0

My PHP authentication page isn't retrieving the data correctly from the DB, when correct credentials are entered the incorrect echo keeps appearing. Please can someone shed some light on where I'm going wrong? Many thanks.

EDIT: Sorry I forgot to mention that it's supposed to be vulnerable to injection as I wish to use it for a demonstration.

HTML:

<form method="POST" action="connection.php">
User <br><input type="text" name = "user" size="40"><br>
Password <br><input type ="password" name="pass" size="40"><br>
<input id="button" type="submit" name="submit" value="Log-In">

PHP:

<?php

// Grab User submitted information
$user = $_POST["user"];
$pass = $_POST["pass"];

// Connect to the database
$con = mysqli_connect("localhost","my_user","my_pass");
// Make sure we connected successfully
if(! $con)
{
    die('Connection Failed'.mysqli_error());
}

// Select the database to use
mysqli_select_db(login, $con);

$result = mysqli_query("SELECT usernames, password FROM accounts WHERE usernames = $user");

$row = mysqli_fetch_array($result);


if($row[usernames]==$user && $row[password]==$pass)
    echo"You are a validated user.";
else
    echo"Sorry, your credentials are not valid, Please try again.";

?>

DB Details:

database name: login

table name: accounts

rows: usernames
password

Chance212
  • 31
  • 6
  • Learn about prepared Statements to prevent SQL injection – Jens Jun 01 '17 at 14:32
  • Can you do `var_dump($result)` after the query? – Halcyon Jun 01 '17 at 14:33
  • **never** store Passwords as plain text – Jens Jun 01 '17 at 14:33
  • 1
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 01 '17 at 14:34
  • @Chance212 You are using `mysqli_select_db()` wrong, the connection should be the first parameter and the second parameter should be the db name. – Tom Udding Jun 01 '17 at 14:40
  • I remember closing an exact post of this earlier. – Funk Forty Niner Jun 01 '17 at 14:42
  • 1
    *"EDIT: Sorry I forgot to mention that it's supposed to be vulnerable to injection as I wish to use it for a demonstration."* - Oh, it's supposed to be vulnerable, well it's not going to work right now because your syntax is incorrect and has too many errors. You probably were using `mysql_` and thought you'd just add an `i`; well it doesn't work that way with `mysqli_`. You need to read the manual on this http://php.net/manual/en/book.mysqli.php since it's totally different than the `mysql_` api. – Funk Forty Niner Jun 01 '17 at 14:51
  • Thank you everyone. – Chance212 Jun 01 '17 at 14:55
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Jun 01 '17 at 14:59

1 Answers1

1

You need to add the database to your connection string:

$con = mysqli_connect("localhost","my_user","my_pass", "my_db");

You do not need mysqli_select_db(). (Which you used incorrectly anyhow.)

From the docs:

This function should only be used to change the default database for the connection. You can select the default database with 4th parameter in mysqli_connect().

You need to quote strings when you query (see warnings below):

"... WHERE usernames = '$user'" // added quotes around $user

You need to add quotes to your identifiers:

if($row[usernames]==$user && $row[password]==$pass) // wrong way

With quotes

if($row['usernames']==$user && $row['password']==$pass) // right way

If you do not have quotes around these PHP will assume them to be constants and might not render them properly depending on your server's setup.

WARNING!

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

Never store plain text passwords! Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
  • Adding the db name to mysqli_connect() is not necessary since OP uses `mysqli_select_db()` to select the database, but OP has the parameters in the wrong order. – Tom Udding Jun 01 '17 at 14:42
  • That is not correct @TomUdding, please read the docs for `mysqli_select_db()` which I have quoted here. – Jay Blanchard Jun 01 '17 at 14:43
  • I see, I thought it meant that you can use it to select a db in the first place not necessarily to change the one specified in _connect, but OP has still reversed the parameters (if ever needed it won't work). – Tom Udding Jun 01 '17 at 14:47
  • 1
    True dat @TomUdding – Jay Blanchard Jun 01 '17 at 14:47