
I've been working since yesterday to try and establish a simple login form for my MySQL database. I have a table set up as tbl_Users which contains all the necessary columns that would be required for a user. To test it out I populated the table with one row to test out my form. But no matter how many times I keep trying, I keep getting the echo message telling me it's invalid. I know it's not invalid because I copied and pasted the details from the table into the input boxes, so it must be something I'm doing wrong with the code. But when I look and compare the code with the guide that helped me, everything matches properly. I'm really stuck here!

ConnectorCode.php

The connector code file works fine, as I've tested it individually. I have it included in the main index file so that I wouldn't have to write it out on each page.

<?php

$conn = mysqli_connect("localhost", "b4014107", "Win1", "b4014107_db2")or 
die(mysqli_connect_error())

echo "Connection Successful<br>";

$db= mysqli_select_db("b4014107_db2", $conn) or die("Could not select _db2");

echo "Connection to _db1 database succsessful<br>";

?>

Index.php

As you can see I'm using the updated Mysqli commands within both my connector code and my index code. I've established a connection to the database and am calling the data from tbl_Users. Everything works format wise, the page displays the boxes and forms properly. But what fails to work is the actual login. I keep getting the fail echo I set up as else echo.

<?php
echo mysqli_error($conn)
error_reporting(E_ALL & ~E_NOTICE);
session_start();

if($_POST['submit']) {
include_once("ConnectorCode.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);

$sql = "SELECT User_id, User_Name, Password FROM tbl_Users WHERE User_Name ='$username' AND User_level ='1' LIMIT 1";
$query = mysqli_query($conn, $sql);

if ($query) {

    $row = mysqli_fetch_row($query);
    $userid = $row[0];
    $dbUsername = $row[1];
    $dbPassword = $row[2];
}


if($username == $dbUsername && $password == $dbPassword) {
    $_SESSION['User_Name'] = $username;
    $_SESSION['User_id'] =$userid;
    header('Location: user.php');
} else {
        echo "Incorrect Username or Passsword";
        }
}
?>


 <!DOCTYPE HTML>
 <html>
 <head>
 <title> Login Page </title>
 </head>
 <body>

 <h2> Login Page </h2>

 <form method ="post" action="index.php">
 <input type="text" placeholder="Username" name ="username" /> <br />
 <input type="password" placeholder="Password" name="password" /> <br />
 <input type="submit" name="submit" value ="Login" />
 </form>

 </body>
 </html>

I'm assuming maybe it's something to do with the connection to the columns in the database. I was unsure if maybe I'm labelling some fields incorrectly in some manner.

CREATE TABLE `tbl_Users` (  `User_id` int(11) NOT NULL auto_increment,  
`First_Name` varchar(32) NOT NULL,  
`Last_Name` varchar(32) NOT NULL,  
`Email` varchar(100) NOT NULL, 
 `User_Name` varchar(100) NOT NULL,  
`Password` varchar(100) NOT NULL,  
`User_level` int(11) NOT NULL,  
`Tickets_id` int(11) NOT NULL,  
PRIMARY KEY  (`User_id`),  KEY `Tickets_id` (`Tickets_id`),  
CONSTRAINT `tbl_Users_ibfk_1` FOREIGN KEY (`Tickets_id`) REFERENCES `tbl_Tickets` (`Tickets_id`)) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1
Henry Green
  • RTM => http://php.net/manual/en/mysqli.select-db.php and http://php.net/manual/en/mysqli.error.php would have told you about it. – Funk Forty Niner Mar 31 '16 at 13:55
  • My *Spidey sense* is telling me, someone's formulating something ;-) – Funk Forty Niner Mar 31 '16 at 13:58
  • How would I output the error relay message? It doesn't seem to be showing up with all the other echo messages. – Henry Green Mar 31 '16 at 13:59
  • All procedural `mysqli_` functions that require a connection parameter (which are most, aside from those getting a MySQLi result) *always* have it as the first parameter (as opposed to the old `mysql_`, which had it as the last). If you read the documentation as suggested above, it would've become clear. `echo mysqli_error($conn);` helps, too. – Qirel Mar 31 '16 at 14:00
  • just switch these around `("b4014107_db2", $conn)` @JackRogers again, as per the manual http://php.net/manual/en/mysqli.select-db.php – Funk Forty Niner Mar 31 '16 at 14:01
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Mar 31 '16 at 14:02
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Mar 31 '16 at 14:02
  • I assumed the strip tags would prevent the injection attacks. What else do I need to apply? – Henry Green Mar 31 '16 at 14:03
  • @Jack You can also specify the database when creating the connection (in `mysqli_`): `mysqli_connect("localhost", "b4014107", "Win1", "b4014107_db2")` -- and read [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for that – Qirel Mar 31 '16 at 14:04
  • So something like this? `$conn = mysqli_connect("localhost", "b4014107", "Windows1", "b4014107_db2" )or die("Apologies. The MySQL sever is unavailable at this current time.");` @Qirel – Henry Green Mar 31 '16 at 14:07
  • Yes, the 4th parameter in `mysqli_connect` specifies the database. http://php.net/manual/en/function.mysqli-connect.php – Qirel Mar 31 '16 at 14:09
  • I've done that and I am still getting the same issue, it won't detect that the login is part of the table and keeps telling me it's incorrect @Qirel – Henry Green Mar 31 '16 at 14:10
  • `$conn = mysqli_connect("localhost", "b4014107", "Win1", "b4014107_db2") or die (mysqli_connect_error());` -- let PHP tell you what's wrong, instead of displaying "something is wrong". (note that `mysqli_connect_error()` and `mysqli_error()` are two different functions). – Qirel Mar 31 '16 at 14:12
  • I've applied the mysqli_connect_error into the $conn variable, but now whenever I enter a wrong or right username, I'm just getting a blank screen. @Qirel – Henry Green Mar 31 '16 at 14:15
  • Update the question with the code you're currently using; it might've happened that we misunderstood each other. And if you get a blank screen, check your logs for clues. – Qirel Mar 31 '16 at 14:16
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/107866/discussion-between-jack-rogers-and-qirel). – Henry Green Mar 31 '16 at 14:19
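
The comments above point to prepared statements and PHP's built-in password functions. The sketch below is an added example, not code from the question or from any commenter; the function name `check_login` is hypothetical, and it assumes the `tbl_Users` schema shown above with the `Password` column holding `password_hash()` output rather than plain text.

```php
<?php
// Added example, not the asker's code. Assumes tbl_Users as defined in the
// question and that Password stores password_hash() output (an assumption).

/** Returns the matching User_id, or null when the login must be rejected. */
function check_login(mysqli $conn, string $username, string $password): ?int
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $sql = "SELECT User_id, Password FROM tbl_Users
            WHERE User_Name = ? AND User_level = 1 LIMIT 1";
    $stmt = mysqli_prepare($conn, $sql);   // connection is the first argument
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($conn)); // log, do not echo
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return null;
    }
    mysqli_stmt_bind_result($stmt, $userId, $hash);
    $found = mysqli_stmt_fetch($stmt);     // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);

    // password_verify() checks the submitted password against the stored hash.
    if ($found === true && password_verify($password, $hash)) {
        return (int) $userId;
    }
    return null;
}

// Offline demonstration on constructed input: strip_tags() removes markup but
// leaves the apostrophe, so the value would still break out of a quoted
// string if it were concatenated into SQL.
$input = "<b>o'brien</b>";
var_dump(strip_tags($input));

// Hash once when the account is created, verify at login
// (constructed sample password).
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $stored));
var_dump(password_verify('wrong guess', $stored));
```

When `check_login()` returns an id, call `session_regenerate_id(true)` before filling `$_SESSION`, and `exit` right after the `header('Location: ...')` redirect so the rest of the script does not run.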

0 Answers