-2

I have a little problem. I have a form in login.php:

```html
<form action="loginscript.php" method="post">
    <h2>Login form</h2>
    <label for="nick">Podaj imie: </label>
    <input type="text" name="nick" id="nick">
    <br>
    <label for="pass">Podaj haslo: </label>
    <input type="password" name="pass" id="pass">
    <br>
    <p>LOG IN</p>
    <input type="submit" name="submit" id="submit">
</form>
```

And I have a loginscript.php file:

```php
<?php
    session_start();
    if (isset($_POST["nick"]) && isset($_POST["pass"])) {

        $nick=$_POST["nick"];
        $pass=sha1(sha1($_POST["pass"]));

        $conn = mysqli_connect("localhost", "root", "", "baza2");
        if ($conn) {
            $query = mysqli_query($conn, "SELECT * FROM login_table WHERE nick='$nick' AND pass='$pass'");

            if (mysqli_num_rows($query)) {
                $_SESSION["logged"]=true;
                header("Location: main.php");
            } else {
                header('Location: login.php');
            }
            mysqli_close($conn);
        }
    }
?>
```

In loginscript.php, in the else branch, I have a redirect to the login.php page. How can I change the p tag from 'LOG IN' to 'USERNAME OR PASSWORD IS WRONG'?

I tried using jQuery but that doesn't work, maybe I don't know how. Please help :(

  • 4
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Dec 07 '22 at 19:43
  • 4
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Dec 07 '22 at 19:43
  • 4
    There's no point in using `sha1` twice. It's as useless as if you used it once or none at all – Dharman Dec 07 '22 at 19:43

2 Answers

-1

You can't change anything on the target page from there, but what you can do is provide some information to the target page which that page can use. For example, consider this redirect:

```php
header('Location: login.php?failed=true');
```

Then in the login.php code you can check for the "failed" query string value and conditionally change the output based on that. For example:

```php
<?php
  $message = isset($_GET['failed']) ? "USERNAME OR PASSWORD IS WRONG" : "LOG IN";
?>
<form action="loginscript.php" method="post">
    <h2>Login form</h2>
    <label for="nick">Podaj imie: </label>
    <input type="text" name="nick" id="nick">
    <br>
    <label for="pass">Podaj haslo: </label>
    <input type="password" name="pass" id="pass">
    <br>
    <p><?= $message ?></p>
    <input type="submit" name="submit" id="submit">
</form>
```
David
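A hardened version of loginscript.php that combines the advice in the comments on the question (a prepared statement and `password_verify()`) with the `?failed=true` redirect from the answer above. This is an added example, not code from the question or from either answer; it assumes `login_table.pass` has been repopulated with `password_hash()` output, and the function name `credentials_ok` is made up for illustration.

```php
<?php
// Added example: hardened loginscript.php (not code from the question or answers).
// Assumption: login_table.pass holds password_hash() output, e.g. in a VARCHAR(255) column.
declare(strict_types=1);
session_start();

// Returns true only when $nick exists and $pass matches the stored hash.
function credentials_ok(mysqli $conn, string $nick, string $pass): bool
{
    // The nick is bound as a parameter, so it is never parsed as SQL.
    $stmt = $conn->prepare('SELECT pass FROM login_table WHERE nick = ?');
    $stmt->bind_param('s', $nick);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row fetched, null = no matching row
    $stmt->close();

    // password_verify() reads the algorithm and salt from the stored hash.
    return $found === true && password_verify($pass, (string) $hash);
}

// Reject missing fields and array-valued input such as nick[]=x.
$nick = $_POST['nick'] ?? null;
$pass = $_POST['pass'] ?? null;
if (!is_string($nick) || !is_string($pass)) {
    header('Location: login.php');
    exit;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$conn = new mysqli('localhost', 'root', '', 'baza2');       // connection values from the question
$ok = credentials_ok($conn, $nick, $pass);
$conn->close();

if ($ok) {
    session_regenerate_id(true);   // fresh session ID after login (blocks session fixation)
    $_SESSION['logged'] = true;
    header('Location: main.php');
} else {
    // One message for both unknown user and wrong password; login.php checks ?failed.
    header('Location: login.php?failed=true');
}
exit; // stop executing once the redirect header is sent
```

Existing rows hashed with `sha1(sha1(...))` cannot be verified by `password_verify()`, so those accounts need a password reset or a rehash-on-next-login migration before this script replaces the original.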
-1

You could try the code below.

```php
if (mysqli_num_rows($query)) {
    $_SESSION["logged"]=true;
    echo "<script type='text/javascript'> document.location = 'main.php';</script>";
} else {
    echo "<script>alert('Your Password or username is wrong!');</script>";
}
```
j3ff
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 14 '22 at 01:49