0

ok, so i have a little issue here with php. I know there are alot of similar questions, but ones i found did not help. I dont want to use anything more like javascript or something. I got mysql set up, there are 3 columns ID username and password. 

   <?php 

$username = $_POST['user'];
$password = $_POST['pass'];
$username = stripcslashes($username);
$password = stripcslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
mysql_connect("localhost","root","");
mysql_select_db("login");
$result = mysql_query("select * from users where username='$username' and password= '$password'") 
or die("failed to query DB".mysql_error());
$row = mysql_fetch_array($result);
if ($row['username'] == $username && $row['password'] == $password) {header(suc.html);
die();}else{header("Location: fail.html");die();}
?>

This code, it works but when i dont fill in any details and press submit too, it gets me to the suc.html which shows successful login. Now i want to make the following: I'll make ID's similar to each individual html's names, then the php will go match the ID number with the file name in the directory, and show the page for the respective user. like lets say user1. Login userlol password 123 ID user1 file user1.html then what code to use that it goes and matches the ID user1 with the .html name, then redirects the user to their own custom page. Is there a way? Kinda getting started with php ,so cut some slack please :) p.s i know these codes are older php codes, but anything works for me personally.

Univ Ersal
  • 31
  • 3
  • FYI, [you shouldn't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/). They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you. – John Conde May 03 '20 at 17:42
  • **Never store plain text passwords!** Please use [PHP's built-in functions](//php.net/manual/en/function.password-hash.php) to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() [compatibility pack](https://github.com/ircmaxell/password_compat) (and you should consider upgrading to a supported version of PHP). Make sure you [don't escape passwords](//stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde May 03 '20 at 17:42
  • Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde May 03 '20 at 17:42

1 Answers1

1

You are getting that sort of behaviour because when a username and password is not submitted, their respective values evaluates to null and your SQL query is successful but returns 0 rows thereby making your $row['username'] and $row['password'] to be null. In general, your $row['username'],$row['password'],$username,$password would all be equal to null which fulfills all the requirements to redirect to "suc.html"

To solve this problem, simply check if mysql_num_rows($result)==1 because usually, a successful login would return just one row due to unique usernames.

But I would not advice you to continue with deprecated mysql and SQL Injection susceptible logic. Please allow me to rewrite your logic as follows:

<?php 
$username = $_POST['user'];
$password = $_POST['pass'];
//    You don't have to escape or sanitize user inputs if you use Prepared Statement plus sanitizing user password is highly discouraged.
//    $username = stripcslashes($username);
//    $password = stripcslashes($password);
//    $username = mysql_real_escape_string($username);
//    $password = mysql_real_escape_string($password);

// Initiate a PDO connection and set your error mode to exception.
$conn=new pdo("mysql:host=localhost;dbname=login;","root","",array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

try{
    // Prepare your query and replace all values with ? which would be provided as an array in execute(); I added limit 1 to make sure we are getting a maximum of one row from our query.
    $result_stmt = $conn->prepare("select * from `users` where (`username`=? and `password`=?) limit 1");
    $result_stmt->execute([$username,$password]);
    // fatch() would return a single row just like mysql_fetch_array or mysql_fetch_assoc while fetchAll() would return all rows. 
    $result=$result_stmt->fetch();
    if(count($result)==1){
        // There is no need to check this again because your query to the database already did.
        // if ($row['username'] == $username && $row['password'] == $password) 
        // Redirect users to the same page but identify each user through session (recommended)
        header("location:suc.html");
    }else{
        header("location:fail.html");
    }
}catch(Exception $e){
    echo $e->getMessage();
}
?>
Nelson Rakson
  • 558
  • 3
  • 14