29
  • Is your password really plan text in your db? – Sean Jan 19 '15 at 18:31
  • seems like 0 results where found. are you getting any error messages? what happens when you enter query directly into mysql? – bart2puck Jan 19 '15 at 18:32
  • why do you have your `
    ` before `
    `?
     – Sean Jan 19 '15 at 18:33
  • [`PDOStatement::rowCount() returns the number of rows affected by the last DELETE, INSERT, or UPDATE statement executed by the corresponding PDOStatement object. If the last SQL statement executed by the associated PDOStatement was a SELECT statement, some databases may return the number of rows returned by that statement. However, this behaviour is not guaranteed for all databases and should not be relied on for portable applications.`](http://php.net/manual/en/pdostatement.rowcount.php) see also http://stackoverflow.com/questions/19109774/pdorowcount-vs-count – Sean Jan 19 '15 at 18:38
  • even if i dont redirect i still get the same message – Hollywood Jan 19 '15 at 18:39
  • @bart2puck no i am not getting any error messages, basically it doesn't do much other then printing out the above message 'Invalid user name or password, Try again'. – Hollywood Jan 19 '15 at 18:47
  • well, this is returning true $query->rowCount() == 0 so....is password plain text, are you forgetting to convert to some hash? does this u/p actually exist in db? – bart2puck Jan 19 '15 at 19:16

1 Answers1

-3

Try replacing query line with this:

$q = "SELECT * FROM username WHERE username='$username' AND password='$password'";

The problem might be because you're missing the single quotes around the username and password. It looks like the actual query you're generating looks like this at the moment, so it doesn't know what jsmith and hello123 are:

SELECT * FROM username WHERE username=jsmith AND password=hello123;
user3842536
  • 346
  • 1
  • 3
  • 15
  • 5
    That's a *terrible* answer. He was using a prepared statement, and you've introduced an SQL injection attack! – Paul Dixon Jan 19 '15 at 19:03
  • Well, then use mysql_real_escape_string($q); after that. – user3842536 Jan 19 '15 at 19:05
  • 2
    If that worked, then the issue may just be you need spaces between the `=:` -> `$q = 'SELECT * FROM username WHERE username = :username AND password = :password';` Do not use `... username='$username' AND password='$password'"` that was suggested in this answer, as that opens you to sql injection, that was avoided when you used prepared statement/parameters. – Sean Jan 19 '15 at 19:08
  • @user3842536 you don't use `mysql_real_escape_string()` with `PDO`. you are suggestion to use the deprecated `mysql_*` functions, where the OP is using `PDO`. – Sean Jan 19 '15 at 19:09