1

When I submit this form I get the same error message all the time. Even if I put in the right or wrong password, or don't put in a password, or I write the name of the database wrong, for all of these mistakes I get the same error message: Please enter a username and password. So what is the problem? I am sure about my fields in the database.

    <?

    session_start();
    $username = $_POST['username'];
    $password = $_POST['password'];


    if ($username && $password)
    {

        $connect = mysql_connect("localhsost","root","adminffpass") or die("Couldent connet to database ");
        mysql_select_db("login") or die("No data base found ");

        $query = mysql_query("SELECT * FROM users WHERE username='$username'");

        $numrows = mysql_num_rows($query);

        if ($numrows !=0)
        {

            while ($row= mysql_fetch_array($query)) 
            {

                $dbusername = $row['username'];
                $dbpassword = $row['password'];

            }

            if ($username == $dbusername && $password==$dbpassword)
            {
                echo "Login successul .<a href='memeberarea.php'>Click to enter member area</a>";
                $_SESSION['username'] = $dbusername;
            }
            else
                echo "incorrect  password  ";

        }
        else
           die ("That user name dosent exist");

   }
   else
     die ("Please enter a username and password");


    ?>
Ofir Baruch
Foda
  • _"the same error message"_ which one? – Halcyon Apr 25 '15 at 14:30
  • Please format your code properly. It's quite difficult to understand the question as it's currently presented. – Mureinik Apr 25 '15 at 14:31
  • Your POST arrays are most likely failing. Getting an Undefined index xxx I'll bet. Plus, if your short tags aren't enabled, change `<?` to `<?php` – Funk Forty Niner Apr 25 '15 at 14:33
  • Note: Your code is vulnerable to [SQL Injection](http://stackoverflow.com/q/60174/4193263). To fix this critical security hole, use Prepared Statements. – ByteHamster Apr 25 '15 at 14:33
  • By formatting your code, you would see that your `Please enter a username and password` is in the `else` of `if ($username && $password)`. So you need to find out why that is failing. Are your `$_POST` names correct? Does your form have inputs with name attributes the same as those `$POST`? – Sean Apr 25 '15 at 14:39
  • `localhsost` <= yo............ typo! – Funk Forty Niner Apr 25 '15 at 14:39
  • If I write the wrong database name I don't get any error. Why? – Foda Apr 25 '15 at 14:41
  • Because you never enter into the code of the `if ($username && $password)` where the database connection is. You first need to fix that issue, and then you would have had an issue connecting to your database as well. – Sean Apr 25 '15 at 14:44

2 Answers

3

> Even if I put in the right or wrong password, or don't put in a password, or I write the name of the database wrong, for all of these mistakes I get the same error message

Typo: `localhsost` for one thing. Plus, you may not be able to use `mysql_` functions, since they are deprecated and may not be available for you to use.

Plus, your POST arrays may be failing, so make sure your form is a POST method and that your elements bear the name attribute.

I.e.:

    <input type="text" name="username">

etc.

> If I write the wrong database name I don't get any error. Why?

Because you're just using `or die("Couldent connet to database ")` instead of getting the real error with `mysql_error()`.

mysql_connect() => http://php.net/manual/en/function.mysql-connect.php

    <?php
    $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    echo 'Connected successfully';
    mysql_close($link);
    ?>

Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements.

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

For password storage, use `CRYPT_BLOWFISH` or PHP 5.5's `password_hash()` function. For PHP < 5.5 use the `password_hash()` compatibility pack.


Add error reporting to the top of your file(s) which will help find errors.

    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    // rest of your code

Sidenote: Error reporting should only be done in staging, and never production.


Plus, instead of `if ($username && $password)` you should be using a conditional `!empty()` for your inputs.


It is also best to use proper and consistent bracing throughout your code.

    else{
        echo "incorrect  password  ";
    }

etc.

  • Not doing so could have adverse effects.

Storing a password hash

Using PDO with prepared statements and password_hash():

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

    $dbh = new PDO(...);

    $username = $_POST["username"];
    $email = $_POST["email"];
    $password = $_POST["password"];
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
    $stmt->execute([$username, $email, $hash]);

And on login:

    $sql = "SELECT * FROM users WHERE username = ?";
    $stmt = $dbh->prepare($sql);
    // execute() returns true/false, so the rows are fetched from the statement itself
    $stmt->execute([$_POST['username']]);
    // fetch rows as objects so that ->password works below
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);
    if (isset($users[0])) {
        if (password_verify($_POST['password'], $users[0]->password)) {
            // valid login
        } else {
            // invalid password
        }
    } else {
        // invalid username
    }
Community
Funk Forty Niner
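
The advice in the answer above (`!empty()` input checks, real database errors instead of a fixed `die()` string, prepared statements, `password_hash()`/`password_verify()`), combined into one script. This is an added example, not code from the asker or the answerer. It assumes an in-memory SQLite database in place of the MySQL `login` database, a hypothetical helper named `check_login()`, and constructed sample accounts and submissions.

```php
<?php
// Added example. Assumptions: SQLite in memory stands in for the MySQL
// "login" database; check_login() is a hypothetical helper name.

function check_login(PDO $dbh, array $post): string
{
    // !empty() avoids "Undefined index" notices when a field is missing.
    if (empty($post['username']) || empty($post['password'])) {
        return 'Please enter a username and password';
    }

    // The value is bound as data, so quotes in it cannot change the query.
    $stmt = $dbh->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$post['username']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the input against the stored hash.
    if ($user !== false && password_verify($post['password'], $user['password'])) {
        return 'Login successful';
    }
    // One message for both failure cases (a choice made in this example).
    return 'Incorrect username or password';
}

// Exceptions surface the real connection or query error.
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account; only the hash is stored, never the plain text.
$ins = $dbh->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['foda', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed sample submissions, used here in place of real $_POST data.
$samples = [
    ['username' => 'foda', 'password' => 'correct horse'],
    ['username' => 'foda', 'password' => 'wrong'],
    ['username' => "foda' OR '1'='1", 'password' => 'x'],
    ['username' => 'foda'],
];
foreach ($samples as $post) {
    echo json_encode($post), ' => ', check_login($dbh, $post), PHP_EOL;
}
```

Only the first submission logs in; the one containing quotes is looked up as a literal username and matches no row.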
0

You may print some information for yourself, so you can see what's wrong. Change the following line:

    echo "incorrect  password  ";

to something like this:

    echo "incorrect  password, u:[$username/$dbusername] p:[$password/$dbpassword]";

If you see that detailed message, you will know what's wrong.

EDIT: of course, don't leave pwd printing in your final code :)

ern0