
I'm creating a login form which connects to my database (all through localhost, MySQL, phpMyAdmin), and I am having a problem when it comes to logging in.

When I log in it asks for my username and password; if I give a username that is in the database and any random password, it still logs me in. However, if I put in any random username it will not.

I've had a look online and through my PHP, and I'm struggling! (I've been looking over it for hours; I'm going googly-eyed.)

Appreciate any help. Thanks.

This is my login.php code:

<?php
session_start(); // required before $_SESSION is read or written below

// $username / $userid are the "already logged in" values; reconstructed here
// from the session keys this script sets further down (the original file
// presumably set them in an include)
$userid   = isset($_SESSION['userid'])   ? $_SESSION['userid']   : null;
$username = isset($_SESSION['username']) ? $_SESSION['username'] : null;

if ($username && $userid){
    echo "You are already logged in as <b>$username</b>. <a href='admin.php'> Click here </a>";
} else {
    $form= "<form action='login.php' method='POST'>
                <table>
                    <tr>
                        <td> Username: </td>
                        <td><input type='text' name='user' /></td>
                    </tr>
                    <tr>
                        <td> Password: </td>
                        <td><input type='password' name='password' /></td>
                    </tr>
                    <tr>
                        <td>  </td>
                        <td><input type='submit' name='loginbtn' value='login' /></td>
                    </tr>
                </table>
            </form>";

    if ($_POST['loginbtn']) {
        $user= $_POST['user'];
        $password = $_POST['password'];

        if ($user) {
            if ($password) {
                require ("connect.php");

                // overwrites the submitted password with the literal string 'password'
                $password= ('password');

                echo "$password"; // debug output
                $query = mysql_query("SELECT * FROM users WHERE username='$user'");
                $numrows = mysql_num_rows($query);

                if ($numrows ==1) {
                    $row= mysql_fetch_assoc($query);
                    $dbid = $row['id'];
                    $dbuser = $row['username'];
                    $dbpass = $row['password'];
                    $dbactive = $row['active'];

                    if ($password == $dbpass) {
                        if ($dbactive == 1) {
                            $_SESSION['userid']= $dbid;
                            $_SESSION['username'] = $dbuser;

                            echo "You have been logged in as <i> $dbuser </i>. Click <a href='admin.php'> here </a> to go to the members page.";

                        } else {
                            echo "You must activate your account to login. $form";
                        }
                    } else {
                        echo "You did not enter the correct password. $form";
                    }
                } else {
                    echo "the username you entered was not found. $form";
                }

                mysql_close();
            } else {
                echo "You must enter your password. $form";
            }
        } else {
            echo "You must enter your username. $form";
        }
    } else {
        echo $form;
    }
} // closes the outer else; this brace was missing in the posted code

?>
Naruto
Coli-Eza

2 Answers

The problem is that you can write anything into the password field; later, you hardcode it with this code:

$password = ('password');

So if your actual password is password, then it does not matter what you write into the field.

NOTES

  • Do not use mysql_* functions since they are deprecated. Use mysqli or PDO instead.

  • Escape your variables that come from outside, or use prepared statements to avoid SQL injection.

vaso123


Some notes:

if ($_POST['loginbtn']) => if (isset($_POST['loginbtn'])) //You should really do this to other $_POST variables as well.

$user= $_POST['user']; // Sanitize this or use prepared statements.
$password = $_POST['password']; // Encrypt this!

mysql_query("SELECT * FROM users WHERE username='$user'"); // 1. Don't use mysql_, use mysqli_. 2. Using the asterisk (*) is bad practice, you should also attach a LIMIT 1

$password= ('password'); // What are you doing this for? You are changing the value of the $password variable and that's why it's always 'password'.

echo $form; // If you are echoing it once, why store it as a variable?

To directly fix your problem, remove $password= ('password');.

Shahar