0

I have the following code below that will check to see if the user is available in the database before he is granted access to the site; however, when the user enters any value it will log him in even if he is not registered in the database. After this code there is jQuery code that I also used to prevent any value from being entered into that database if the field is empty and it is not the default text field value. However, whenever I log in I am still being prompted to enter a valid text and it continues to the login process rather than stopping me from doing anything before I fill in the required field.

<?php 
    if(isset($_SESSION["owner"])){
        header("Location:index.php");
        exit();
    }
?>
<?php
    require_once("includes/connection.php");
    if(isset($_POST["username"]) && isset($_POST["password"])){
        $owner = $_POST["username"];
        $password = $_POST["password"];
        $query = "SELECT id FROM users WHERE username = '$owner' AND password ='$password' LIMIT 1";
        $sql = mysql_query($query,$connection);
        $existCount = mysql_num_rows($sql);
        if($existCount == 1){   
            while($row = mysql_fetch_array($sql)){
                $id = $row["id"];
            }
            $_SESSION["id"] =$id;
            $_SESSION["owner"] = $owner; 
            $_SESSION["password"] =$password;
            echo"welcome back" .$owner."<a href=\"index.php\"> please continue</a>";
            exit();
        }
        else{
            header("Location:login.php");
            exit();
        }
    }
    require_once("includes/header.php");
?>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js?ver=3.2.1'></script>
<script type='text/javascript' src='/bobs/admin/javascript/login.js'></script>
<div class="cBoth"></div>
<div id="sep"></div>

<div class="Calign">
<div id="formcontent">

<div class="flotr">
 <h2>Book faster every time</h2> 
 <br/>
 <p class="widthis">Contrary to popular belief, Lorem Ipsum is not simply random text. It has roots in a piece of classical Latin literature from 45 BC, making it over 2000 years old. Richard McClintock, a Latin professor at Hampden-Sydney College in Virginia, looked up one of the more obscure Latin words, consectetur, from a Lorem Ipsum passage, and going through the cites of the word in classical literature, discovered the undoubtable source.</p>
</div><!-- end of flotr div text --->

<div class="flotr">
<div id="errordisplay"></div>
   <fieldset class="spacing">
   <form method="post" action="admin/formProc/formproc.php" id="frmnewuser">
     <h2>New to Travelnstay ?</h2>
     <p class="widthis">A Travelnstay account is required to continue.</p> 
     <p class="formsp">Username</p>
     <p><label><input type="text" name="username" height="15px" value="Username " id="username"/></label></p>
     <p class="formsp">Email</p>
     <p><label><input type="text" name="email" value="Your Email" id="email"/></label></p>
     <p class="formsp">Re-email</p>
     <p><label><input type="text" name="reemail" value="Retype your Email" id="reemail"/></label></p>
     <p class="formsp">Password</p> 
     <p><label><input type="password" name="password" id="password"/></label></p>
     <p class="formsp">Re-password</p>
     <p><label><input type="password" name="repassword" id="repassword" /></label></p>
     <p class="formsp"><label><input type="submit" name="newuser" value="SING ME UP"/></label></p>
   </form>
  </fieldset>
</div><!-- end of flotr div sign up--->




<div class="flotl">
   <fieldset class="spacing">
   <form method="post" action="login.php">
   <h2>Sign in</h2>
   <p class="widthis">You need to log in to access your account.</p> 
   <p class="formsp">Username</p>
   <p><input type="text" name="username"  value="username" id="usernamelog"/></p>
   <p class="formsp">Password</p>
   <p><input type="password" name="password"  /></p>
   <p></p>
   <p class="formsp"><label><input type="submit" name="login" value="Login"/></label></p>
   </form>
   </fieldset>
</div><!-- end of flotl div login--->


 </div>
</div>


<div class="cBoth"><!-- clear Both--></div> 
<!--<script src="/bobs/admin/javascript/formscript.js"></script>-->
<?php require_once("includes/footer.php"); ?>

The next line is the jQuery code.

$(document).ready(function(){
    // this will wipe out anything in that text field.
    $("#usernamelog").click(function(){
        $(this).val("");
        $(this).css("color","#741863");
    });          
    $("input:submit").click(function(){
        var username = $("#usernamelog").val();            
        if((username == "")||(username == "username")){
           alert("Please enter a valid username");
        }          
    });
});
Musa
  • 1
    Sidenote: Please Please use prepared statements. This script is vulnerable to sql injections. – Dogbert Aug 05 '12 at 08:45
  • Exactly... I could probably read out the entire database and your passwords would be no good at all... Therefore, NEVER store raw passwords. ALWAYS encrypt them using [sha256/512](http://php.net/manual/en/function.hash.php), or most unsecure [md5](http://us3.php.net/manual/en/function.md5.php) and don't forget to salt your passwords. That way if somebody even hacks your databases, they won't be able to start anything with the passwords. – Kiruse Aug 05 '12 at 08:50
  • And never store password in `$_SESSION`. Read more here: http://php.net/manual/en/security.php But if this is only to learn, read through it fast, and pick it up before you release anything. – ThoKra Aug 05 '12 at 08:52
  • @Derija93: Hashing isn't encryption. I also recommend you use `bcrypt` or `scrypt` in order to make any sort of attacks impossibly slow, as `sha512` is quite fast. – Blender Aug 05 '12 at 08:52
  • @Blender Sorry 'bout that. But I guess you know what I mean. – Kiruse Aug 05 '12 at 08:53
  • @Derija93: I gotcha, just don't suggest new coders the wrong algorithms. – Blender Aug 05 '12 at 09:03
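
What the comments above recommend (a prepared statement, a bcrypt hash instead of a stored password, and a server-side check that does not depend on the jQuery alert), as an added example that is not part of the original question or its answers. It assumes PDO with the SQLite driver and a constructed in-memory `users` table; the `authenticate` function and the `password_hash` column are hypothetical names.

```php
<?php
// Added example, not the asker's code. Assumes PDO with the SQLite driver and a
// constructed in-memory users table (id, username, password_hash).
declare(strict_types=1);

function authenticate(PDO $db, string $username, string $password): ?int
{
    // Server-side check: the jQuery alert is only a convenience and can be bypassed.
    if (trim($username) === '' || $password === '') {
        return null;
    }
    // The placeholder keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored bcrypt hash, never a plaintext column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample data for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT)]);

$attempts = [
    ['alice', 'correct horse'], // registered user, right password
    ['alice', 'wrong'],         // registered user, wrong password
    ['mallory', 'anything'],    // not in the table
    ["al'ice", 'correct horse'], // quote characters stay data, no row matches
    ['', ''],                   // empty form submission
];
foreach ($attempts as [$user, $pass]) {
    $id = authenticate($db, $user, $pass);
    printf("%-10s => %s\n", var_export($user, true), $id === null ? 'rejected' : "id $id");
}

// In login.php: on success call session_start() and session_regenerate_id(true), then store
// only $_SESSION['id'] and $_SESSION['owner']; the password never goes into the session.
```

Only the first attempt returns an id; every other attempt is rejected on the server regardless of what the browser-side script did.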

2 Answers

2

You have to stop the submit process; returning false from the click handler should accomplish this.

  $("input:submit").click(function(){
    var username = $("#usernamelog").val();

    if((username == "")||(username == "username")){
       alert("Please enter a valid username");
       return false;
    }

  });
Musa
  • Do you have any idea, regarding PHP, why it is still logging in even when the user is not in the database? Or is there anything wrong in my code? – Salim Almughairi Aug 05 '12 at 08:51
  • Also, take a quick read here: https://developer.mozilla.org/en-US/docs/DOM/event.preventDefault – ThoKra Aug 05 '12 at 08:53
  • For the PHP side: if your `if (isset($_POST["username"]) && isset($_POST["password"])) {` is empty `false`, the entire `if`-statement will be skipped, and the rest of the page will load. So if you don't want the rest of the page to be loaded, add an `else` with a redirect. – ThoKra Aug 05 '12 at 08:57
1

You need to prevent default behaviour using return false:

if(username == "" || username == "username") {
  alert("Please enter a valid username");
  return false;
}

You can also use preventDefault(); also take a look at event.preventDefault() vs. return false.

Community
Zbigniew