-1

I am trying to have a website with a login page, but every time I enter the email and password I get "wrong credentials". The following is my code, first my HTML code:

<form class="form-login" action = "check.php">
                    <div class="errorHandler alert alert-danger no-display">
                        <i class="fa fa-remove-sign"></i> You have some form errors. Please check below.
                    </div>
                    <fieldset>
                        <div class="form-group">
                            <span class="input-icon">
                                <input type="text" class="form-control" name="user" placeholder="Username">
                                <i class="fa fa-user"></i> </span>
                        </div>
                        <div class="form-group form-actions">
                            <span class="input-icon">
                                <input type="password" class="form-control password" name="pass" placeholder="Password">
                                <i class="fa fa-lock"></i>
                                <a class="forgot" href="#">
                                    I forgot my password
                                </a> </span>
                        </div>
                        <div class="form-actions">
                            <label for="remember" class="checkbox-inline">
                                <input type="checkbox" class="grey remember" id="remember" name="remember">
                                Keep me signed in
                            </label>
                            <button  type="submit" class="btn btn-green pull-right"  name="btn-login"> Login <i class="fa fa-arrow-circle-right"></i></button>
                        </div>
                    </fieldset>
</form>

Then my check.php code:

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form 
$myusername=$_POST['user']; 
$mypassword=$_POST['pass']; 
echo "$myusername";
$sql="SELECT * FROM $tbl_name WHERE email='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect to file 
    session_register("myusername");
    session_register("mypassword"); 
    header("location:.index2.html");
}
else {
    echo "Wrong credentials!";
}

and here is my first row of table: admins table

and I exactly enter Korivand.neshat@gmail.com as a username and 123456789 as a password in the related fields.

user3696174
  • 123
  • 9
  • 1
    You never define $tbl_name. You also never check for errors. – John Conde Jan 12 '16 at 13:47
  • 1
    do you have more than one entry with the same credentials? – dev0 Jan 12 '16 at 13:48
  • I added the table name: $tbl_name="admins"; // Table name @JohnConde – user3696174 Jan 12 '16 at 13:49
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 12 '16 at 13:51
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 12 '16 at 13:51
  • Say no to plain text passwords! Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 12 '16 at 13:51
  • @JayBlanchard I will secure my code; for now, can you just help me solve this problem? – user3696174 Jan 12 '16 at 14:02
  • Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Jan 12 '16 at 14:06
  • What does `mysql_error` tell you? – dev0 Jan 12 '16 at 14:08
  • 1
    You shouldn't be solving this code as there are just too many issues. You should rewrite using all of information provided and then solve any errors you run into *there*. – Jay Blanchard Jan 12 '16 at 14:10
  • @JayBlanchard I am doing exactly what you are saying if you give me a minute! It is my first time programming PHP, I am learning! – user3696174 Jan 12 '16 at 14:14
  • 1
    and you really should be using functions of "this century". If this is intended to be a live site, I strongly suggest you stop what you're doing and start using `mysqli_` or PDO with a prepared statement as well as a safe password hashing function such as `password_hash()`. – Funk Forty Niner Jan 12 '16 at 14:16

1 Answer

2

and I exactly enter Korivand.neshat@gmail.com as a username

Since the record in the table is "korivand.neshat@gmail.com", if your database is using case-sensitive comparisons then you've entered an incorrect username.

It's also possible that there exists more than 1 record with that username, in which case your comparison would fail:

if($count==1)

Also, a couple of very important notes:

  1. Your code is wide open to SQL injection. Use prepared statements and query parameters instead of executing user input as code. Start by reading this.
  2. You are storing user passwords as plain text. This is grossly irresponsible to your users. Passwords should be obscured by a 1-way hash and should never be retrievable by anybody. Not even by you as the system owner.

Edit: As pointed out by @Fred in a comment below, your form is using the GET method:

<form class="form-login" action = "check.php">

But you're checking for POST values:

$myusername=$_POST['user'];

Either change one or the other.

David
  • 208,112
  • 36
  • 198
  • 279
  • I entered everything in lower case and changed the if statement to if($count) but still the same result. About your notes, I will secure it. Thanks – user3696174 Jan 12 '16 at 14:01
  • 1
    ` – Funk Forty Niner Jan 12 '16 at 14:04
  • @user3696174: Do you define any of the other variables you're using? Such as `$tbl_name`? What is the actual query being executed when this runs? – David Jan 12 '16 at 14:04
  • 1
    and OP is using the deprecated `session_register()` function. Could be a lot of things at play and the OP really needs to check for errors ;-) – Funk Forty Niner Jan 12 '16 at 14:05
  • @Fred-ii- I didn't catch what you said, can you explain more? – user3696174 Jan 12 '16 at 14:10
  • @user3696174 [Read my comment to you earlier...](http://stackoverflow.com/questions/34745373/website-username-and-password-is-not-working#comment57237057_34745373) – Funk Forty Niner Jan 12 '16 at 14:14
  • Notice: Undefined index: user in /home/hevak/public_html/cp/check.php on line 14 Notice: Undefined index: pass in /home/hevak/public_html/cp/check.php on line 15 Wrong credentials! – user3696174 Jan 12 '16 at 14:16
  • @Fred-ii- It is what I am getting, please check the above comment – user3696174 Jan 12 '16 at 14:16
  • 1
    @user3696174 Look ` – Funk Forty Niner Jan 12 '16 at 14:19
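
A version of the credential check that follows the points raised in the answer and comments (input read from POST, a PDO prepared statement, `password_hash()`/`password_verify()` instead of plain-text passwords), as an added example that is not code from the question or the answer. The `check_login` function, the `password_hash` column name, the sample account and the in-memory SQLite database standing in for MySQL are assumptions made so that it runs offline.

```php
<?php
declare(strict_types=1);

// Added example. Returns true only when the posted credentials match a stored hash.
function check_login(PDO $pdo, array $post): bool
{
    // The form must be submitted with method="post"; otherwise these keys are absent.
    if (!isset($post['user'], $post['pass']) || !is_string($post['user']) || !is_string($post['pass'])) {
        return false;
    }
    // Normalise case so "Admin@..." and "admin@..." refer to the same account.
    $email = strtolower(trim($post['user']));

    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password_hash FROM admins WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn(); // false when no row matches

    // password_verify() compares against a one-way hash; no plain text is stored.
    return is_string($hash) && password_verify($post['pass'], $hash);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admins (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO admins (email, password_hash) VALUES (?, ?)');
$ins->execute(['admin@example.com', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Constructed inputs, shaped like $_POST from the login form.
$cases = [
    'mixed-case email, right password' => ['user' => 'Admin@Example.com', 'pass' => 'correct horse battery'],
    'right email, wrong password'      => ['user' => 'admin@example.com', 'pass' => '123456789'],
    'quote in input is plain data'     => ['user' => "o'brien@example.com", 'pass' => 'x'],
    'form sent as GET, $_POST empty'   => [],
];
foreach ($cases as $label => $post) {
    printf("%-34s %s\n", $label, check_login($pdo, $post) ? 'login ok' : 'Wrong credentials!');
}
```

In a real `check.php` the function would be called with `$_POST`, and on success the user would be stored via `session_start()` and `$_SESSION` rather than the removed `session_register()`.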