0

Good Morning, I am trying to create a login page for my website but whenever I add my php script to the page nothing shows up when I go to the site. When I remove the php I can see the form when I visit the page.

Here is the code:

Any help would be greatly appreciated.

<!doctype html>
<html>
<head>
<title>Login Page</title>
</head>
<body>
<form method="post" action="">
Email<br><input type="email" name="email"><br>
Password<br><input type="password" name="pass"><br>
<input type="submit" value="login" name="login" />
</form>

<?php
$con= mysqli_connect("localhost", "user", "passwordexample"      "exampledatabase");
if(isset($_POST['login'])){
    $email= mysqli_real_escape_string($con, $_POST['email']);
    $password= mysqli_real_escape_string($con, $_POST['pass']);
    $select_user="SELECT * FROM users WHERE Email='$email' AND     Passwords='$password'";
    $run_user=mysqli_query($con, $select_user);
    $check_user= mysqli_num_rows($run_user);
    if($check_user > 0){
        header('location:form.php');
    } else{
        echo "wrong username or password";
    }
  }

?>

dannyboy
  • 1
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 23 '17 at 12:00
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 23 '17 at 12:00
  • Have you checked your error logs? You're making an assumption the query is working. Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Mar 23 '17 at 12:01

0 Answers0