I'm using XAMPP for MySQL and the Apache web server. The database seems to be connected, but when I try to log in after creating an entry for username and password in the db, it says failed login.

<form action ="process.php" method ="POST">
   <p><label>Username:</label>
      <input type="text" id="user" name="username"/>           
   </p>
   <p><label>PassWord</label>
      <input type="password" id="pass" name="password"/>           
   </p>
   <p>
      <input type="submit" id="btn" value="Login"/>
   </p>
</form>

This is my process.php

<body>
  <?php
    $username =$_POST['username'];
   $password =$_POST['password'];
   $connectionString  = mysqli_connect('localhost', 'root','', 'a7');
   $result=mysqli_query($connectionString, "select * from table1 where 
   username = '$username' and password ='$password'") or die("failed to
   find db ".mysql_error());

   if($row['username']==$username && $row['password']==$password){
      echo "success welcome ".$row['username'];
   }

   else{
      echo "failed login";
   }
 ?>

It always comes up:

Notice: Undefined variable: row in C:\xampp\htdocs\assignment7b\process.php on line 30 failed login

Line 30 : if($row['username']==$username && $row['password']==$password)

Jay Blanchard
FlyR
  • You're trying to access an array called `$row` that you have not specifically created. Normally one would loop through each `$result` as `$row` to access the data returned. Also, you're using `mysql_error` when you're mostly using the `mysqli` library; you can't mix and match these libraries. – cteski Apr 24 '17 at 18:51
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 24 '17 at 18:55
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 24 '17 at 18:55
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 24 '17 at 18:55

1 Answer

You are using the $row variable which is not previously declared. Your mysql query results reside in the $result variable. You need to fetch those results into a $row variable first, then iterate over them and check for your username and password as follows:

while($row = mysqli_fetch_assoc($result)) {

  if($row['username'] == $username && $row['password'] == $password){
    echo "success welcome ".$row['username'];
  }else{
    echo "failed login";
  }
}

Basically, this is just your original code wrapped inside the WHILE loop. If you just copy the while loop around that bit of code, everything should work.

coderodour
  • Thanks. Wow I didn't the solution was that simple. I tried to fix it for the past 3 hours! – FlyR Apr 24 '17 at 18:56
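
The comments on the question recommend prepared statements and `password_hash()`. As an added example (not code from the question, the answer or the commenters), here is one way process.php could apply both with mysqli, which also reports a failed login when no row matches. It assumes the `password` column of `table1` stores `password_hash()` output written at registration, and the function name `check_login` is hypothetical.

```php
<?php
// Added example: process.php using a prepared statement and password_verify().
// Assumption: table1.password holds password_hash() output (e.g. VARCHAR(255)),
// not the plain-text password.

// Make mysqli throw exceptions instead of relying on "or die(...)".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Returns the stored username on success, null on any failure. */
function check_login(mysqli $db, string $username, string $password): ?string
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT username, password FROM table1 WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch() === true;   // fetch() returns null when no row matched
    $stmt->close();

    if (!$found) {
        return null;                    // unknown user: same outcome as a wrong password
    }
    // password_verify() re-hashes the input with the salt stored in $dbHash.
    return password_verify($password, $dbHash) ? $dbUser : null;
}

// Missing or non-string fields (e.g. username[]=x) count as a failed login.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

try {
    $db = new mysqli('localhost', 'root', '', 'a7'); // connection values from the question
    $db->set_charset('utf8mb4');
    $user = (is_string($username) && is_string($password))
        ? check_login($db, $username, $password)
        : null;
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());        // details go to the server log, not the response
    $user = null;
}

if ($user !== null) {
    // Escape on output: the username originated from user-supplied data.
    echo 'success welcome ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
} else {
    echo 'failed login';
}
```

Rows created with a plain-text password will not verify against this code; they need to be re-created with `password_hash($password, PASSWORD_DEFAULT)` at registration time.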