php html Login Page not working

0 like 0 dislike
795 views

I'm having trouble creating a login page. I set up a MySQL database and table. The table has 3 fields: id, username and password. Every time I try to log in, I receive the message that the login failed. After hours of research, I still cannot pinpoint where this goes wrong.

Here's the code for the "login.htm" page:

<html>
<body>

<form action="login.php" method="post">
<p>Username
<input type="text" name="username" id="username" />
</p>
<p>Password
<input type="password" name="password" id="password" />
</p>
<p>
<input type="submit" />
</p>

</form>

</body>

</html>

Here's the code for the "login.php" page:

<?php
session_start();

include('admin/misc2.inc');

$cxn = mysqli_connect($host,$user,$passwd,$dbname) 
or die ("couldn't connect to server" . mysqli_error());

$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysqli_real_escape_string($myusername);
$mypassword = mysqli_real_escape_string($mypassword);

$result = mysqli_query($cxn,"SELECT * FROM `members` WHERE username='$myusername' 
AND password='$mypassword'") or die("cannot execute query");

$num = mysqli_num_rows($result);

if($num > 0)
{

$_SESSION['username'];
header("location:success.php");
}

else
echo "login fail – please click here to <a href=\"login.htm\">login</a>";
?>

Any assistance will be appreciated.

asked Dec 30, 2011 by anonymous  
edited Jul 4, 2012 by sarwana

4 Answers

0 like 0 dislike
 
Best answer

A modular approach to this is best; I will add another thing to this:

When building a site/page, add the following:

error_reporting( E_ALL ); 

and fix every error, warning or notice.

To do that you would need to have this:-

(Checking for notices)

error_reporting(E_ALL ^ E_NOTICE); 

or:-

(for old functions)

error_reporting(E_ALL ^ E_DEPRECATED); 

or:-

(for strict standards)

error_reporting(E_ALL ^ E_STRICT); 

Hope that makes sense.

answered Dec 30, 2011 by anonymous  
selected Nov 6, 2012 by sarwana
0 like 0 dislike

Should it not be:

else {
  echo "login fail – please click here to <a href=\"login.htm\">login</a>";
}

or
else echo "login fail – please click here to login";

answered Dec 30, 2011 by anonymous  
edited Jul 4, 2012 by sarwana
0 like 0 dislike
In the structure of the DB, have you got the field 'Password' set up as a straightforward varchar() or text() field, or are you using some sort of algorithm (Sha1()/md5()/password()) to encrypt the data? If you are, then the query you build up from the provided data needs to reflect this.

And as jecasc correctly notes, the if statement is missing its else braces.

What I would recommend at the very least is that you echo the populated SQL string to screen, copy it and then paste it into your preferred MySQL client to see that the populated string actually gives the results that you expect, else you won't progress very far.

And this raises a good point for building the query OUTSIDE the mysqli_query() function, as this does, and can, improve debugging attempts for you further down the line.

The only other thing that bothers me about this is the use of $_SESSION here and how you're populating it on successful login: you're defining it, but not assigning it anything for later use? Maybe you just want the script to function before you concentrate on the aesthetics, but if you don't assign it, you could end up with undefined index errors. Admittedly, you would need to have error_reporting() on to catch 'em, but I thought I would note it for you.

Have fun with your project,
answered Dec 30, 2011 by anonymous  
0 like 0 dislike

A small, general extra:

When building a site/page, add the following:

error_reporting( E_ALL ); 

...and fix every error, warning or notice. You cannot imagine how many so-called notices are actually full-blown script errors. Fix them all.

On your public-facing scripts, allow zero errors to show.

On your specific question, far better to store encrypted (md5 is a typical one) and test for password equality to the retrieved value.

eg

SELECT `md5` from `db` WHERE `name`='username' 

Then:
1 is name in the DB at all?
2 if yes, test md5(password)=mysql_md5 (in PHP)

Thus, break it down into small steps and, if you have errors, test one step at a time. Try to resist the urge to cram it all into one huge algorithm.

answered Dec 30, 2011 by anonymous  
edited Jul 4, 2012 by sarwana
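
The last answer's two steps (look up the name, then compare in PHP), as an added example that is not from the thread: it binds the username as a parameter and uses password_hash()/password_verify() in place of md5(), since a fast unsalted digest is a poor fit for stored passwords. PDO with in-memory SQLite and the sample accounts are assumptions so it runs without a MySQL server; mysqli prepared statements follow the same pattern.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with in-memory
// SQLite stands in for the MySQL server; `members` follows the question, with
// `password` holding a password_hash() value rather than the password itself.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    // Constructed sample accounts; one name contains a quote on purpose.
    foreach ([['alice', 'correct horse'], ["o'brien", 'battery staple']] as [$u, $p]) {
        $ins->execute([$u, password_hash($p, PASSWORD_DEFAULT)]);
    }
    return $db;
}

function check_login(PDO $db, string $username, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    // Step 1: is the name in the DB at all? The value is bound as a parameter,
    // so quotes in it are data and need no stripslashes()/escaping.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Step 2: compare in PHP. Unknown names still run one verification so
    // both failure paths do similar work.
    if ($hash === false) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// On success a real page would call session_regenerate_id(true) and assign
// $_SESSION['username'] = $username before redirecting.
$db = open_demo_db();
$attempts = [['alice', 'correct horse', true], ['alice', 'wrong', false],
             ["o'brien", 'battery staple', true], ['nobody', 'x', false]];
foreach ($attempts as [$user, $pass, $expected]) {
    $got = check_login($db, $user, $pass);
    printf("%-8s %-5s %s\n", $user, $got ? 'allow' : 'deny', $got === $expected ? 'ok' : 'MISMATCH');
}
```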