
I want to create a login page. First, I get the username and password from login.html and send them to login.php to check if it's available or not. But it always gives errors and I cannot solve that.

Login.html

        <form action="login.php" method="post">
           <div class="containerLogin">
            <label><b>Username</b></label>
            <input type="text" placeholder="Enter Username" name="username" required>

            <label><b>Password</b></label>
            <input type="password" placeholder="Enter Password" name="password" required>
          </div>

          <div class="containerLogin" style="background-color:#f1f1f1">
            <input type="submit" name="submit" value="submit" class="btn btn-primary">
            <span class="password">Forgot <a href="#">password?</a></span>
          </div>
        </form>

login.php

    <?php
    include_once "connection.php";
    if (isset($_POST['submit'])) {
        session_start();
        if ($_POST['username'] && $_POST['password']) {
            $username = $_POST['username'];
            $password = $_POST['password'];
            $query = mysqli_query("SELECT * FROM studenttable WHERE username='$username' and password='$password'");
            $res = mysqli_query($con, $query);
            $count_user = mysqli_num_rows($res);
            if ($count_user == 1) {
                $row = mysqli_fetch_array($res);
                $_SESSION['username'] = $row['username'];
                $_SESSION['password'] = $row['password'];
                header("location:dashboard.php?success=1");
            } else {
                $error = 'Incorrect Username, Password and Branch.';
            }
        }
    }
    ?>

ERRORS login.php

ozan
  • Problem here: `$query = mysqli_query("SELECT * FROM studenttable WHERE username='$username' and password='$password'");` Should be: `$query = "SELECT * FROM studenttable WHERE username='$username' and password='$password'";` – jirarium Nov 20 '17 at 23:17
  • Can you help me solve that problem? – ozan Nov 20 '17 at 23:18
  • edited my comment. – jirarium Nov 20 '17 at 23:19
  • Stupid mistake. Thank you, but it is not enough. There is one more error. It's Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\login.php on line 25 – ozan Nov 20 '17 at 23:20
  • So **$res** returned false, check your query. – jirarium Nov 20 '17 at 23:22
  • On a side note, I'd recommend you look up prepared statements to prevent vulnerabilities in your code. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – jhine Nov 20 '17 at 23:23
  • I encrypt my password using `$password = password_hash($_POST['password'], PASSWORD_DEFAULT);`. But I cannot decrypt it with the same thing. It gives different values. How can I decrypt that? I am new to PHP. It is my first project. I have to work too much, I know. – ozan Nov 20 '17 at 23:28
  • If you hashed the password like that when it was first created, you can use `password_verify($password, $hash);` [password_verify](http://php.net/manual/en/function.password-verify.php) – jirarium Nov 20 '17 at 23:34
  • Yes. I checked https://stackoverflow.com/questions/24024702/how-can-i-decrypt-a-password-hash-in-php and I tried this one: `$truepass = password_verify('$password', PASSWORD_DEFAULT);` but it always turns out empty – ozan Nov 20 '17 at 23:38
  • You didn't use the function the right way, try: `password_verify($password, $row['password']);` – jirarium Nov 20 '17 at 23:43
  • I wrote it like that. How can I use $row here? https://notepad.pw/share/9y18jyrud – ozan Nov 20 '17 at 23:50
  • It is too close I think. https://notepad.pw/share/b0wh3xwse – ozan Nov 20 '17 at 23:55

1 Answer


The $query variable should not be a mysqli_query, but a string, since you can't pass a query as a parameter to another query. Replace that line (24) with this:

    $query = "SELECT * FROM studenttable WHERE username='$username' and password='$password'";

Jared Peter
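
The comments on the question recommend prepared statements and `password_verify()`; the following login.php combines both. It is an added example, not code from the question or the answer. It assumes `$con` is the mysqli connection defined in connection.php and that `studenttable.password` stores `password_hash()` output; `verify_login` is a hypothetical helper name.

```php
<?php
// Added example. Assumes connection.php defines $con (mysqli) and that
// studenttable.password holds password_hash() output (e.g. VARCHAR(255)).
include_once "connection.php";
session_start();

/**
 * Return true when $password matches the stored hash for $username.
 * verify_login is a hypothetical helper, not part of the original code.
 */
function verify_login(mysqli $con, string $username, string $password): bool
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $con->prepare("SELECT password FROM studenttable WHERE username = ?");
    if ($stmt === false) {
        // prepare() failed (bad SQL, missing table): log it, do not echo it.
        error_log("login prepare failed: " . $con->error);
        return false;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row fetched, null = no such user
    $stmt->close();

    // password_hash() salts every hash, so the stored value is compared with
    // password_verify(), never by re-hashing or inside the WHERE clause.
    return $found === true && password_verify($password, $hash);
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if (is_string($username) && is_string($password)
        && verify_login($con, $username, $password)) {
        session_regenerate_id(true);        // fresh session ID after login
        $_SESSION['username'] = $username;  // the password is not kept in the session
        header("Location: dashboard.php?success=1");
        exit;
    }
    $error = 'Incorrect username or password.';
}
```

The query selects by username only and the password check happens in PHP, which is why `$row`-style access to the stored hash is needed before `password_verify()` can run.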