0

I am trying to create a login form, however it is not working.

Here is the code of the login.php file:

```php
<?php
session_start();
if(isset($_SESSION['user'])) {
    header('location: index.php');
}
?>
<html>
<head>
    <title>Basic CMS - Login Area</title>
</head>
<body>
<form action="dologin.php" method="post">
    <table>
        <tr>
            <td><span>Username:</span></td>
            <td><input type="text" name="username" /></td>
        </tr>
        <tr>
            <td><span>Password:</span></td>
            <td><input type="password" name="password" /></td>
        </tr>
        <?php
        if (isset($message)) {
            echo "<tr><td colspan='2'>" . $message . "</td></tr>";
        }
        ?>
        <tr>
            <td colspan="2" align='right'><input type="submit" name="login" value="login" /></td>
        </tr>
    </table>
</form>
</body>
</html>
```

And here is the code of the dologin.php file:

```php
<?php
include('includes/functions.php');
session_start();

if (isset($_POST['login'])) {
    if (isset($_POST['username']) {
        if (isset($_POST['password'])) {
            $username = $_POST['username'];
            $query = mysql_query("SELECT * FROM users WHERE Username = '$username'") or die(mysql_error());
            $user = mysql_fetch_array($query);

            if (md5($_POST['password']) == $user['Password'] {
                $message = "Login succesful";
                $_SESSION['user'] = $user['Username'];
                header('location: index.php');
            }
            else {
                $message = "Please check your login details";
                include('login.php');
            }
        }
        else {
            $message =  "Please check your password!";
            include('login.php');
        }
    }
    else {
        $message =  "Please check your username!";
        include('login.php');
    }
}
else {
    $message =  "Please check that you filled out the login form!";
    include('login.php');
}

?>
```

When I submit the form on login.php it redirects to dologin.php however then nothing shows up there, no error or the form itself. Just a blank page, doesn't matter what I fill in in the form.

Please, help is appreciated.

roy-willemse
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 13 '14 at 13:42
  • And you should consider using [Netbeans](https://netbeans.org/features/php/) or [PhpStorm](http://www.jetbrains.com/phpstorm/) for development, missing brackets could be easily prevented. – skywalker Mar 13 '14 at 13:58

3 Answers

3

Well you didn't close your brackets properly on this line for a start:

```php
if (isset($_POST['username']) {
```

In future, please check your error logs before posting questions here. Or better still, put error_reporting(E_ALL); at the top of all your scripts until you're satisfied they're working properly.

And just to reiterate @Quentin's comment — you absolutely should not be using the old mysql commands any more, and putting user-supplied data straight into your database queries is really asking for trouble.

Community
r3mainer
1

You need to either close php tags or echo that. Here is one example:

```php
<?php
if (isset($message)) {
    echo '<tr><td colspan="2">'. $message .'</td></tr>';
}
?>
```
skywalker
  • Ok thanks that fixed that issue of it not displaying. However when the form submits to dologin.php it still doesn't work the way I want it to. – roy-willemse Mar 13 '14 at 13:49
  • @Gameshadow then it might be a good idea to tell how you want it to work, just saying. – d.abyss Mar 13 '14 at 13:50
1

You also have an error here:

```php
if (md5($_POST['password']) == $user['Password'] {
```

You are missing a closing bracket. It should be like this:

```php
if (md5($_POST['password']) == $user['Password']) {
```
Cameron
  • Damn you sir are a genius :) thanks a lot man it's working now. By the way is this a secure way of logging in? I md5 hashed the password in the database – roy-willemse Mar 13 '14 at 13:54
  • Thank you :). Another important thing to do when doing admin login pages is to make sure you have an SSL connection. Otherwise all the passwords are sent in clear text across the web. – Cameron Mar 13 '14 at 14:21
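
On the question of whether this login is secure: the sketch below is an added example, not code from anyone in the thread. It redoes the dologin.php credential check with a PDO prepared statement (the "modern replacement" the first comment points to) and `password_hash()`/`password_verify()` in place of unsalted MD5, upgrading existing MD5 rows at the next successful login. Assumptions: an in-memory SQLite database stands in for MySQL, the `users` table with `Username` and `Password` columns follows the question's query, and the function name `check_login` and the sample account are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: in-memory SQLite stands
// in for MySQL; table and column names follow the question's query.

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps $username out of the SQL text entirely.
    $stmt = $db->prepare('SELECT Username, Password FROM users WHERE Username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false; // no such user
    }

    $stored = $user['Password'];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy unsalted MD5 row: constant-time compare, upgrade on success.
        $ok = hash_equals(strtolower($stored), md5($password));
        $upgrade = $ok;
    } else {
        $ok = password_verify($password, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    if ($upgrade) {
        // Replace the stored value with a salted, slow hash.
        $db->prepare('UPDATE users SET Password = ? WHERE Username = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user['Username']]);
    }
    return $ok;
}

// Constructed sample data: one account still stored as MD5, as in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['admin', md5('sample-pass')]);

// A username containing a quote is bound as data and simply matches no row.
var_dump(check_login($db, "o'brien", 'sample-pass'));
// Wrong password for an existing account.
var_dump(check_login($db, 'admin', 'wrong-pass'));
// Correct password: verified against the MD5 row, which is then re-hashed.
var_dump(check_login($db, 'admin', 'sample-pass'));
// The stored value is now a password_hash() string.
$hash = $db->query("SELECT Password FROM users WHERE Username = 'admin'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']);
// Later logins go through password_verify().
var_dump(check_login($db, 'admin', 'sample-pass'));
```

With MySQL the same function works unchanged once the `PDO` object is created with a `mysql:` DSN; the `Password` column needs to be wide enough for the longer hash string (the PHP manual recommends 255 characters).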