2

So I have a Login and a Create account form. The create account system works perfectly, sending all the information to mySQL database.

Now, I have written a 'login_user.php' script, which connects to the database, fetches the values of a registered user, and outputs the correct message according to correct or incorrect user input. It looks like the operation runs through the whole code and outputs the last message 'Invalid username or password' every single time, even when there is no input, or wrong username/passwords entered. Below I will provide all of my login form php code. Can you spot any mistakes? Please let me know if you would like a reference to a specific part of the html code.

<?php

$username = $_POST['username'];
$password = $_POST['password'];

if ($username && $password) {

    $con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
    $db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());

    $query = mysql_query("SELECT * FROM Client_Information WHERE username='$username'");
    $numrows = mysql_num_rows($query);

    if($numrows != 0){

        while($row = mysql_fetch_assoc($query)){

            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        if($username==$dbusername){
            if($password==$dbpassword){

                echo "You are logged in.";

            }else{
                echo "Invalid password.";
            }

        }else{
            echo "Invalid username.";
        }

    }else{
        echo "This name does not exist.";
    }

}else{
    echo "Invalid username or password.";
}

?>

HTML CODE:

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="chrome=1,IE=edge" />
    <title>LOGIN</title>
    <link href='http://fonts.googleapis.com/css?family=Montserrat:400,700' rel='stylesheet' type='text/css'>
</head>
<body>
    <div class="logo"></div>
    <div class="login-block">
        <h1>Log In</h1>
        <form action="login_check.php" method="post">
            <input type="text" value="" placeholder="Username" id="username" name="username" />
            <input type="password" value="" placeholder="Password" id="password" name="password" />
            <button>Log In</button>
            <a href="url">Sign Up for New Account?</a>
        </form>
    </div>
    </div>
</body>
</html>
Filip Grebowski
  • 391
  • 5
  • 22
  • 1
    Can you include your HTML code? – BryanLavinParmenter Dec 16 '15 at 22:42
  • 4
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 16 '15 at 22:43
  • 5
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Dec 16 '15 at 22:43
  • 3
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Dec 16 '15 at 22:43
  • Prevent warnings directly accessing post variables: http://stackoverflow.com/questions/3901709/avoid-using-isset-in-php-when-accessing-post-get-and-other-variables – Sam Segers Dec 16 '15 at 22:45
  • Have you tried removing the empty value attributes? Even if it doesn't fix the problem, they are completely unnecessary – DJC Dec 16 '15 at 23:23

1 Answers1

0

When using $_POST for PHP, you have to reference the input's name attribute, not its id attribute.

<input type="text" value="" placeholder="Username" id="name" name="name" />
<input type="password" value="" placeholder="Password" id="password" name="password" />
BryanLavinParmenter
  • 416
  • 1
  • 8
  • 20
  • Yes, you are correct, I have missed that out! Unfortunately, it doesn't fix the problem.. :/ – Filip Grebowski Dec 16 '15 at 22:53
  • You gave your `input type='text'` input a name of `username` in the HTML, but in your PHP, you're checking `$_POST['name']`. They need to match. Either change the name of the input field to `name` or change the PHP variable to `$_POST['username']`. – BryanLavinParmenter Dec 16 '15 at 22:56
  • Right, I see. So I changed all of that now, tested the code and now if I do click 'Log In', it says that the request URL was not found on this server. I also tried opening the `login_check.php` and it looks like the code just prints "Invalid username or password.". I'm struggling to see what could be wrong. – Filip Grebowski Dec 16 '15 at 23:09
  • Check the URL that you go to when you submit the form and check your file directory to make sure that they match up. And it makes since that `login_check.php` will return that when you access it manually, since there is no information in either `$username` or `$password`. – BryanLavinParmenter Dec 16 '15 at 23:13