0

My code below doesn't go to if ( $loginsuccess == 1 ). Every time I try logging in, it directs me to the else{ part of my code.

<?PHP
    session_start();


    $userid = $_POST['userid'];
    $password = $_POST['password'];
    $loginsuccess = 0;


    $con = mysqli_connect('localhost', 'root');

    if (!$con)
      {
      die('Could not connect: ' . mysqli_connect_error());
      }


    mysqli_select_db($con, 'btr');


    $result = mysqli_query("SELECT * FROM user WHERE UserID='" . $userid . "'");

    while($row = mysqli_fetch_array($result))
    {

          if ( $row['password'] == $password ){
              $loginsuccess = 1;
          }
    }


    mysqli_close($con);

?>

<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="http://code.jquery.com/mobile/1.0a3/jquery.mobile-1.0a3.min.css" />
<script src="http://code.jquery.com/jquery-1.5.min.js"></script>
<script src="http://code.jquery.com/mobile/1.0a3/jquery.mobile-1.0a3.min.js"></script>
<script type="text/javascript">
<!--
function redirect_index(){
    window.location = "menu.php"
}
function redirect_login(){
    window.location = "login.php"
}

//-->
</script>
<title>Test</title>
</head>
<body>
<?PHP

 if ( $loginsuccess == 1 ){
  
  
  $_SESSION['userid'] = $userid;
  
?> 

<div data-role="page" class="login">
<script type="text/javascript">
$('.login').live("pagecreate", function() {
 setTimeout("redirect_index();", 3000);  
});
</script>

    <div data-role="header">
      <h1>
        Test
      </h1>
    </div>
    <div data-role="content">
 Login successful. You will be redirected to main page in 3 seconds...<br />
 <a href="menu.php">Back</a>
    </div>
    <div data-role="footer">
      Test
    </div>
  </div>

<?PHP 

 } else{
   
  unset($_SESSION['userid']);
 
?>

<div data-role="page" class="login">
<script type="text/javascript">
$('.login').live("pagecreate", function() {
 setTimeout("redirect_login();", 3000);  
});
</script>
    <div data-role="header">
      <h1>
 Test
      </h1>
    </div>
    <div data-role="content">
 Invalid id or password. You will be redirected to login page in 3 seconds...<br />
 <a href="login.php">Login</a>
    </div>
    <div data-role="footer">
      Test
    </div>
  </div>

<?PHP

 }
 
?>
</body>
</html>

Could it be the data passed from the previous page?

<?PHP
 session_start(); 
?>

<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="http://code.jquery.com/mobile/1.0a3/jquery.mobile-1.0a3.min.css" />
<script src="http://code.jquery.com/jquery-1.5.min.js"></script>
<script src="http://code.jquery.com/mobile/1.0a3/jquery.mobile-1.0a3.min.js"></script>
<script src="http://maps.google.com/maps/api/js?sensor=true" type="text/javascript"></script>
<script type="text/javascript">
<!--
function redirect_index(){
    window.location = "menu.php"
}
function redirect_login(){
    window.location = "login.php"
}
//-->
</script>
<title></title>
</head>
<body>

<div data-role="page">
    <div data-role="header">
      <h1>
        Login
      </h1>
    </div>
    <div data-role="content">
      <form method="post" action="login_script.php">

        <div data-role="fieldcontain">
          <label for="userid">
            ID
          </label>
          <input type="text" name="userid" id="userid" value=""/>
        </div>
        <div data-role="fieldcontain">
          <label for="password">
            Password
          </label>

          <input type="password" name="password" id="password" value=""/>
        </div>
        <input type="submit" value="Login" data-role="button" data-inline="true"/>
 </form>
 
    </div>
    <div data-role="footer">

    </div>
  </div>
  
</body>
</html>
zach89
  • 3
    which else part? – JimL Nov 13 '17 at 21:18
  • and which if part? scnr – zefixlluja Nov 13 '17 at 21:19
  • 1
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 13 '17 at 21:20
  • 2
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Nov 13 '17 at 21:20
  • Whatever you do, do not go live with this code. – Jay Blanchard Nov 13 '17 at 21:21

2 Answers

2

The method mysqli_query requires the following parameters:

  • The database connection resource, and
  • The query to run

As chris85 noted, you're missing the database resource parameter.

$result = mysqli_query($con, "SELECT * FROM user WHERE UserID='" . $userid . "'");

while ($row = mysqli_fetch_assoc($result)) {

To reiterate Jay Blanchard's comments regarding your application's security, it appears that you're both storing user passwords in your database in plain text and setting yourself up for SQL injection risks. The script below mitigates those risks by using prepared statements (prepare, bind_param and execute) and the password functions that have been included in PHP since 5.5.

Note that passwords must be inserted into the database after being run through password_hash; after that, you can use password_verify to validate the password.

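$successful_login = false;

// The ? placeholder keeps $userid out of the SQL text
$query = 'SELECT password FROM user WHERE UserID = ?';
$stmt = mysqli_prepare($con, $query);
$stmt->bind_param('s', $userid);

$stmt->execute();
// Bind the output column after execute() and before fetch(), as the mysqli manual specifies
$stmt->bind_result($row_passwd);

if ($stmt->fetch()) {
    // Checks the submitted password against the stored password_hash() value
    $successful_login = password_verify($password, $row_passwd);
}

if ($successful_login) {
    echo 'Account validated.';
}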
chris85
Chris Forrence
  • Thanks, but it's still not working after changing to assoc. – zach89 Nov 13 '17 at 21:41
  • 1
    Question: are you sure it's going into the while-loop? You can `var_dump($row)` inside the while-loop to see what format `$row` is taking. If you don't see anything after adding that, then your query is the next thing to look into. – Chris Forrence Nov 13 '17 at 21:49
  • I thought `mysqli_fetch_array` returned both indices. – chris85 Nov 13 '17 at 21:49
  • @chris85 Whoops, you're right. I was thinking of `mysqli_fetch_row` – Chris Forrence Nov 13 '17 at 21:52
  • Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\xampp\htdocs\login_script.php on line 21 Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in C:\xampp\htdocs\login_script.php on line 23 Could it be the settings of the database? – zach89 Nov 13 '17 at 22:19
  • @zach89 The code here isn't using `mysqli_query` (and yours shouldn't either). However the issue there and here would be the same. Parameter 1 must be a connection link when using procedural approach. – chris85 Nov 13 '17 at 22:22
  • 1
    Yes, solved. It's the resource parameter. Now that this is working, I will look into modifying it to avoid SQL injection. Thanks Chris Forrence and @chris85 – zach89 Nov 13 '17 at 22:36
  • @zach89 Use Chris's code here, I've modified the `prepare` so it can take the connection link as well. This is what you need to do, use placeholders instead of the direct value. – chris85 Nov 13 '17 at 22:53
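
Added example (not part of the answer or the asker's code): the registration and login halves of the approach described in the answer above, using mysqli prepared statements with password_hash and password_verify. It assumes a `user` table with `UserID` and a `password` column of VARCHAR(255) so the full hash fits; the helper names `register_user` and `verify_login` and the connection credentials are hypothetical placeholders.

```php
<?php
// Added example. Assumed schema: user(UserID, password VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

// Hypothetical helper: store a new account with a hashed password.
function register_user(mysqli $con, string $userid, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted, one-way
    $stmt = $con->prepare('INSERT INTO user (UserID, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $userid, $hash);
    $stmt->execute();
    $stmt->close();
}

// Hypothetical helper: true only if the user exists and the password matches.
function verify_login(mysqli $con, string $userid, string $password): bool
{
    $stmt = $con->prepare('SELECT password FROM user WHERE UserID = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();            // true = row fetched, null = no such user
    $stmt->close();
    if ($found !== true || !password_verify($password, $stored_hash)) {
        return false;                   // same result for unknown user and bad password
    }
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        // Upgrade the stored hash when PHP's default algorithm or cost changes.
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE user SET password = ? WHERE UserID = ?');
        $upd->bind_param('ss', $new_hash, $userid);
        $upd->execute();
        $upd->close();
    }
    return true;
}

// In login_script.php (placeholder credentials; do not connect as root).
session_start();
$userid   = is_string($_POST['userid'] ?? null) ? $_POST['userid'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
$con = new mysqli('localhost', 'app_user', 'app_password', 'btr');

if (verify_login($con, $userid, $password)) {
    session_regenerate_id(true);        // new session ID after authentication
    $_SESSION['userid'] = $userid;
} else {
    unset($_SESSION['userid']);
}
```

Existing rows that still hold plain-text passwords will fail password_verify until they are re-stored through password_hash.
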
0

Please check this line of your code:

$result = mysqli_query("SELECT * FROM user WHERE UserID='" . $userid . "'");

I think the SQL query doesn't need the single quotes (like this: SELECT * FROM user WHERE UserID='userid'). If you use the single quotes, the userid is interpreted as text and not as a number. In this case it wouldn't find any entry for a user and in a row no password.

Try this line instead:

$result = mysqli_query("SELECT * FROM user WHERE UserID=" . $userid);
Chris Forrence
it-person