
I am making a login and sign up page but I can't seem to make the HTML part show up. I think it is something wrong with the PHP code. I am hosting it on a website that has access to PHPMyAdmin and MySQL. I have looked up my problem and can't find any answers. I have checked the syntax but it is still not working. Can somebody please tell me what's wrong?

```php
<?php
session_start();

if(isset($_SESSION['sig']))
{
   #User is already logged in
   echo("<script>window.location='home.php'</script>");
}

if(isset($_REQUEST['submit'])
{
   #Perform login action
   $username=$_REQUEST['UserUsername'];
   $password=$_REQUEST['UserPassword'];

   include ('db_login.php');
   $query=mysql_query("SELECT * FROM Users WHERE UserUsername='".$username."' AND UserPassword='".$password."'");
   $row=mysql_fetch_arr($query);
   if(empty($row))
   {
      #False Info / User doesn't exist
      echo('<script>alert("False login credentials!");</script'));
   }
   else
   {
      #User exists and login is successful
      $_SESSION['sig']="OK";
   }

}

?>
```
Nisse Engström
  • 2
    FYI, [you shouldn't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you. – John Conde Jul 16 '17 at 18:08
  • 1. You never print anything to screen when login is successful, which "HTML" part doesn't print, and when? 2. You need to stop using MySQL_ commands, they are outdated and incredibly insecure. – JeffUK Jul 16 '17 at 18:08
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Jul 16 '17 at 18:08
  • You're using mysql_query instead of mysqli or PDO. – Difster Jul 16 '17 at 18:08
  • 1
    You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. – John Conde Jul 16 '17 at 18:08
  • You call a function that doesn't exist and have error reporting turned off so PHP cannot tell you about it. But, even if this code worked, you have no output to see anyway. – John Conde Jul 16 '17 at 18:10
  • 1
    **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.4/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman Jul 16 '17 at 19:06
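
The comments above recommend prepared statements and hashed passwords. As an added example (not code from the question or from any commenter), this is the credential check written with PDO placeholders and `password_hash()`/`password_verify()`. The in-memory SQLite database, the `UserPasswordHash` column, the `check_login()` helper and the sample account are assumptions made so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example: in-memory SQLite stands in for the MySQL database so this runs offline.
// The UserPasswordHash column is an assumption; the question's table stores UserPassword as plain text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // SQL errors throw instead of failing silently
$db->exec('CREATE TABLE Users (UserUsername TEXT PRIMARY KEY, UserPasswordHash TEXT NOT NULL)');

// Constructed sample account; only a password_hash() digest is stored.
$insert = $db->prepare('INSERT INTO Users (UserUsername, UserPasswordHash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Hash checked for unknown users so both code paths do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/** Hypothetical helper: true only if the user exists and the password matches the stored hash. */
function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps $username out of the SQL text, so quotes in it are data, not syntax.
    $stmt = $db->prepare('SELECT UserPasswordHash FROM Users WHERE UserUsername = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, DUMMY_HASH); // unknown user: still spend the verification time
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed login attempts: valid credentials, a wrong password, and input containing quotes.
$attempts = [
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ["' OR '1'='1", "' OR '1'='1"],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-16s => %s\n", json_encode($user), check_login($db, $user, $pass) ? 'login ok' : 'rejected');
}

// In the login page itself, on success call session_regenerate_id(true) before
// setting $_SESSION['sig'], then redirect with header('Location: home.php'); exit;
```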

0 Answers