
I have a problem with HTML and PHP. I created a login page and all the functions for login, but I want to put the username in the header (like on Facebook) and I have a problem: the username is hidden when I add the PHP code. Everything else works perfectly. Here is my HTML code, pocetna.html:

```php
<?php
session_start();
?>
<html>
<head>
    <title>
        weekta RolePlay | Pocetna
    </title>
    <link rel="stylesheet" href="style/styless.css">
    <link href="https://fonts.googleapis.com/css2?family=Jost&display=swap" rel="stylesheet">
</head>
<body>
    <header>
        <a class="logo" href="/" style="text-decoration: none;color: #1260a8;font-size: 30px;font-family: 'Jost', sans-serif;"><p>weekta</p></a>
        <nav>
            <ul class="nav__links">
                <li><a href="#">Services</a></li>
                <li><a href="#">Projects</a></li>
                <li><a href="#">About</a></li>
                <li><a href="#"><span><?php echo( $_SESSION['korisnickoime'] );?></span></a></li>
            </ul>
        </nav>
        <a class="cta" href="index.html">Login</a>

        <p class="menu cta">Menu</p>
    </header>
    <div id="mobile__menu" class="overlay">
        <a class="close">&times;</a>
        <div class="overlay__content">
            <a href="#">Services</a>
            <a href="#">Projects</a>
            <a href="#">About</a>
        </div>
    </div>
    <script type="text/javascript" src="mobile.js"></script>
</body>
</html>
```

And here is login_process.php:

```php
<?php

$mysql_host="localhost";
$mysql_user="root";
$mysql_password="";
$mysql_db="weekta";

$conn = mysqli_connect($mysql_host,$mysql_user,$mysql_password);
mysqli_select_db($conn, 'weekta');
session_start();
if(isset($_POST['korisnickoime'])){

    $username=$_POST['korisnickoime'];
    $password=$_POST['sifrajedan'];

    $sql="SELECT * FROM loginform where korisnickoime='".$username."'AND sifrajedan='".$password."' limit 1";

    $result = mysqli_query($conn,$sql);

    if(mysqli_num_rows($result)==1){
        header("Location:pocetna.html");
        echo " Dobodosao $username";
        exit();
    }
    else{
        echo " Pogresna lozinka.";
        exit();
    }
}
?>
```

Can someone help me? Thanks.

  • This code is **wide open** to SQL injection attacks. It should not be used. Your database is likely already compromised by automated scripts. Use parameterized queries to avoid this problem. – Brad May 31 '20 at 05:08
  • You should not echo anything after setting the headers... – Swetank Poddar May 31 '20 at 05:28
  • I updated my answer with some other changes. I found one query issue in your code; please update that too. – Dupinder Singh May 31 '20 at 05:45
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 31 '20 at 13:29

2 Answers

You are not setting $_SESSION['username'] after your user was found in the DB.

I'm not a PHP expert, but you need to do something like $_SESSION['username'] = 'xyz', I think. Besides that, your SELECT query is vulnerable to SQL injection.

https://www.php.net/manual/en/security.database.sql-injection.php

Alex Tbk

In your script there is one mistake:

```php
$sql="SELECT * FROM loginform where korisnickoime='".$username."'AND sifrajedan='".$password."' limit 1";
```

In this query, near the username (`korisnickoime='".$username."'AND sifrajedan='".$password."'`), there is no space between $username and AND.

The end result of this query after appending the username and password will be like:

```sql
SELECT * FROM loginform where korisnickoime='user1'AND sifrajedan='xyz' limit 1
```

This query will break, so please add a space there; replace your query string with this:

```php
$sql="SELECT * FROM loginform where korisnickoime='".$username."' AND sifrajedan='".$password."' limit 1";
```

Your PHP script could be like this:

index.php

```php
<?php
    // session_start() and header() must run before any HTML is sent, so the PHP goes first
    session_start();
    // mysql_* functions were removed in PHP 7; use mysqli with an explicit connection
    $conn = mysqli_connect("localhost", "root", "", "weekta") or die(mysqli_connect_error());
    if(isset($_POST['username']) && isset($_POST['password']))
    {
        $username = $_POST['username'];
        $pass = $_POST['password'];
        // still string-interpolated here; see the parameterized version at the end of this answer
        $query = "SELECT * FROM `person` WHERE name='$username' and pass='$pass'";
        $result = mysqli_query($conn, $query) or die(mysqli_error($conn));
        $count = mysqli_num_rows($result);
        if ($count == 1){
            $_SESSION['username'] = $username;
            header('Location: homepage.php');
            exit(); // stop here so nothing is sent after the redirect header
        }
        else
        {
            $msg = "Wrong credentials";
        }
    }

    if(isset($msg) && !empty($msg)){
        echo htmlspecialchars($msg);
    }
?>
<form method="post" name="login">
        <label for="username">Username:</label><br>
        <input type="text" id="username" name="username"><br>
        <label for="password">Password:</label><br>
        <input type="password" id="password" name="password"><br>
        <button type="submit" name="login">Log in</button>
</form>
```

Then in homepage.php:

```php
<?php
    // session_start() has to come before any output, so it sits at the very top of the file
    session_start();
    if(!isset($_SESSION['username']))
    {
        die("You are not logged in!");
    }
    $username = $_SESSION['username'];
?>
<nav>
<ul class="nav__links">
    <li><a href="#">Services</a></li>
    <li><a href="#">Projects</a></li>
    <li><a href="#">About</a></li>
    <li><a href="#">
    <span>
    <?php echo "Hai " . htmlspecialchars($username); ?>
    </span></a></li>
</ul>
</nav>
```

PS: To make your query secure, use a parameterized query like this:

```php
<?php
$servername = "localhost";
$db_user = "username";
$db_password = "password";
$dbname = "myDB";

// Create connection (separate variable names so the login values below do not overwrite the credentials)
$conn = new mysqli($servername, $db_user, $db_password, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

// Placeholders are a bare ? (not '?'): the driver quotes the bound values itself
$stmt = $conn->prepare("SELECT * FROM loginform WHERE korisnickoime = ? AND sifrajedan = ? LIMIT 1");
$stmt->bind_param("ss", $username, $password);

// set parameters and execute (bind_param binds by reference, so the values set here are used)
$username = "John";
$password = "Doe";
$stmt->execute();

// execute() only returns true/false; buffer the result set to count the matching rows
$stmt->store_result();
if ($stmt->num_rows == 1) {
    echo "Login OK";
}
$stmt->close();
?>
```
Dupinder Singh
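Pulling the threads of both answers and the comments together (set the session value after a successful lookup, bind values instead of concatenating them, store only password_hash() output, and serve the header page as .php so its PHP actually runs), here is an added example of the login flow. It is not the asker's or the answerers' code; it assumes the `loginform` table from the question, with `sifrajedan` holding a password_hash() value, and the mysqlnd driver that ships with standard PHP builds.

```php
<?php
// login_process.php -- added example, not code from the question or the answers.
// Assumes: the form still posts `korisnickoime` and `sifrajedan`, and the `sifrajedan`
// column of `loginform` stores a password_hash() value created at registration time.
session_start();

$conn = new mysqli('localhost', 'root', '', 'weekta');
if ($conn->connect_error) {
    http_response_code(500);
    exit('Database connection failed.');
}

$username = $_POST['korisnickoime'] ?? '';
$password = $_POST['sifrajedan'] ?? '';

// A bare ? placeholder is sent separately from the SQL text, so a username containing
// a quote is compared as a literal string and can never change the query's structure.
$stmt = $conn->prepare('SELECT korisnickoime, sifrajedan FROM loginform WHERE korisnickoime = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver

// Unknown user and wrong password both end in the same message below.
if ($row !== null && password_verify($password, $row['sifrajedan'])) {
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['korisnickoime'] = $row['korisnickoime'];
    header('Location: pocetna.php');      // .php, not .html: the server must run the PHP in that file
    exit();                               // nothing may be echoed after a redirect header
}
http_response_code(401);
echo 'Pogresna lozinka.';
exit();
?>

<?php
// pocetna.php -- top of the file, before the first byte of HTML.
session_start();
if (!isset($_SESSION['korisnickoime'])) {
    header('Location: index.html');       // not logged in: back to the login form
    exit();
}
?>
<!-- ... header markup as in the question; only the username <li> changes: -->
<li><a href="#"><span><?= htmlspecialchars($_SESSION['korisnickoime'], ENT_QUOTES, 'UTF-8') ?></span></a></li>
```

The two files are shown in one block; save each under the name in its leading comment, and rename the question's pocetna.html to pocetna.php so the session lookup in the header is executed rather than served as plain text.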