I'm creating a login form which connects to my database (all through localhost, MySQL, phpMyAdmin), and I am having a problem when it comes to logging in.
When I log in, it asks for my username and password. If I give a username that is in the database and any random password, it still logs me in. However, if I put in any random username, it will not.
I've had a look online and through my PHP, and I'm struggling! (I've been looking over it for hours, I'm going googly-eyed.)
Appreciate any help. Thanks.
This is my login.php code:
<?php
if ($username && $userid) {
    echo "You are already logged in as <b>$username</b>. <a href='admin.php'> Click here </a>";
} else {
    $form = "<form action='login.php' method='POST'>
    <table>
    <tr>
        <td> Username: </td>
        <td><input type='text' name='user' /></td>
    </tr>
    <tr>
        <td> Password: </td>
        <td><input type='password' name='password' /></td>
    </tr>
    <tr>
        <td> </td>
        <td><input type='submit' name='loginbtn' value='login' /></td>
    </tr>
    </table>
    </form>";

    if ($_POST['loginbtn']) {
        // Values submitted by the form
        $user = $_POST['user'];
        $password = $_POST['password'];

        if ($user) {
            if ($password) {
                require ("connect.php");
                $password = ('password');
                echo "$password";

                // Look up the row for the submitted username
                $query = mysql_query("SELECT * FROM users WHERE username='$user'");
                $numrows = mysql_num_rows($query);

                if ($numrows == 1) {
                    $row = mysql_fetch_assoc($query);
                    $dbid = $row['id'];
                    $dbuser = $row['username'];
                    $dbpass = $row['password'];
                    $dbactive = $row['active'];

                    if ($password == $dbpass) {
                        if ($dbactive == 1) {
                            $_SESSION['userid'] = $dbid;
                            $_SESSION['username'] = $dbuser;
                            echo "You have been logged in as <i> $dbuser </i>. Click <a href='admin.php'> here </a> to go to the members page.";
                        } else {
                            echo "You must activate your account to login. $form";
                        }
                    } else {
                        echo "You did not enter the correct password. $form";
                    }
                } else {
                    echo "the username you entered was not found. $form";
                }
                mysql_close();
            } else {
                echo "You must enter your password. $form";
            }
        } else {
            echo "You must enter your username. $form";
        }
    } else {
        echo $form;
    }
}
?>
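
Added example (not part of the original post and not the poster's code): in the code above, `$password= ('password');` replaces the submitted password with the literal string `password` before `$password == $dbpass` runs, so what was typed into the form is never compared. The sketch below verifies the submitted value with `password_verify()` and looks the user up through a PDO prepared statement; the column names come from the post, while the `check_login()` name, the in-memory SQLite stand-in for the MySQL database and hashed password storage are assumptions.

```php
<?php
// Added example, not the poster's code. Columns (id, username, password,
// active) come from the post; PDO, the in-memory SQLite stand-in for the
// MySQL database, and hashed password storage are assumptions.

function check_login(PDO $db, string $user, string $password): string
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username, password, active FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify the *submitted* password against the stored hash. An unknown
    // username and a wrong password return the same status, so the response
    // does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password'])) {
        return 'invalid';
    }
    if ((int) $row['active'] !== 1) {
        return 'inactive';
    }
    return 'ok';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, active INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, password, active) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('sample-secret', PASSWORD_DEFAULT), 0]);
$ins->execute(["o'brien", password_hash('sample-secret', PASSWORD_DEFAULT), 1]);

$attempts = [
    ['alice', 'correct horse'],    // right password, active account
    ['alice', 'password'],         // the literal the original code compared against
    ['alice', 'anything'],         // random password
    ['bob', 'sample-secret'],      // right password, account not activated
    ['nobody', 'x'],               // username not in the table
    ["o'brien", 'sample-secret'],  // apostrophe in the name is handled as data
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s %-15s => %s\n", $u, $p, check_login($db, $u, $p));
}
```

On a successful login in a web context, call `session_start()` before writing to `$_SESSION` and `session_regenerate_id(true)` once the check returns `ok`.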