0

I have two files connect.php and login.php. The login script returns a user_id or password error, but I know they are correct.

The DB connection seems to be working OK and I cannot see any specific fault in the PHP code in login.php.

Can anyone spot the error or point me in the right direction?

```php
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <title>Login</title>

    <!-- Bootstrap -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
  </head>
  <body>

<div class="container">

      <form class="form-signin">
        <h2 class="form-signin-heading">Please sign in</h2>
        <label for="user_id" class="sr-only">Email address</label>
        <input type="email" id="user_id" class="form-control" placeholder="Email address" required autofocus>
        <label for="inputPassword" class="sr-only">Password</label>
        <input type="password" id="password" class="form-control" placeholder="Password" required>
        <div class="checkbox">
        </div>
        <button class="btn btn-lg btn-primary btn-block" type="submit">Log-in</button>
      </form>

    </div> <!-- /container -->

<?php     //start php tag
//include connect.php page for database connection
Include('connect.php');

//if submit is not blanked i.e. it is clicked.
if (isset($_REQUEST['Submit'])) //here give the name of your button on which you would like    //to perform action.
{
// here check the submitted text box for null value by giving there name.
  if($_REQUEST['user_id']=="" || $_REQUEST['password']=="")
  {
  echo " Field must be filled";
  }
  else
  {
     $sql1= "select * from users where email= '".$_REQUEST['user_id']."' &&  password ='".$_REQUEST['password']."'";
    $result=mysql_query($sql1)
      or exit("Sql Error".mysql_error());
      $num_rows=mysql_num_rows($result);
     if($num_rows>0)
     {
// redirect
header("Location:ncr.php");
        }
      else
    {
      echo "username or password incorrect";
    }
  }
}
?>
    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <!-- Include all compiled plugins (below), or include individual files as needed -->
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>
```

This is the DB connection, but it looks fine.

```php
<?php
$hostname="localhost";
$username="xxx";
$password="xxxx";
$database="xxx";
$con=mysql_connect($hostname,$username,$password);
if(! $con)
{
die('Connection Failed'.mysql_error());
}
mysql_select_db($database,$con);
?>
```
  • 3
    Why are you using the deprecated library `mysql_`? Try PDO/MySqli instead – Ed Heal May 05 '16 at 19:09
  • 1
    I don't see a `name` attribute in any of the fields - This is what connects the value from the field in the form to `$_REQUEST`, `$_POST`, `$_GET` – Alon Eitan May 05 '16 at 19:09
  • &&? write the word And... – Proxytype May 05 '16 at 19:11
  • You are open to SQL injections with this code. Output your query and see what you are actually querying, is it expected? Does the query work on db? – chris85 May 05 '16 at 19:21
  • 1
    Soooo many things wrong with this code.... You are missing form names, and your query is constructed incorrectly and you are using a deprecated library... – yardie May 05 '16 at 19:22
  • 1
    @andre3wap don't forget how insecure this code is – Alon Eitan May 05 '16 at 19:23
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 05 '16 at 19:49

1 Answer

1

In your HTML form you must put the name on each input so that the PHP can take the values:

```html
<input type="email" name="user_id" id="user_id" class="form-control" placeholder="Email address" required autofocus>

<input type="password" name="password" id="password" class="form-control" placeholder="Password" required>
```

I hope it helps you...
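
An added example (not code from the question or the answer) of the same login check written the way the comments suggest: PDO with a bound parameter instead of string concatenation, and `password_hash()` / `password_verify()` instead of comparing plain-text passwords. It assumes an in-memory SQLite database through PDO so that it runs without a server; the table layout, `open_demo_db()`, `check_login()` and the sample account are constructed for illustration.

```php
<?php
// Added example: login check with a prepared statement and password_verify().
// Assumptions: PDO with in-memory SQLite stands in for the MySQL server;
// the users table layout and the sample account are constructed.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    // Store only the hash, never the plain-text password.
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $email, string $password): bool
{
    // The e-mail travels as a bound parameter, so a quote character in it
    // is treated as data and cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();          // false when no such account
    return $hash !== false && password_verify($password, $hash);
}

$pdo = open_demo_db();

// Simulated form posts (constructed). The keys match the name="" attributes
// that the answer adds to the two inputs.
$posts = [
    ['user_id' => 'alice@example.com',   'password' => 'correct horse'],
    ['user_id' => 'alice@example.com',   'password' => 'wrong'],
    ['user_id' => "o'brien@example.com", 'password' => 'anything'], // quote in input
    ['user_id' => 'alice@example.com'],                             // field missing
];

foreach ($posts as $post) {
    $email = $post['user_id'] ?? '';
    $pass  = $post['password'] ?? '';
    $ok = $email !== '' && $pass !== '' && check_login($pdo, $email, $pass);
    printf("%-22s => %s\n", $email, $ok ? 'login ok' : 'username or password incorrect');
}
```

Only the first simulated post logs in. The address containing a quote is looked up as an ordinary string and simply finds no account, where the concatenated query in the question would have produced an SQL error.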