3

Ok, so we got some basic HTML here

<form action="main_login.php" method="post" style="text-align:right;">
    Username:
    <input type="text" name="username" value="" size=20 style="display:inline-block;margin-left:10px" required>
    <br>
    Password:
    <input type="password" name="password" value="" size=20 style="margin-left:12px" required>
    <br>
    <input type="submit" value="Log In" style="margin-left:75px">
</form>

And 2 PHP files, the main login.php

<?php
    session_start();
    $con = mysqli_connect("localhost", "root", "", "complaints"); 
    if (!$con) { 
        die('Could not connect: ' . mysql_error()); 
    } 
    $myusername=$_POST["username"];
    $mypassword=$_POST["password"];
    echo $myusername . "<br>";  
    echo $mypassword . "<br>";



    // MySQL injection 
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
    $result=mysqli_query($con,$sql);
    // Mysql_num_row is counting table row
    $count=mysqli_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['username']=$myusername;
    $_SESSION['password']=$mypassword;
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    mysqli_close($con);
?>

If login succeeds, it's redirecting here, login.php

<?php
    session_start();
    if ( isset( $_SESSION['username'] ) ){
    header("location:main_login.php");
    }
?>

<html>
<body>
    Login Successful
</body>
</html>

Ok, so, I'm new to PHP and don't know much about sessions. First I used session_register and session_is_registered, but as I found out these functions are not used anymore. So I converted to sessions, but my problem keeps appearing here

$myusername=$_POST["username"];
$mypassword=$_POST["password"];

I can't use the $_POST to get the data from the form. Also I don't know if I have placed the session functions correctly.

Edit: Username and password names in HTML are the same as those used in PHP, I just mistyped here.

Choxx
DominusMors

3 Answers

4

Edit: Username and password names in HTML are the same as those used in PHP, I just mistyped here.

Edit: Ok, so you've made a typo in the form fields. You're still mixing MySQL APIs, see further down below about the mixing function using mysql_real_escape_string().

Look at name="myusername" and your POST assignment, along with the one for your password.

They don't match.

Change name="myusername" to name="username"

and name="mypassword" to name="password"

as per

$myusername=$_POST["username"];
$mypassword=$_POST["password"];

Having used error reporting would have signaled an undefined index and a headers already sent warning; see below.

You also have spaces before <?php which would cause an output before header. Remove them.

Plus, you're mixing MySQL APIs with mysql_error(). mysql_error() should read as mysqli_error($con) and this below:

$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

which should read as

$myusername = mysqli_real_escape_string($con,$myusername);
$mypassword = mysqli_real_escape_string($con,$mypassword);

or

$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);

  • mysqli_ and mysql_ functions do not intermix together.

Regarding security

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.


Footnotes

It is best to add exit; after each header.

header("location:login_success.php");
exit;

and for all headers.


Edit:

Remove

$myusername=$_POST["username"];
$mypassword=$_POST["password"];
echo $myusername . "<br>";  
echo $mypassword . "<br>";

then replace it with:

$myusername = stripslashes($_POST["username"]);
$mypassword = stripslashes($_POST["password"]);
$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);

Edit #2:

This is what I tested your code with, and got success, therefore I don't know what is wrong with your present code.

HTML FORM

<form action="main_login.php" method="post" style="text-align:right;">
    Username:
    <input type="text" name="username" value="" size=20 style="display:inline-block;margin-left:10px" required>
    <br>
    Password:
    <input type="text" name="password" value="" size=20 style="margin-left:12px" required>
    <br>
    <input type="submit" value="Log In" style="margin-left:75px">
</form>

MySQL

<?php

    $DB_HOST = 'xxx';
    $DB_USER = 'xxx';
    $DB_PASS = 'xxx';
    $DB_NAME = 'xxx';

    $conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
    if($conn->connect_errno > 0) {
      die('Connection failed [' . $conn->connect_error . ']');
    }

    $myusername = stripslashes($_POST["username"]);
    $mypassword = stripslashes($_POST["password"]);
    $myusername = mysqli_real_escape_string($conn,$_POST['username']);
    $mypassword = mysqli_real_escape_string($conn,$_POST['password']);


    echo $myusername; // echos
    echo "<br>";
    echo $mypassword; // echos


    $sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
    $result=mysqli_query($conn,$sql);

    $count=mysqli_num_rows($result);

    if($count==1){
        echo "Yep";
    }
    else{
        echo "nope";
    }

N.B.: You should also clear out your sessions (destroy sessions), there could be something on the server caching old usernames and passwords.

Also make sure there are no spaces in your columns, that the types are correct and the lengths are long enough to hold the data. Usually VARCHAR(255) is more than enough, but is suggested when using hashed passwords generated by password_hash(), a function which you should be using when storing passwords.

See also:

on Stack.

Community
Funk Forty Niner
  • @vp_arth What do you mean? – Funk Forty Niner Dec 23 '14 at 19:57
  • @Fred-ii- I made all the changes you said, but it's the same output. I get Notice: Undefined index: username Notice: Undefined index: password – DominusMors Dec 23 '14 at 20:02
  • You might want to add that using plain-text passwords **and** storing them in session variables is not the best of ideas :-) – jeroen Dec 23 '14 at 20:02
  • @jeroen Good idea thanks, I'll get to it just as soon as I clear up OP's undefined index(es). – Funk Forty Niner Dec 23 '14 at 20:03
  • @DominusMors Change `$myusername = mysqli_real_escape_string($con,$myusername);` to `$myusername = mysqli_real_escape_string($con,$_POST['username']);` and do the same for the password one. Make sure also that nothing is in cache memory and that you uploaded/reloaded the files. – Funk Forty Niner Dec 23 '14 at 20:04
  • @Fred-ii- Ok, I just changed the 2 lines you said and it does the same thing. It outputs the $_POST lines as undefined index and the $myusername = mysqli_real_escape_string($con,$_POST['username']); – DominusMors Dec 23 '14 at 20:16
  • @DominusMors I can't see how it would fail. Did you upload and reload the HTML form? Make sure nothing's in cache that would still be using the old `name="myusername"` and `name="mypassword"` as you previously had. – Funk Forty Niner Dec 23 '14 at 20:22
  • @DominusMors Reload my answer also, and look near the bottom under **Edit**. Also try removing both `value=""` in your form. – Funk Forty Niner Dec 23 '14 at 20:27
  • @Fred-ii- The HTML form has not been edited. It's username and password. Another thing I noticed, and it's confusing, is that when I put a correct username and a wrong password on the form, I get no errors, and the message "Wrong Username or Password". When I put the correct password I get the undefined index errors as well as the same error, "Wrong Username or Password". Don't know if it helps – DominusMors Dec 23 '14 at 20:30
  • @DominusMors I tested your code in conjunction with my answer, and was successful. So, I don't know what else to tell you, other than make sure you're using the correct files. – Funk Forty Niner Dec 23 '14 at 20:36
  • @DominusMors Reload my answer under **Edit #2**. Other than that, you will need to further investigate. There's nothing more I can do that will be of further help. Also clear your sessions; there could be something in your server's cache. Make sure your column names are correctly named. – Funk Forty Niner Dec 23 '14 at 20:42
  • @Fred-ii- This might be a stupid question, but how do I clear sessions? I'm gonna make new files and check the code thoroughly. Thanks for the help. – DominusMors Dec 23 '14 at 20:49
  • `session_destroy();` http://php.net/manual/en/function.session-destroy.php plus, another thing. Make sure your columns are the right type VARCHAR and are long enough in length. Usually I do VARCHAR(255) just to be sure. And you're welcome. I'd sure like to see the light at the end of the tunnel :-)) @DominusMors see also http://stackoverflow.com/questions/4303311/what-is-the-difference-between-session-unset-and-session-destroy-in-php – Funk Forty Niner Dec 23 '14 at 20:51
  • Only one upvote after such a constructive answer... +1 – DarkBee Dec 23 '14 at 20:57
  • @Fred-ii- Yeah, despite all your effort your last comment was the solution. I had set everything in the table to VARCHAR(20) 'cause I wasn't sure about the length. :) Again, thanks for your time, you were awesome. – DominusMors Dec 23 '14 at 20:59
  • @DominusMors That's the 3rd one in 2 days that someone's column length wasn't long enough. Glad to see that we've found the light at the end of the tunnel! Thanks for the update and was happy to have been of help; and quite welcome. *Cheers* – Funk Forty Niner Dec 23 '14 at 21:04
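
The answer above recommends password_hash() and prepared statements, and the comments add that the password should not be kept in the session and that a too-short column broke the login. The following is an added example that puts those points together; it is not code from the question or the answer. It assumes PHP 7+ with pdo_sqlite, uses PDO (one of the two options the answer names) with an in-memory SQLite database as a constructed stand-in for the "register" table, and the names check_login, handle_login and the sample account are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the question's "register" table so this runs offline
// (needs pdo_sqlite). With MySQL, use a 'mysql:host=...;dbname=...' DSN and a
// password column of VARCHAR(255), the length the answer suggests.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE register (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store only a hash of the constructed sample password, never the plain text.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$pdo->prepare('INSERT INTO register (username, password) VALUES (?, ?)')
    ->execute(['alice', $hash]);

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text; no escaping needed.
    $stmt = $pdo->prepare('SELECT password FROM register WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    // Verify against the stored hash instead of comparing passwords in SQL.
    return is_string($stored) && password_verify($password, $stored);
}

function handle_login(PDO $pdo, array $post): void
{
    // Guard against missing fields instead of reading $_POST keys blindly.
    $user = is_string($post['username'] ?? null) ? $post['username'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';
    if (!check_login($pdo, $user, $pass)) {
        echo 'Wrong Username or Password';
        return;
    }
    session_start();
    session_regenerate_id(true);    // fresh session ID after authentication
    $_SESSION['username'] = $user;  // the password is not kept in the session
    header('Location: login_success.php');
    exit;                           // nothing may run after the redirect
}

// Offline checks with constructed input: valid login, wrong password,
// and a username containing quotes, which is bound as plain data.
var_dump(check_login($pdo, 'alice', 'correct horse'));
var_dump(check_login($pdo, 'alice', 'wrong'));
var_dump(check_login($pdo, "' OR '1'='1", 'x'));
// A hash cut to 20 characters, as a too-short column would leave it.
var_dump(password_verify('correct horse', substr($hash, 0, 20)));
```

In main_login.php the entry point would be handle_login($pdo, $_POST); the var_dump lines are only there so the script can be run from the command line.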
1
   <?php
session_start();

First of all there is a space at the beginning.

It should be

<?php session_start();
Ahmad Sharif
  • There isn't any problem in your first code statements. Both of them you wrote will do the same work. – Choxx Apr 15 '15 at 14:16
1

The session problems for a login page might occur because the URLs you are opening in the browser are not unique. For example, say you are creating a login page for your website, and you have created sessions successfully. Now, if you are logging in from a URL, say http://geekzgarage.com, then your session is limited to this URL only. If you again open the above URL like http://www.geekzgarage.com (note www. in both URLs), then you will see that you are not logged in. So make sure that your webpage always opens with a single type of URL, either with www. or without www.

Choxx