-1

I created a login in my PHP, but can't seem to find the bug. I need help finding it. Below is my code:

My login.php:

<?php

if(isset($_POST['U_Name']) && isset($_POST['U_Pass'])){

$user = $_POST['U_Name'];
$pass = $_POST['U_Pass'];


if(!empty($user) && !empty($pass)){

        $query = mysql_query("SELECT * FROM accounts WHERE U_Name = '".$user."' AND U_Pass = '".$pass."'") or die (mysql_error());

        $data = mysql_fetch_array($query);

        $test = $data['U_Pass'];

        $query_run = $query;
        $query_num_rows = mysql_num_rows($query_run);

            if($query_num_rows == 0){


                echo "Invalid username/password";

                }

            else if($query_num_rows == 1){


                echo "ok";
                $user_id = mysql_result($query_run,0,'id');
                $user_id = $data['U_ID'];
                $_SESSION['user_id'] = $user_id;
                header("location:".$_SERVER['PHP_SELF']." ");
                }
            {
        }

    }
else{

    echo "You must supply a username and password";

}

}

?>

<div align = "center">
<form action ="<?php echo $current_file; ?>" method = "POST">
Username : <input type = "text" name = "username"> Password : <input type = "password" name = "password">
<input type = "submit" value = "Log in">
</form>
</div>

and connection.php:

<?php


$dbc = mysql_connect('localhost', 'root', '') or die ("Can't connect : ". mysql_error());

mysql_select_db('users', $dbc) or die ("Can't connect : ". mysql_error());


?>

Whenever I input my username and password, it would just return to my login page. Nothing happened, not even an error message. Please help me. Thanks.

Mark

2 Answers

4

You are reading the wrong POST fields; they must be the same as the form input field names. Try to change

if(isset($_POST['U_Name']) && isset($_POST['U_Pass'])){

$user = $_POST['U_Name'];
$pass = $_POST['U_Pass'];

to

if(isset($_POST['username']) && isset($_POST['password'])){

$user = $_POST['username'];
$pass = $_POST['password'];

because if you are using

<input type = "text" name = "username"> 
<input type = "password" name = "password">

then getting the data on POST looks like:

$user = $_POST['username'];
$pass = $_POST['password'];

Note: mysql_* has been deprecated; use mysqli_* or PDO.

Also use mysql_real_escape_string() to escape input strings.

Rakesh Sharma
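
The fix from this answer applied to the whole handler, as an added example that is not code from the question or the answers: the `$_POST` keys match the form's `name` attributes and the query uses a PDO prepared statement. It assumes `accounts.U_Pass` holds a `password_hash()` value (the page's code compares plaintext), and `find_account` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's or answerers' code.
// Assumptions: the PDO MySQL driver is available and accounts.U_Pass stores
// a password_hash() value; find_account() is a hypothetical helper.
session_start();

function find_account(PDO $db, string $user): ?array
{
    // Placeholder binding keeps $user out of the SQL text entirely.
    $stmt = $db->prepare('SELECT U_ID, U_Pass FROM accounts WHERE U_Name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Keys match the name="" attributes of the form below.
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        $error = 'You must supply a username and password';
    } else {
        // Same host, database and credentials as connection.php on the page.
        $db = new PDO('mysql:host=localhost;dbname=users;charset=utf8mb4', 'root', '', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        $account = find_account($db, $user);

        if ($account !== null && password_verify($pass, $account['U_Pass'])) {
            session_regenerate_id(true);   // new session ID after login
            $_SESSION['user_id'] = $account['U_ID'];
            header('Location: ' . $_SERVER['SCRIPT_NAME']);  // sent before any output
            exit;
        }
        $error = 'Invalid username/password';
    }
}
?>
<div align="center">
<?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
<form action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>" method="POST">
Username : <input type="text" name="username"> Password : <input type="password" name="password">
<input type="submit" value="Log in">
</form>
</div>
```
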
1

You set one set of names for the input fields in HTML:

<input type = "text" name = "username">

<input type = "password" name = "password">

but you are reading from

$user = $_POST['U_Name'];

$pass = $_POST['U_Pass'];

You have to use the same names in the HTML and when reading from $_POST, and this is not related to how your columns are named in the database.

Iłya Bursov
  • Please don't use code like that. I edited your answer for a reason. You've already made your point. – Funk Forty Niner May 30 '14 at 04:46
  • Your source code looks like this `<input type = "text" name = "**username**"> <input type = "password" name = "**password**">` – Funk Forty Niner May 30 '14 at 04:48
  • My point is that, pre-formatted code that looks like code and shows syntax highlighting, "sells" better. ;-) – Funk Forty Niner May 30 '14 at 05:06
  • @Fred-ii- my point was to show names, with code formatting this information is lost – Iłya Bursov May 30 '14 at 05:07
  • I know what you mean, don't get me wrong, emphasis is good. However, if you compare the amount of upvotes that the accepted answer has gotten, you'll see that others may not think the same way you do. I get it, but others won't. I'm just saying. – Funk Forty Niner May 30 '14 at 05:09