Login using PHP and MySQL not work

Question

i create a login form using php and mysql. My process is if user is successfully login to there database then it show the username on the page. this is my Database:

id | username |    email    |         password
---------------------------------------------------------------------------------
 1 |    x     |    x@y.c    | 642653d3f6d0a83db108b692de395f9cb8948651
 2 |    y     |    y@y.c    | 642653d3f6d0a83db108b692de395f9cb8948651
 3 |    z     |    z@y.c    | 642653d3f6d0a83db108b692de395f9cb8948651
 4 |    w     |    w@y.c    | 642653d3f6d0a83db108b692de395f9cb8948651

and my code is:

    <?php
define('INCLUDE_CHECK',true);
require 'db.php';
session_name('flLogin');
session_set_cookie_params(2*7*24*60*60);
session_start();
if($_SESSION['id'] && !isset($_COOKIE['flRemember']) && !$_SESSION['rememberMe'])
{
    $_SESSION = array();
    session_destroy();
}
if(isset($_GET['logoff']))
{
    $_SESSION = array();
    session_destroy();
    header("Location: index.php");
    exit;
}
if($_POST['submit']=='Login')
{
    $err = array();
    if(!$_POST['email'] || !$_POST['password'])
        $err[] = 'All the fields must be filled in!';
    if(!count($err))
    {
            $hasspass=md5($_POST['password']);
        $_POST['email'] = mysql_real_escape_string($_POST['email']);
        $_POST['password'] = mysql_real_escape_string($_POST['password']);
        $_POST['rememberMe'] = (int)$_POST['rememberMe'];
        $row = mysql_fetch_assoc(mysql_query("SELECT id,username,email FROM database WHERE email='{$_POST['email']}' AND password='".$hasspass."'"));
        if($row['email'])
        {
            $_SESSION['email']=$row['email'];
            $_SESSION['id'] = $row['id'];
            $_SESSION['username'] = $row['username'];
            $_SESSION['rememberMe'] = $_POST['rememberMe'];
            setcookie('flRemember',$_POST['rememberMe']);
        }
        else $err[]='Wrong email and/or password!';
    }
    if($err)
    $_SESSION['msg']['login-err'] = implode('<br />',$err);
    header("Location: index.php");
    exit;
}
?>
<html>
<head>
</head>
<body>
<div id="toppanel">
    <div id="panel">
        <div class="content clearfix">
            <?php
            if(!$_SESSION['id']):
            ?>
            <div class="left">
                <form class="clearfix" action="" method="post">
                    <?php
                        if($_SESSION['msg']['login-err'])
                        {
                            echo '<div class="err">'.$_SESSION['msg']['login-err'].'</div>';
                            unset($_SESSION['msg']['login-err']);
                        }
                    ?>
                    <input class="field" type="email" name="email" id="email"  placeholder="email" value="" size="23" />
                    <input class="field" type="password" name="password" id="password" placeholder="password" size="23" />
                    <label><input name="rememberMe" id="rememberMe" type="checkbox" checked="checked" value="1" /> &nbsp;Remember me</label>
                    <input type="submit" name="submit" value="Login" class="bt_login" />
                </form>
            </div>

            <?php
            else:
            endif;
            ?>
        </div>
    </div> <!-- /login -->  


            <?php echo $_SESSION['id'] ? $_SESSION['username'] : ' ';?>         
                <a href="#"><?php echo $_SESSION['id']?'<a href="?logoff">Log off</a>':'Log In | Register';?></a>   


</body>
</html>

Its not worked. I don't found the error. Please someone help me.

You are open to [SQL Injection Attack](http://en.wikipedia.org/wiki/SQL_injection) and you are using a Deprecated API. Please find a fix [here](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). — Shankar Narayana Damodaran, Jun 08 '14 at 05:06
@ShankarDamodaran is it me or he is using mysql_real_escape_string ? or you can't re-write $_POST values — Zerquix18, Jun 08 '14 at 05:07
@Zerquix18, **Both**. You should suggest the OP to switch over to `PDO/MySQLi` Prepared Statements. — Shankar Narayana Damodaran, Jun 08 '14 at 05:11

score 0 · Answer 1 · answered Jun 08 '14 at 05:06

Try with this:

$query = mysql_query("SELECT id,username,email FROM database WHERE email='{$_POST['email']}' AND password='".$hasspass."'");
if( mysql_num_rows($query) > 0 ) {
   $row = mysql_fetch_assoc($query);
   // save your $_SESSION values here...
}else{
   $err[]='Wrong email and/or password!';
}

score 0 · Answer 2 · answered Jul 08 '14 at 04:48

0

if($_POST['submit']=='Login')

change this to

if($_POST['submit'])

Thats it

answered Jul 08 '14 at 04:48

Mohit S

13,723
6
34
69

Login using PHP and MySQL not work

2 Answers2