-2
```php
<?php
require 'core.inc.php';
require 'connect.inc.php';
//print($current_file);
if(isset($_POST['username']) && isset($_POST['password'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $password_hash = md5($password);

    if(!empty($username) && !empty($password)){

        $query = "SELECT `id` FROM `users` WHERE `username`='$username' AND `password`='$password_hash'";

        if($query_run = mysqli_query($conn,$query)){
            $query_num_rows = mysqli_num_rows($query_run);

            if($query_num_rows == 0){
                print("Invalid username or password");
            }
            else if($query_num_rows == 1){
                print("Found!");
            }
        }
    }
    else{
        print("Enter username/password");
    }
}

?>

<!DOCTYPE html>
<html>
<head>
    <title></title>
</head>
<body>
     <form action="<?php $current_file ?>" method="POST">
        Username
        <input type="text" name="username">
        Password
        <input type="text" name="password">
        <input type="submit" value="Log in">
    </form>
</body>
</html>
```

Hello, I would like to ask this since I'm new to PHP. It seems that I can't get my expected and desired output of "FOUND IT" since I'm entering the right username and password in the fields. Also, even if I enter it correctly, it's giving me the "Invalid username and password." output. Thanks!

Christian.
  • `$current_file` is? Too many unknowns here. – Funk Forty Niner Nov 05 '15 at 14:58
  • No way of knowing if that hash was properly stored and the column long enough to hold the hash, which you shouldn't be using I might add. – Funk Forty Niner Nov 05 '15 at 14:59
  • Please don't expect a magical answer to appear. Read the comments already posted. Anyway, you've been given answers; take it up with them. I'm done here. – Funk Forty Niner Nov 05 '15 at 15:18
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Nov 05 '15 at 15:22
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 05 '15 at 15:23

2 Answers

0

Maybe your problem is that your password field in the database is not a hash. Try to send the `$password` variable in the query instead of `$password_hash`; if it works, that is the problem.

  • [It's not hard to earn enough rep to make comments.](http://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead) – Jay Blanchard Nov 05 '15 at 15:24
0

The simplest way to debug this is to print out the SQL query.

```php
$query = "SELECT `id` FROM `users` WHERE `username`='$username' AND `password`='$password_hash'";
var_dump($query);
```

You can then look at the SQL you are generating, even run it on the database yourself. Could be the user doesn't exist or the user's data is different.

Before you go too much further with what you are doing, please learn about prepared statements. You shouldn't be putting user input directly into MySQL queries.

Here is some light reading on sql injection. http://php.net/manual/en/security.database.sql-injection.php

Computer User
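
The prepared-statement and `password_hash()` advice from the comments and the answer above, shown as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database standing in for the MySQL `users` table; `verify_login()` and the sample accounts are hypothetical.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: in-memory SQLite via PDO replaces the MySQL `users` table;
// verify_login() and both sample accounts are constructed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The password column stores password_hash() output. In MySQL, make it
// VARCHAR(255) so a longer future hash format is not silently truncated.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// Registration side: store a salted, slow hash instead of md5($password).
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
foreach ([['christian', 'correct horse'], ["o'brien", 'battery staple']] as [$u, $p]) {
    $insert->execute([$u, password_hash($p, PASSWORD_DEFAULT)]);
}

function verify_login(PDO $pdo, string $username, string $password): ?int
{
    // The username is bound as a parameter, so a quote in it is data, not SQL.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The hash is never compared inside the query: password_verify() reads the
    // salt and cost from the stored string and compares in constant time.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // same result for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Constructed test inputs: valid login, wrong password,
// a username containing a quote, and an unknown user.
var_dump(verify_login($pdo, 'christian', 'correct horse'));
var_dump(verify_login($pdo, 'christian', 'wrong guess'));
var_dump(verify_login($pdo, "o'brien", 'battery staple'));
var_dump(verify_login($pdo, 'nobody', 'correct horse'));
```

Because each `password_hash()` call uses a fresh salt, the stored value cannot be matched with `WHERE password = ...`; the row is fetched by username and the check happens in PHP.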