
What I want to do is make things appear.

I have created a login system. What I want to do is make a box saying "incorrect password" or something like that when they incorrectly answer the username and password.

The backend is fairly simple. I plan to make it more complex after I get the answer to this. Also, some of the front end is written in Bootstrap. And I am using MySQL to contain the Username and Password information.

What I need is a simple PHP variable to be called later in the HTML. I will not be combining the backend and the frontend together.

My Code:

Frontend:

<html>
    <head>
        <link rel="stylesheet" href="../../css/bootstrap.min.css"/>

        <title>User Login</title>
    </head>

    <body>
        <div class="container">
            <div align="center" class="jumbotron">
                <div class="container">
                    <h1>User Login</h1>
                </div>
            </div>

            <div align="center" class="container">
                <form action="login.php" method="post">
                    <div class="form-group">
                        <input type="text" name="username" id="username" placeholder="Username"/>
                    </div>

                    <div class="form-group">
                        <input type="password" name="password" id="password" placeholder="Password"/>
                    </div>

                    <input value="Submit" type="submit" class="btn btn-primary"/>
                </form>
            </div>
        </div>
    </body>
</html>

Backend:

<?php

    session_start();

    $servername = "**BLOCKED**";
    $username = "**BLOCKED**";
    $password = "**BLOCKED**";
    $dbname = "**BLOCKED**";

    $conn = new mysqli($servername, $username, $password, $dbname);

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "SELECT password FROM user WHERE username = '" . $_POST["username"] . "'";
    $result = $conn->query($sql);

    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc())
        {
            if ($row["password"] == $_POST["password"])
            {
                $_SESSION["Authenticated"] = true;

                header("Location: ../");
            }else
            {
                echo "Login failed";
            }

            //Debug

            //echo " password DB: " . $row["password"];
            //echo " password IN: " . $_POST["password"];
        }
    } else {
        echo "User not found!";
    }

    $conn->close();
  • 1
    Put backend code on the top of the frontend code (mayhaps using an `include` or the like), wrapping it in something that checks for a valid `$_POST`, put `exit;` after any redirect `header()`, then instead of `echo "User not found";` assign it to a variable and echo it down the page in the html where you want it. – Rasclatt Sep 23 '15 at 20:25
  • 1
    what is the question and what problems are you having in something *you tried?* – Funk Forty Niner Sep 23 '15 at 20:27
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 23 '15 at 20:28
  • 1
    You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Sep 23 '15 at 20:28
  • Also....what they ^^ said! – Rasclatt Sep 23 '15 at 20:29
  • Also what he said down there v, which is pretty much what they ^ said. – Rasclatt Sep 23 '15 at 20:33
  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Jay Blanchard Sep 23 '15 at 20:34
  • *-blink-blink-* I don't understand either of your code-speak...all this *Ralph* and *Sam* business. – Rasclatt Sep 23 '15 at 20:38

3 Answers


Ok, what you need to do is put your messages for the user into a variable instead of using echo within your backend script. E.g.:

//login failed
$message = 'Login Failed';

Your frontend script then needs a way of showing this information to the user. Perhaps above the form tag add:

<div style="color: red"><?php echo $message; ?></div>

This would give you a basic mechanism for feeding back to the user. Looking at your code, I also strongly suggest reading up on SQL injection vulnerabilities and how to use mysqli_real_escape_string to mitigate against the more obvious attacks a user could try against your system.

Steve E.
  • 1
    Thank you so much. This will definitely help. Also, thanks for the injection help. I didn't know about that. You saved me from a lot of trouble! –  Sep 23 '15 at 20:38

Please update your code to something like this:

    <?php

    session_start();
    $servername = "**BLOCKED**";
    $username = "**BLOCKED**";
    $password = "**BLOCKED**";
    $dbname = "**BLOCKED**";


    $conn = new mysqli($servername, $username, $password, $dbname);

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $message ='';
    if(!empty($_POST["username"])  && !empty($_POST["password"])) {


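    // Prepared statement: the username is bound as a parameter, not concatenated into the SQL
    // (get_result() requires the mysqlnd driver).
    $stmt = $conn->prepare("SELECT password FROM user WHERE username = ?");
    $stmt->bind_param("s", $_POST["username"]);
    $stmt->execute();
    $result = $stmt->get_result();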

    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc())
        {
            if ($row["password"] == $_POST["password"])
            {
                $_SESSION["Authenticated"] = true;

                header("Location: ../");
                exit; // stop the script once the redirect header is sent
            }else
            {
                $message = "Login failed.please enter correct password";
            }

            //Debug

            //echo " password DB: " . $row["password"];
            //echo " password IN: " . $_POST["password"];
        }
        } else {
            $message= "User not found!";
        }
    }else
    {
        $message ="Please enter username/password";
    }

    $conn->close();

?>
<html>
    <head>
        <link rel="stylesheet" href="../../css/bootstrap.min.css"/>

        <title>User Login</title>
    </head>

    <body>
        <div class="container">
            <div align="center" class="jumbotron">
                <div class="container">
                    <h1>User Login</h1>
                </div>
            </div>

            <div align="center" class="container">
            <div style="color: red"><?php echo  $message; ?></div>
                <form action="" method="post">
                    <div class="form-group">
                        <input type="text" name="username" id="username" placeholder="Username"/>
                    </div>

                    <div class="form-group">
                        <input type="password" name="password" id="password" placeholder="Password"/>
                    </div>

                    <input value="Submit" type="submit" class="btn btn-primary"/>
                </form>
            </div>
        </div>
    </body>
</html>
apurav gaur
  • 1. I like to keep my files separate, so putting the PHP in with the HTML is illogical. 2. It's too much from what I need to achieve. Sorry. –  Sep 23 '15 at 20:50
  • OK, then you can put the PHP code in another file and use the session for showing errors – apurav gaur Sep 23 '15 at 21:07
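
The separate-file approach from the last comment, combined with the prepared statements and `password_hash()`/`password_verify()` advice from the question's comments, as an added example that is not code from any poster on this page. It assumes the `user.password` column stores `password_hash()` output; `login_form.php`, the `login_error` session key and the connection values are hypothetical placeholders.

```php
<?php
// login.php: added example, not code from the question or its answers.
// Assumes user.password holds password_hash() output; login_form.php and
// the 'login_error' session key are hypothetical names.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Returns null on success, otherwise the message to show on the form. */
function check_login(mysqli $conn, $username, $password): ?string
{
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return 'Please enter username and password';
    }
    // The ? placeholder keeps user input out of the SQL text.
    $stmt = $conn->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch(); // true when a row was fetched, null when none
    $stmt->close();
    // One message for both cases, so the form does not reveal valid usernames.
    if ($found !== true || !is_string($hash) || !password_verify($password, $hash)) {
        return 'Wrong login or password';
    }
    return null;
}

try {
    $conn = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
    $error = check_login($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    $conn->close();
} catch (mysqli_sql_exception $e) {
    error_log('Login DB error: ' . $e->getMessage()); // details stay in the log
    $error = 'Login is temporarily unavailable';
}

if ($error === null) {
    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['Authenticated'] = true;
    header('Location: ../');
} else {
    $_SESSION['login_error'] = $error; // flash message for the form page
    header('Location: login_form.php');
}
exit; // nothing else runs after a redirect
```

The form page calls `session_start()`, reads `$_SESSION['login_error']` into a variable, unsets the session key, and prints the variable through `htmlspecialchars()` inside the red `<div>` above the form.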

add/replace:

$result = $conn->query($sql);
$FORM_DATA = ''; // variable which will go to the view (html)

&

//echo "Login failed";
$FORM_DATA = 'Wrong login or password';

&

//echo "User not found!";
$FORM_DATA = 'Wrong login or password';

& View (html) after:

<div align="center" class="jumbotron">
<div class="container">
<h1>User Login</h1>
</div>
</div>

add html with variable

<?php if($FORM_DATA): ?>

<div align="center" class="jumbotron">
<div class="container">
<p style="color: red"><?php echo $FORM_DATA ?></p>
</div>
</div>

<?php endif; ?>
r_a_f