-1

I have no idea why this is allowing free entry for any password and username combination, I've tried all I possibly could but to no avail. The slightest help would be appreciated. The php here should output directly into the form below it.

<?php
    if (isset($_POST['name'])) {

        $username = $_POST['name'];
        $apassword = $_POST['password'];

        $host = "127.0.0.1";
        $user = "root";
        $password = "";
        $database = "test_site";
        $table = "admin";

        $link = mysqli_connect($host, $user, $password, $database);

        if (!$link) {
            echo "Error: Unable to connect to MySQL.";
            exit;
        }

        $query = "SELECT first_name, last_name, password FROM $table WHERE username='$username' AND password='$apassword'";
        $result = mysqli_query($link, $query);
        if (mysqli_num_rows($result)==1) {
            $row = mysqli_fetch_assoc($result);
            $first_name = $row['first_name'];
            $last_name = $row['last_name'];
        }
        mysqli_close($link);

        echo "Hello, " . $_POST['name'] . ".";
    } else {
         $error = "Your Login Name or Password is invalid";
?>


<form name="login" method="POST" action="index.php">
    <table align="center">
        <tr>
            <td><font size="2">Username:</font></td>
            <td><input size="11" type="username" name="name" placeholder="Username" required></td>
        </tr>
        <tr>
            <td><font size="2">Password:</font></td>
            <td><input size="11" type="password" name="password" placeholder="Password" required></td>
        </tr>
        <tr>
            <td><input type="submit" value="Login"></td>
        </tr>
    </table>
</form>

<?php
    }
?>
rSasazaki
  • 9
  • I'm not sure what you mean with "Free entry" you're not really doing anything, If the user has entered a name then he is shown "Hello ..." part, could you elaborate a little? – Epodax Feb 25 '16 at 11:26

2 Answers2

1

You are missing the check it self. You just query and after that show the Hello message, so this would be a very simple approach to guide you: 

if(!$result){
  echo "Incorrect username or password";
}
else{
  echo "Hello, " . $_POST['name'] . ".";
}

The variable $result, as long as there is no result will return false, so basically it will print 'Hello' if it finds those credentials you passed in the query and 'Incorrect username or password' if it doesn't.

I also recommend you to check this out: How can I prevent SQL-injection in PHP? and The MySQLi Extension Function Summary as well for more complex handlings.

I hope this helped you :)

Community
  • 1
  • 1
Asur
  • 379
  • 3
  • 20
1

If you are seeing the success message for all invalid password, it must be the problem with the logic you have written. Please see below code :

    if (mysqli_num_rows($result)==1){
    //assume only one record found matching the username password pair
    $row = mysqli_fetch_assoc($result);
    $first_name = $row['first_name'];
    $last_name = $row['last_name'];
    echo "Hello, " . $_POST['name'] . ".";
}else{
    $error = "Your Login Name or Password is invalid";
}
mysqli_close($link);
Kiran Krishnan
  • 81
  • 4