0

I have a login form through which a user can login to the website. I am checking whether the username and password match or not. If it matches, the user will be redirected to the Website, but if it doesn't match, an error message will be shown on the upper part of a form.

For this, I am storing the error message in a variable and then printing it to the upper part of the form. But it is not getting the value of the variable. Codes are as follows:

<?php
$link = mysqli_connect("localhost", "root", "", "youtube_project");
 ?>
<!DOCTYPE html>
<html >
  <head>
    <meta charset="UTF-8">
    <title>Login Form</title>
        <link rel="stylesheet" href="css/style.css">
  </head>
  <body>
    <div class="login">
  <div class="login-triangle"></div>

  <h2 class="login-header">Log in</h2>
  <form class="login-container" name="form1" action="" method="post">
    <p style="color:red;"><?php if(isset($msg)){ echo $msg; } //Printing error msg, but couldn't get it ?></p>
    <p><input type="text" placeholder="Username" name="username" required></p>
    <p><input type="password" placeholder="Password" name="pwd" required></p>
    <p><input type="submit" name="submit1" value="Log in"></p>
  </form>
</div>
    <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<?php
if(isset($_POST['submit1'])){
  $username = mysqli_real_escape_string($link, $_POST['username']);
  $pwd = mysqli_real_escape_string($link, $_POST['pwd']);
  $sql = mysqli_query($link, "SELECT * FROM admin_login WHERE username='$username' && password='$pwd'");
  if(mysqli_num_rows($sql) >= 1){
    ?>
    <script type="text/javascript">
      window.location="demo.php";
    </script>
<?php
  } else {
    $msg = "Invalid Username/Password combination"; //Storing error msg
  }
}
 ?>
  </body>
</html>
Zack Zilic
  • 832
  • 3
  • 12
  • 28
Umar
  • 990
  • 1
  • 8
  • 19
  • 3
    try moving your php to the top of the page. Order of execution is saying, echo $msg then do the query – Matt Aug 10 '17 at 11:23
  • 2
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 10 '17 at 11:24
  • Yes, it does work! It concludes that the flow of code matters!!. – Umar Aug 10 '17 at 11:25
  • 2
    Also look at `header('Location: demo.php'); exit;` instead of using javascript to redirect to another page – RiggsFolly Aug 10 '17 at 11:26
  • Thank you so much Matt, RiggsFolly, That is so informative. – Umar Aug 10 '17 at 11:30

3 Answers3

3

You need to move your PHP code at the top so that the variable $msg gets set or unset.

Below is the formatted updated code:

<?php
$link = mysqli_connect("localhost", "root", "", "youtube_project");
if(isset($_POST['submit1'])){
    $username = mysqli_real_escape_string($link, $_POST['username']);
    $pwd = mysqli_real_escape_string($link, $_POST['pwd']);
    $sql = mysqli_query($link, "SELECT * FROM admin_login WHERE username='$username' AND password='$pwd'");
    if(mysqli_num_rows($sql) >= 1){
?>
<script type="text/javascript">
    window.location="demo.php";
</script>
<?php
    } else {
        $msg = "Invalid Username/Password combination"; //Storing error msg
    }
}
?>
<!DOCTYPE html>
<html >
    <head>
        <meta charset="UTF-8">
        <title>
            Login Form
        </title>
        <link rel="stylesheet" href="css/style.css">
    </head>
    <body>
        <div class="login">
            <div class="login-triangle">
            </div>
            <h2 class="login-header">
                Log in
            </h2>
            <form class="login-container" name="form1" action="" method="post">
                <p style="color:red;">
                    <?php if(isset($msg)){ echo $msg; } //Printing error msg, but couldn't get it ?></p>
                <p>
                    <input type="text" placeholder="Username" name="username" required>
                </p>
                <p>
                    <input type="password" placeholder="Password" name="pwd" required>
                </p>
                <p>
                    <input type="submit" name="submit1" value="Log in">
                </p>
            </form>
        </div>
        <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
    </body>
</html>

I would recommend you never store plain text passwords! Please use PHP's built-in functions to handle password security.

You are wide open to SQL Injections too and should really use Prepared Statements.

Milan Chheda
  • 8,159
  • 3
  • 20
  • 35
1

You have to initialized the php variable first before display it.so you have to write the php part on the top.

<?php
    $link = mysqli_connect("localhost", "root", "", "youtube_project");
     ?>

    <?php
    if(isset($_POST['submit1'])){
      $username = mysqli_real_escape_string($link, $_POST['username']);
      $pwd = mysqli_real_escape_string($link, $_POST['pwd']);
      $sql = mysqli_query($link, "SELECT * FROM admin_login WHERE username='$username' && password='$pwd'");
      if(mysqli_num_rows($sql) >= 1){
        ?>
        <script type="text/javascript">
          window.location="demo.php";
        </script>
    <?php
      } else {
        $msg = "Invalid Username/Password combination"; //Storing error msg
      }
    }
     ?>
    <!DOCTYPE html>
    <html >
      <head>
        <meta charset="UTF-8">
        <title>Login Form</title>
            <link rel="stylesheet" href="css/style.css">
      </head>
      <body>
        <div class="login">
      <div class="login-triangle"></div>

      <h2 class="login-header">Log in</h2>
      <form class="login-container" name="form1" action="" method="post">
        <p style="color:red;"><?php if(isset($msg)){ echo $msg; } //Printing error msg, but couldn't get it ?></p>
        <p><input type="text" placeholder="Username" name="username" required></p>
        <p><input type="password" placeholder="Password" name="pwd" required></p>
        <p><input type="submit" name="submit1" value="Log in"></p>
      </form>
    </div>
        <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>

      </body>
    </html>
Ajay Krishna Dutta
  • 722
  • 2
  • 7
  • 21
1

I hope it can help

<?php
$link = mysqli_connect("localhost", "root", "", "youtube_project");

if(isset($_POST['submit1'])){
  $username = mysqli_real_escape_string($link, $_POST['username']);
  $pwd = mysqli_real_escape_string($link, $_POST['pwd']);
  $sql = mysqli_query($link, "SELECT * FROM admin_login WHERE username='$username' && password='$pwd'");
  if(mysqli_num_rows($sql) >= 1){
    ?>
    <script type="text/javascript">
      window.location="demo.php";
    </script>
<?php
  } else {
    $msg = "Invalid Username/Password combination"; //Storing error msg
  }
}
 ?>

<!DOCTYPE html>
<html >
  <head>
    <meta charset="UTF-8">
    <title>Login Form</title>
        <link rel="stylesheet" href="css/style.css">
  </head>
  <body>
    <div class="login">
  <div class="login-triangle"></div>

  <h2 class="login-header">Log in</h2>
  <form class="login-container" name="form1" action="" method="post">
    <p style="color:red;"><?php if(isset($msg)){ echo $msg; } //Printing error msg, but couldn't get it ?></p>
    <p><input type="text" placeholder="Username" name="username" required></p>
    <p><input type="password" placeholder="Password" name="pwd" required></p>
    <p><input type="submit" name="submit1" value="Log in"></p>
  </form>
</div>
    <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
  </body>
</html>
hanish singla
  • 782
  • 8
  • 21