-3

After hitting 'log-in' in a simple login.php, it outputs an 'Object Not Found' and having the link 'localhost/post?username=asd&password=asd&Submit=Log+In'. Can anyone help me find out what's wrong?

Here's the coding to the initial page login.php

<!DOCTYPE html>
<html>

<?php $error=""; //sets the error var to empty?>

<head></head>

<body>

<form name="form1" method="check_login.php" action="post">
    Username <input name="username" type="text" id = "username" placeholder="Username">
    <br><br>
    Password <input name="password" type="password" id = "password" placeholder="********">
    <br><br>
    <input name="Submit" type="submit" value="Log In">
    <br><br>
</form>

</body>

</html>

Here's check_login.php

<?php

    //sets the host/username/password/database name into variables
    $host = "localhost";
    $user = "root";
    $pass = "enterpasshere";
    $myDB = "abc";
    $error = "";

    if (empty($_POST['username']) || empty($_POST['password'])) {
        $error = "Username or Password is invalid"; 
    } 
        else 
    {   
        $username = $_POST['username'];     //gets the username input
        $password = $_POST['password']; //gets the password input

        $connection = mysql_connect($host, $user, $pass); //connects to the database
        mysql_select_db($myDB); //selects the database

        $result = mysql_num_rows(mysql_query("SELECT * FROM user WHERE username='$username' AND password='$password'")); //performs the query and gets the number of rows

        if($result == 1){ //if the query was right
            header("location: home.php");//Redirecting to other page
        } else {
            $error = "Wrong username or password";
        }

        mysql_close(); //Make sure to close out the database connection
    }

?>

I used to have the form's action as ?php ($_SERVER["PHP_SELF"]);? and the code in the check_login.php inside login.php but I had the problem with error printing so I thought I'll just do this.

Hopeless Noob
  • 63
  • 1
  • 1
  • 6
  • 1
    your action and method are backwards. method is post or get, action is the path to the controller. – Ohgodwhy Oct 26 '14 at 20:34
  • 1
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 26 '14 at 20:40
  • 1
    You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Oct 26 '14 at 20:40
  • I'm coding just the basic login page. As in I only coded the check if user/pass is invalid. I'm going to code the security part after I actually make things work. But thanks for the additional resources and I'm going to change the mysql_* ASAP. – Hopeless Noob Oct 26 '14 at 20:48

1 Answers1

1

Your action and method are backwards. method is post or get, action is the path to the controller

<form name="form1" method="check_login.php" action="post">

Should be:

<form name="form1" action="check_login.php" method="post">

You get localhost/post?username=asd&password=asd&Submit=Log+In because the form submits to post, and assumes a get because the method is invalid, and therefore appends the form values to the query string of the URL.

Ohgodwhy
  • 49,779
  • 11
  • 80
  • 110