0

I have the following code:

session_start ();
include 'core/init.php';

$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
    $username = $_POST['Email'];
    $password = md5($_POST['Password']);

    $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");

    $numrow = mysql_num_rows ($query);
    // user login
    if ($numrow!=0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['Email'];
            $dbpassword = $row['Password'];
        }

        //Check to see if they match
        if ($username==$dbusername&&$password==$dbpassword)
        {
            $_SESSION ['Email']=$username;
            header('Location: member.php?username='.$username);
        }
    }
    else 
    {
        // admin login
        $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
        $numrow2 = mysql_num_rows ($query2);
        if ($numrow2!=0)
        {
            while ($row = mysql_fetch_assoc($query2))
            {
                $dbusername = $row['Email'];
                $dbpassword = $row['Password'];
            }

            //Check to see if they match
            if ($username==$dbusername&&$password==$dbpassword)
            {
                $_SESSION ['Email']=$username;
                header("Location: admin.php");
            }else{
                if (empty ($username) === true|| empty($password) === true) {
                    echo "Please enter a username and password";
                } else if ($username!=$dbusername){
                    echo "That user does not exist! Have you registered?";
                } else if ($username==$dbusername&&$password!=$dbpassword) {
                    echo "Incorrect password";
                }
            }
        }
    }
}

But if a user logs in incorrectly, none of the error messages are displaying, just a blank page. I think it's my curly brackets, but no matter how many times I change them I either make it worse or nothing at all. Can anyone tell me what I'm doing wrong?

jonhopkins
Lairds

3 Answers

2

Check out:

if (empty ($username) === true|| empty($password) === true) {
    echo "Please enter a username and password";
} else if ($username!=$dbusername){
    echo "That user does not exist! Have you registered?";
} else if ($username==$dbusername&&$password!=$dbpassword) {
    echo "Incorrect password";
}

This section, which includes the login errors, is found in the "admin login" section; therefore no error is seen when a non-admin user login fails.

0

$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");

if (mysql_num_rows($query) == 0) {
    echo 'You have entered wrong username/password';
} else {
    // you can continue with your query below.
}

0

Your select statement is already ensuring that the provided username and password match what is in the database. There is no need to do a second comparison in PHP. Your code could just be the following:

if (isset($_POST['Email']) && isset($_POST['Password']))
{
    $username = $_POST['Email'];
    $password = md5($_POST['Password']);

    $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");

    if(mysql_num_rows($query) == 1)
    {
        $_SESSION['Email'] = $username;
        header('location: member.php?username='.$username);
    }
    else 
    {
        // try admin login
        $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
        if(mysql_num_rows($query2) == 1)
        {
            $_SESSION['Email'] = $username;
            header("location: admin.php");
        }
        else
        {
            echo "Failed Login Attempt";
        }
    }
}

Since your query only returns records where the username and password match, there is NO way you will ever get a result back where the username matches but the password doesn't, so the conditional check you do near the end of your admin login will NEVER occur.

As a side-note, it would be bad form to inform the user that the username was correct but the password wasn't, or vice versa. This is a security issue and could make it easier for a malicious user to more easily gain access. This is beside the point though, so please only take this suggestion as personal advice and not directed at your question.
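
The side-note in the last answer, as an added example that is not part of the original question or answers: a login check that gives the same reply for an unknown e-mail and a wrong password, using bound parameters and `password_hash()`/`password_verify()` in place of string-built SQL and `md5()`. The `member`/`admin` tables and `Email`/`Password` columns are from the question; the `authenticate()` helper, the in-memory SQLite database and the sample account are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the question or answers.
// Tables member/admin and columns Email/Password come from the question;
// authenticate(), the in-memory SQLite database and the sample account are
// constructed so the script runs offline (needs the pdo_sqlite extension).

function authenticate(PDO $db, string $email, string $password): ?string
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $checkedRealHash = false;
    foreach (['member', 'admin'] as $table) {   // fixed list, never user input
        // Bound parameter: the submitted e-mail is data, not part of the SQL text.
        $stmt = $db->prepare("SELECT Password FROM $table WHERE Email = :email");
        $stmt->execute([':email' => $email]);
        $hash = $stmt->fetchColumn();
        if ($hash !== false) {
            $checkedRealHash = true;
            if (password_verify($password, $hash)) {
                return $table;                  // 'member' or 'admin'
            }
        }
    }
    if (!$checkedRealHash) {
        // Unknown e-mail: still verify one hash so both failures cost about the same.
        password_verify($password, $dummyHash);
    }
    return null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (['member', 'admin'] as $table) {
    $db->exec("CREATE TABLE $table (Email TEXT PRIMARY KEY, Password TEXT NOT NULL)");
}
$insert = $db->prepare('INSERT INTO member (Email, Password) VALUES (?, ?)');
$insert->execute(["o'brien@example.com", password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ["o'brien@example.com", 'correct horse'],  // valid login; quote in address is harmless
    ["o'brien@example.com", 'wrong'],          // known e-mail, wrong password
    ['nobody@example.com', 'wrong'],           // unknown e-mail
];
foreach ($attempts as [$email, $password]) {
    $role = authenticate($db, $email, $password);
    // Both failure cases print the same text, so the reply reveals nothing about the e-mail.
    echo $email, ' => ', $role ?? 'Failed Login Attempt', PHP_EOL;
}
```

In the question's flow, a non-null result is the point where `session_regenerate_id(true)`, the `$_SESSION['Email']` assignment and the redirect followed by `exit` would go.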