-2

So, I am working on a Username and Password entry form, and whenever I insert this PHP code to connect to my MySQL database and load my page, it gives a blank white screen. It is supposed to check against users in my database, but it fails. Other PHP code works in PHP files, such as "fwrite()" or "echo". Maybe it's an operator error and I just can't figure out what I'm doing wrong. Any help would be great! Thanks!

Here is my PHP code:

    <?php
    session_start();
        include('config.php');
        $usercheck = $_POST["username"];
        $passcheck = $_POST["password"];
        $db_query= mysql_query("SELECT * from users WHERE username ="'.$usercheck.""');
        if (mysql_num_row($db_query)== 1){
            $record = mysql_fetch_array($db_query);
            if (md5($passcheck) == $record['password']){
                $_SESSION['user']= $usercheck;
                $_SESSION['password']= $passcheck;
            }
          else
           echo "Sorry, wrong password. <br/>";
    }
    else
      echo "Sorry, wrong username. <br/>";

    if(isset($_SESSION['user'])){
        echo "You are now logged in!";
        echo "<p><a href="index.html">HOME</a></p>";
    }
    else
        echo "<p color="red">An error accured trying to log you in. Please try again later.</p>";

And my config.php:

    <?php
    $db_con= mysql_connect("localhost","root", "password");
    if(!$db_con){
        die('Could not connect to the Database:'. mysql_error());
    }
    mysql_select db("my_data", $db_con);
    ?>

Martin
Ryan
  • First, the code in its current state has a SQL injection vulnerability. – 735Tesla Jan 25 '15 at 22:09
  • I'm just trying to set up something very very simple and I will move on to security later. This is more of a test. It isn't for practical use. Yet. – Ryan Jan 25 '15 at 22:12
  • Your quotes in your query are wrong -> `"SELECT * from users WHERE username ="'.$usercheck.""'` should be `"SELECT * from users WHERE username ='".$usercheck."'"` – Sean Jan 25 '15 at 22:12
  • A blank page will mean that your PHP has died and there will be an error in your PHP log file. Find out where your error log file is placed, or place it manually at the top of the page; see http://stackoverflow.com/questions/5127838/where-does-php-store-the-error-log . The error log file will tell you there is an error in your SQL or a similar response. Also use `or die(mysql_error());` at the end of your SQL query to output your SQL-specific error – Martin Jan 25 '15 at 22:17

2 Answers

1

You have some trouble with quotes in your query. Try this code:

    $db_query= mysql_query("SELECT * from users WHERE username ='" . $usercheck . "'");
Joerg
  • I inserted the code and it still displayed white. I have other PHP pages and they work like a charm. It's just any page with this code inside it. – Ryan Jan 25 '15 at 22:18
  • @ryan_melehan are you **sure** $usercheck is a valid value? – Martin Jan 25 '15 at 22:28
0

To find out why the page is a blank white screen, you need to read the PHP error log file. There are numerous posts on Stack Overflow about this; explore them.

The file will say when and why the PHP script died.

As well as this, add the following to your SQL query.

Add for (some) security:

    $usercheck = mysql_real_escape_string($usercheck);

and your edited code:

    $db_query= mysql_query("SELECT * from users WHERE username ='".$usercheck."'") or die(mysql_error());

which will output to browser why your SQL statement failed.

PLEASE NOTE: This is not safe and MySQL is deprecated and should no longer be used. Please explore and use MySQLi.

Also, your statement is a mess of single and double quotes. In the line coded above I have corrected the quotes, and this should work. Copy and paste.

Martin
  • You should add `or die(...)` to each SQL query on the page. To see _which_ one fails, try appending `or die("line number: ".mysql_error());` to each one. – Martin Jan 25 '15 at 22:26
  • I looked at the php error logs and found an error with the $usercheck variable. The username properties in my database is set to varchar for username. – Ryan Jan 25 '15 at 22:36
  • Be very careful: your code as presented means that the `$usercheck` variable can be anything and can easily hijack your SQL. I have updated my answer to include `mysql_real_escape_string` – Martin Jan 25 '15 at 22:39
  • I fixed the issues that kept occurring. A new one just popped up in the config.php. It said that there was an unexpected 'db' (T_STRING) in config.php. – Ryan Jan 25 '15 at 23:40
  • That sounds like you've missed the `$` off the front of the variable somewhere in config.php - your variable is `db = whatever;` rather than `$db = whatever;` – Martin Jan 30 '15 at 17:03
  • Finally figured it out after several days, I used the PHP error logs to my advantage. I'm newish to PHP and I had no idea they even existed. Thanks for all your help! – Ryan Jan 30 '15 at 17:05
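
The move to MySQLi suggested in the second answer, combined with the error-log advice from the comments, as an added example that is not part of the original thread. It assumes a `users(username, password_hash)` table whose hashes were created with `password_hash()`, and the database account and password shown are placeholders.

```php
<?php
// Added example, not code from the thread. Assumed: table users(username,
// password_hash) with hashes from password_hash(); placeholder credentials.
declare(strict_types=1);

ini_set('display_errors', '0');   // keep error details out of the browser
ini_set('log_errors', '1');       // and send them to the PHP error log
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure

function find_password_hash(mysqli $db, string $username): ?string
{
    // The username is bound as data, so quotes inside it cannot change the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();      // true = row fetched, null = no such user
    $stmt->close();
    return $found === true ? $hash : null;
}

function check_login(mysqli $db, string $username, string $password): bool
{
    $hash = find_password_hash($db, $username);
    // password_verify() checks a salted hash, replacing the md5() comparison.
    return $hash !== null && password_verify($password, $hash);
}

session_start();
try {
    $db = new mysqli('localhost', 'app_user', 'placeholder-password', 'my_data');
    $db->set_charset('utf8mb4');
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login($db, $user, $pass)) {
        session_regenerate_id(true);   // new session ID after authentication
        $_SESSION['user'] = $user;     // the password itself is never stored
        echo 'You are now logged in!';
    } else {
        echo 'Sorry, wrong username or password.'; // same reply for both cases
    }
} catch (mysqli_sql_exception $e) {
    error_log('Login query failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'An error occurred. Please try again later.';
}
```

With exceptions enabled and errors logged, a failed connection or query produces a log entry and a generic message instead of a blank page or a `die(mysql_error())` dump in the browser.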