```php
<?php
$host = "localhost";
$dbuser = "root";
$pass = "";
$dbname = "project";
$conn = mysqli_connect($host, $dbuser, $pass, $dbname);
if (mysqli_connect_errno())
{
    die("Connection Failed! :" . mysqli_connect_error());
}

if (isset($_POST['submit'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];
    // Check whether the user exists in the database
    $query = "SELECT * FROM login WHERE username='$username' and password='$password'";
    $result = mysqli_query($conn, $query) or die(mysqli_error($conn));
    $rows = mysqli_num_rows($result);
    if ($rows > 0) {
        $_SESSION['username'] = $username;

        header("Location: nlogin.php"); // Redirect user to nlogin.php
    } else {
        ?>
        <h1 style="color:white">Username/password is incorrect.</h1>
        <?php
    }
}
?>
```

Here I have to make it connect to the login page and match the password in the database, but it always goes to the else block ("Incorrect Password").

  • Are your stored passwords hashed? Are you aware of what sql injection is? – castis May 11 '17 at 13:37
  • `var_dump($rows)` to see what is inside it before the conditions. Maybe you don't have any user with that username and password, or your password is hashed; that's why your SQL query fails to get any result from the db – A l w a y s S u n n y May 11 '17 at 14:28
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 11 '17 at 14:33
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 11 '17 at 14:33
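
The approach the comments point to (a MySQLi prepared statement plus `password_hash()` / `password_verify()`), written out as an added example that is not the asker's code. It assumes the `login.password` column stores `password_hash()` output; `register_user()` and `check_login()` are hypothetical helper names.

```php
<?php
// Added example. Connection values and table/column names are taken from the
// question; assumes login.password holds password_hash() output (VARCHAR(255)).
session_start();

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not die()
$conn = new mysqli('localhost', 'root', '', 'project');
$conn->set_charset('utf8mb4');

/** Hypothetical helper: store a new user with a hashed password. */
function register_user(mysqli $conn, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

/** Hypothetical helper: true only if the user exists and the password matches. */
function check_login(mysqli $conn, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $conn->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch(); // true when a row was fetched, null when none
    $stmt->close();

    // A salted hash never equals the typed password inside a WHERE clause,
    // so the comparison has to happen here with password_verify().
    return $found === true && password_verify($password, $hash);
}

if (isset($_POST['submit'])) {
    // Accept only scalar strings; array-valued fields become empty strings.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login($conn, $username, $password)) {
        session_regenerate_id(true); // fresh session ID after login
        $_SESSION['username'] = $username;
        header('Location: nlogin.php');
        exit;
    }
    echo '<h1 style="color:white">Username/password is incorrect.</h1>';
}
```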
