I am trying to get the PHP/MySQL to work so that it will take the username and password from a form and check if they are in the MySQL table. If they are in the table it should log you in and send you to the index.php page (I changed the user/pass/database).

The form on the login page:

    <form action="db_connect.php" method="post">
    <input type="text" name="username" placeholder="Username" />
    <input type="password" name="password" placeholder="Password" />
    <input type="submit" value="Login" class="customButton" />
    </form>

The db_connect.php:

    <?php 
    $username = $_POST['username'];
    $password = $_POST['password'];
    $con = new mysqli_connect("localhost","user","password","database");
    $query = mysqli_query($con,"SELECT * FROM members WHERE username='".$username."' AND password='".$password."'");
    if (mysqli_num_rows($query) != 0){
        $_SESSION['logged_in'] = true;
        header('Location: index.php');
    }else{
        echo "Access denied";
    }
    ?>
aynber
  • Try `if (mysqli_num_rows($query) > 0){` – Funk Forty Niner May 26 '14 at 23:09
  • Plus, you also have a missing closing `</form>` tag, so that could be part of the problem. You're storing passwords in plain text, which is not recommended. Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` during development. – Funk Forty Niner May 26 '14 at 23:10
  • Are you getting errors? – DavidG May 26 '14 at 23:11
  • it also helps to provide the error you are receiving in your question – AssemblyX May 26 '14 at 23:11
  • Well to begin with, it seems that you are not even checking for password... – Mikk May 26 '14 at 23:14
  • Is the `new` keyword necessary with `mysqli_connect()`? – Alon Eitan May 26 '14 at 23:14
  • @Alon No it's not needed – DavidG May 26 '14 at 23:16
  • @Mikk Yes he is, there is a password in the connection function – DavidG May 26 '14 at 23:17
  • Thanks for all the replies. I accidentally cropped out the closing form tag but it's there. I tried changing it to `if (mysqli_num_rows($query) > 0){` and it did the same thing. Currently I am not getting any errors... just a blank white screen. –  May 26 '14 at 23:22
  • @DavidG I meant this line: $password = $_POST['password']; This variable is not used, so script is currently logging in any user regardless of password. – Mikk May 26 '14 at 23:22
  • Sidenote: Since you're using sessions `$_SESSION['logged_in']` - `session_start();` isn't shown in your code. Therefore, session will never be `true`. – Funk Forty Niner May 26 '14 at 23:24
  • You must escape your input variables to save from mysql injection using mysqli_real_escape_string – Riq May 26 '14 at 23:25
  • `session_start();` is included at the top of the form file as well as some checks to see if you are already logged in. The form page seems to be working fine... it's the mysql in the db_connect.php page that I believe is broken –  May 26 '14 at 23:27
  • *"`session_start();` is included at the top of the form file"* --- 9 times out of 10 it always is; it's just never shown. (I asked and it bit me, again). – Funk Forty Niner May 26 '14 at 23:29

3 Answers

My thoughts:

Your query can be

    $query = mysqli_query($con,"SELECT * FROM members WHERE username = '$username'");

to avoid ' ' mistakes.

Use session_start() before managing sessions

Also, try typing this query on your Database Tool (eg. Phpmyadmin, HeidiSQL etc..) and see if any results come out.

If it does you can try using PDO objects for creating connection with the database.

Do you get "Access denied" when submitting the form or PHP dump log?

Funk Forty Niner
Frederico
  • No I am not getting the "Access denied" message or any sort of feedback at all. After submitting the form and being directed to the db_connect page it just turns blank and nothing happens. –  May 26 '14 at 23:34
  • Also, I tried typing the query into mysql (SELECT * FROM members WHERE username="" AND password="";) and it came up with the right row. –  May 26 '14 at 23:35
  • Use or die("error message") after the mysqli_connect object. So we can see if it's the connection – Frederico May 26 '14 at 23:46

This code should work for you.

Login page:

    <form action="db_connect.php" method="POST">
    <input type="text" name="username" placeholder="Username" />
    <input type="password" name="password" placeholder="Password" />
    <input type="submit" value="Login" class="customButton" />
    </form>

In the PHP file, we are starting a new session initially & then reporting all the errors if generated. Then we are escaping the input strings to avoid injection. Then we are checking whether the username & password sent via $_POST are set or not. Then checking the input values with our database and finally redirecting the user to his personalized index.php.

db_connect.php

    <?php
    session_start();
    error_reporting(E_ALL); ini_set('display_errors', 1);
    $con = mysqli_connect("localhost","user","password","database");

    // Test the raw POST fields: the escaped copies are always set
    if (isset($_POST['username']) && isset($_POST['password'])) {
        $username = mysqli_real_escape_string($con, $_POST['username']);
        $password = mysqli_real_escape_string($con, $_POST['password']);

        $query = mysqli_query($con,"SELECT * FROM members WHERE username='".$username."' AND password='".$password."'");
        if (mysqli_num_rows($query) > 0) {
            // Was $user, which is never defined in this script
            $_SESSION['logged_in'] = $username;
            header("location: index.php");
            exit; // stop the script once the redirect is sent
        } else {
            echo "Access denied";
        }
    } else {
        header("location: login.php");
        exit;
    }
    ?>
Riq
  • Now it is showing an error: "Fatal error: Call to undefined function mysqli_real_escape_string()" –  May 26 '14 at 23:52
  • @user3677859 Ohhh Sorry!!! Check my updated answer. Let me know if you can get the solution or not – Riq May 26 '14 at 23:54
  • Now it says:"Fatal error: Class 'mysqli_connect' not found in /var/www/html/db_connect.php on line 4" –  May 26 '14 at 23:57
  • @user3677859 Try $con = mysqli_connect("localhost", "your_db_username", "your_db_password", "your_db"); Remove new because new is Object oriented Style usage. – Riq May 27 '14 at 00:03
  • Thank you for helping... It is still giving the same error. PHP doesn't seem to want to work with mysql. As soon as it reaches a mysql function it gives an error. –  May 27 '14 at 00:07
  • @user3677859 You need to install MySQLi. See this http://stackoverflow.com/questions/666811/fatal-error-class-mysqli-not-found – Riq May 27 '14 at 00:12
  • That was the problem. After searching for a while I found out that I needed to install "php-mysql". I restarted apache and mysql and now it is working! Thank you! –  May 27 '14 at 00:42

Step #1

Turn on error reporting to assist with the debugging of this issue.

    <?php
    // Show every PHP error and make mysqli throw on failure (development only)
    error_reporting(E_ALL);
    ini_set('display_errors', 1);
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    ?>

Step #2

Sanitize any AND all user input. Since you are using mysqli(), you'd be using something like mysqli_real_escape_string().

Now there is one clear mistake straight off the bat, as Fred -ii- stated; since you are dealing with sessions, you'd need to instantiate it first.

An example of that would be putting something like this for your login script.

    <?php
        session_start();
    ?>

Now the second error is that you're treating/trying to instantiate mysqli_connect() as a class, which it is not. Your login code should look something like this:

    <?php

    session_start();

    // mysqli_connect_error() reports a failed connection; mysqli_error() needs a valid link
    $con = mysqli_connect("localhost", "user", "password", "database") or die(mysqli_connect_error());

    // Test the raw POST fields before using them
    if (isset($_POST['username']) && isset($_POST['password'])) {
        $username = mysqli_real_escape_string($con, $_POST['username']);
        $password = mysqli_real_escape_string($con, $_POST['password']);

        $query = mysqli_query($con, "SELECT * FROM members WHERE username='" . $username . "' AND password='" . $password . "'");
        if (mysqli_num_rows($query) > 0) {
            $_SESSION['logged_in'] = true;
            header("location: index.php");
            exit; // stop the script once the redirect is sent
        } else {
            echo "Access denied";
        }
    }
    ?>

Needless to say that your index.php will need session_start() at the top of it to ensure you can check $_SESSION['logged_in'] like:

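    <?php
    session_start();
    // empty() avoids an undefined-index notice when nobody is logged in
    if (empty($_SESSION['logged_in'])) {
        // Send visitors who are not logged in back to the login page
        header('Location: login.php');
        exit;
    }
    ?>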
Community
Darren
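
The comments on the question point out two problems that the answers leave in place: passwords stored in plain text and a query built by string concatenation. The following is an added example, not code from the question or from any answer, showing the same login check with a bound parameter and `password_hash()`/`password_verify()`. It assumes PDO with an in-memory SQLite database and a constructed `members` row so that it runs from the command line without a MySQL server; `check_login` and the `password_hash` column are hypothetical names.

```php
<?php
// Added example: constructed data; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration side: store only a salted hash, never the password itself.
$insert = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns true only when the user exists and the
 * submitted password matches the stored hash.
 */
function check_login(PDO $pdo, $username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false; // a field submitted as username[]=x arrives as an array
    }
    // Bound parameter: the value is sent as data and never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user
    // Look the user up by name only, then verify the hash in PHP.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed form submissions, as db_connect.php would receive them in $_POST.
$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // bad password
    ["alice' -- ", 'anything'],   // quote characters in the username
    ['nobody', 'correct horse'],  // unknown user
];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($pdo, $user, $pass);
    printf("%-14s %s\n", json_encode($user), $ok ? 'logged in' : 'Access denied');
}
// In the real handler, on success:
//   session_start(); session_regenerate_id(true);
//   $_SESSION['logged_in'] = true; header('Location: index.php'); exit;
```

With MySQL, only the DSN passed to `new PDO(...)` changes; the prepared statement and the hash check stay the same.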