Trouble with PHP form submission

Question

I am trying to create a form using HTML, PHP and MYSQL. I have most of the code worked out but whenever I send a POST to my database to check if the username / password is in the DATABASE it sends me to a blank page. I am not entirely sure why. Any suggestions?

</head>    
<body>
<section id="loginBox">
<h2>Login</h2>
    <form method="post" class="minimal" action="connect.php">
        <label for="username">
            Username:
            <input type="text" name="username" id="username" 
       placeholder="Username must be between 8 and 20 characters" required="required" />
    </label>
    <label for="password">
        Password:
        <input type="password" name="password" id="password" required="required" />
    </label>
    <input type="submit" class="btn-minimal" value="Log-in">Sign in</input>
</form>
</section>
 </body> 
</html>

Then here is the php code I think something is going wrong in my SignIn method

<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'secure_login');
define('DB_USER', 'blahblah');
define('DB_PASSWORD', 'blah');

$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) 
  or die("Failed to connect to MySQL: " . mysql_error()); 

$db=mysql_select_db(DB_NAME,$con) or die("Failed 
to connect to MySQL: " . mysql_error());

/* $ID = $_POST['user']; 
   $Password = $_POST['pass']; 
*/

    function SignIn(){
        session_start();

       if(!empty($_POST['user'])){
         $query = mysql_query("SELECT * FROM UserName where = '$_POST[user]'
          AND pass =  '$_POST[pass]'") or die(mysql_error());

        $row = mysql_fetch_array($query) or die(mysql_error());
        if(!empty($row['userName']) AND !empty($row['pass'])){
            $_SESSION['userName'] = $row['pass'];
            header("Location: index.html");
            echo "Sucessfuly login";
        }
        else{
            echo "sorry failed";
        }
     }
  }

if(isset($_POST['submit'])){
  SignIn();
}

?>

Just a quick note I want to make before I finish reading this: you should really note store the mysql password as a constant. — Jhecht, Aug 11 '14 at 03:02
Because SQL Injection can happen, and if it does a simple loop can make it so that they display any constants or variables. SEt it into a variable, once the connection is done, unset it. — Jhecht, Aug 11 '14 at 03:07
You are checking `if(isset($_POST['submit'])){` but your submit button - `Sign in` - does not have a name attribute `name="submit"` and is invalid sytax (does not take closing tag ``. So you never enter your if. Try using `` — Sean, Aug 11 '14 at 03:24
Your query also has sytnax error -> `"SELECT * FROM UserName where = '$_POST[user]' AND pass = '$_POST[pass]'"`. You are missing your `userName` column name -> `"SELECT * FROM UserName WHERE userName = '$_POST[user]' AND pass = '$_POST[pass]'"` — Sean, Aug 11 '14 at 03:49
the problem is with this line $row = mysql_fetch_array($sql) or die(mysql_error()); — user3404290, Aug 11 '14 at 04:10
Where did `$sql` -> `... mysql_fetch_array($sql) ...` come from? you have `$query = mysql_query("SELECT ...`. so it should be `$row = mysql_fetch_array($query) or die(mysql_error());` — Sean, Aug 11 '14 at 04:15
If you are still having issues you should update your question with your changes and what is still not working. It is difficult to debug from some random, incomplete comments — Sean, Aug 11 '14 at 04:21

score 0 · Answer 1 · answered Aug 11 '14 at 03:17

0

There are some fundamental issues with the way you have done this. But, it is what it is as they say. The blank page means that something failed, but it was not outputted to the browser.

Even though you have or die(mysql_error() you may not be seeing it because error reporting is not enabled. Add error_reporting(E_ALL); to the top of your PHP script and it should reveal where the issue is.

answered Aug 11 '14 at 03:17

EternalHour

8,308
6
38
57

I added that to the top of my php script and no errors where reported – user3404290 Aug 11 '14 at 03:22
Comment this out `/*header("Location: index.html");*/` so you are staying on the same page. – EternalHour Aug 11 '14 at 03:24
No I dont have any other scripts running. It just redirects me to an empty page. – user3404290 Aug 11 '14 at 03:27
Also, you will never see this `echo "Sucessfuly login";` because you are redirecting just before it. – EternalHour Aug 11 '14 at 03:30
Yeah I saw that I was just trying to see if I could even redirect the page – user3404290 Aug 11 '14 at 03:31

score -1 · Answer 2 · answered Aug 11 '14 at 03:06

-1

Your problem is more than likely here:

 $query = mysql_query("SELECT * FROM UserName where = '$_POST[user]'
          AND pass =  '$_POST[pass]'") or die(mysql_error());

It should read:

$sql = "SELECT * FROM users_table WHERE UserName = \"".$_POST['user']."\" AND pass = \"".$_POST['pass']."\"";

Your passwords shouldn't be stored as plain text; you need to hash them in some form. That's a suggestion, but a strong, strong suggestion. You should aslo be more careful than either of us in this example to make sure that SQL Injection isn't a problem by checking magic quotes etc.

answered Aug 11 '14 at 03:06

Jhecht

4,407
1
26
44

hmm I tried fixing that line I am still getting the same problem. I am aware the of SQL injection problems that can arise. I am just trying to get the basics down first. I am running this on an apache server I thought mod security would take care of some of this for me? – user3404290 Aug 11 '14 at 03:15
You can never be too sure. At the top of your page, just to make sure we're seeing any errors, put `error_reporting(E_ALL);` – Jhecht Aug 11 '14 at 03:16
Then, as the other answer says, it's one of your die() statements. It's not outputting an error. If you have phpmyadmin, login to it and try the query with real values that you type in to make sure the SQL server isn't freaking out. – Jhecht Aug 11 '14 at 03:44
set `ini_set('display_errors','1')` below the error_reporting line. you should be getting some kind of output. – Jhecht Aug 11 '14 at 03:45
1

thanks so much guys! it was my query statements. Sorry for being dumb. I am new to PHP, and SQL trying to learn. You guys were talking about dealing with SQL injections do you have any tips on how I can improve the security of my login? – user3404290 Aug 11 '14 at 03:59
How can I prevent SQL-injection in PHP?-> http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Sean Aug 11 '14 at 04:04
Everybody has a dumb phase in learning. That's why it is learning – Jhecht Aug 11 '14 at 04:04
actually sorry there is still a problem with this line – user3404290 Aug 11 '14 at 04:08
$row = mysql_fetch_array($sql) or die(mysql_error()); – user3404290 Aug 11 '14 at 04:11

Trouble with PHP form submission

2 Answers2