I'm a beginner at PHP and I have created a simple login system with PHP and mysqli for my website. However, my code won't validate, such as "username doesn't exist", and I'm not sure how to make the account for the user so that it is individual. My code is in 3 files, all linked. connection.php contains session_start(); and the connection to the database.

Homepage.php - what the form appears on

<?php
 include 'login.php';
 ?>
 <section>
 <img id="image1" src="homepic.jpg" alt="logo" /> 
 </section>

loginform.php

<link rel="stylesheet" href="homecss.css"/>
<div id="form">
<h2>Login</h2>
<form method="post" action="loginSubmit.php">
User Name: <br/>
<input type="name" name="username" type="text" /><br />
 Password: <br/>
 <input id="password" name="password" type="password" /><br />
 <input type="submit" name="logsubmit" value="Login" />
 </form></div>

login.php

<link rel="stylesheet" href="homecss.css"/>

<?php
include './connection.php';
?>
<div id="form">
<?php

if(!isset($_SESSION['authenticatedusername'])){
 include './loginform.php'; 

if (!empty($_POST['username'])) {
echo "Username is required";
 }
 if (!empty($_POST['password'])) {
echo "Password is required";

 }
 }
 else{  
echo 'welcome   '. $_SESSION['authenticatedusername'];
echo '<br/><a href ="logout.php"> logout </a>';
echo '<br/><a href ="account.php"> My account </a>';

//check to see if error message is to be displayed
if (isset($_SESSION['message'])){
echo $_SESSION['message']="login failed";
}

?>
</div>

loginSubmit.php

<?php
include "connection.php";
if(isset($_POST['logsubmit'])){
$user=$_POST['username'];
$pass=$_POST['password'];
$query= "SELECT * FROM users WHERE user_name='$user' AND user_password='$pass'";
$result=mysqli_query($connection, $query);

if ($row = mysqli_num_rows($result) >0){
$_SESSION['authenticatedusername']=$user;
header ("Location: homepage.php");

} else{
echo $_SESSION['message'];
header("Location: homepage.php");
}
}
?>
b1234
  • Your code is vulnerable to SQL injections; you should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Dec 15 '14 at 14:03
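
An added example (not code from the question or from either answer) of loginSubmit.php using a prepared statement, which closes the SQL injection noted in the comment above. It keeps the page's `users` table, `user_name` and `user_password` columns and `$connection` variable; the helper name `check_login` is hypothetical, and it assumes `user_password` stores a `password_hash()` value rather than plaintext.

```php
<?php
// loginSubmit.php, hardened variant (added example, not the asker's code).
// Assumes connection.php calls session_start() and defines $connection (mysqli),
// and that users.user_password holds a password_hash() value, not plaintext.
include "connection.php";

/**
 * Return true when $user exists and $pass matches the stored hash.
 * (check_login is a hypothetical helper name.)
 */
function check_login(mysqli $connection, string $user, string $pass): bool
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = mysqli_prepare($connection,
        "SELECT user_password FROM users WHERE user_name = ? LIMIT 1");
    if ($stmt === false) {
        error_log("login prepare failed: " . mysqli_error($connection));
        return false;
    }
    mysqli_stmt_bind_param($stmt, "s", $user);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);

    // Only verify when a row was fetched; password_verify checks the hash.
    return $found === true && password_verify($pass, $hash);
}

if (isset($_POST['logsubmit'])) {
    $user = trim($_POST['username'] ?? '');
    $pass = $_POST['password'] ?? '';

    if ($user === '' || $pass === '') {
        $_SESSION['message'] = "Username and password are required";
    } elseif (check_login($connection, $user, $pass)) {
        session_regenerate_id(true);     // issue a new session id after login
        unset($_SESSION['message']);
        $_SESSION['authenticatedusername'] = $user;
    } else {
        // Same message for an unknown user and a wrong password.
        $_SESSION['message'] = "login failed";
    }
    header("Location: homepage.php");
    exit;                                // stop so nothing runs after the redirect
}
```

Because the username now reaches the session unmodified, the page that prints it should wrap it in `htmlspecialchars()` before echoing.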

2 Answers

0

You are using the wrong condition with empty():

if (!empty($_POST['username'])) { // If username is filled, you are showing error.
echo "Username is required";
 }
 if (!empty($_POST['password'])) { // If password is filled, you are showing error.
echo "Password is required";

 }

Should be

if (empty($_POST['username'])) { // If username is not filled, show error.
echo "Username is required";
 }
 if (empty($_POST['password'])) { // If password is not filled, show error.
echo "Password is required";
 }
Pupil
  • I changed it; however, as soon as I refresh the page and don't press anything, 'username required' and 'password required' are just on the page as though they are echoing out. How do I change this? – b1234 Dec 15 '14 at 12:17
  • Add this condition before the above: if(isset($_POST['logsubmit'])){ – Pupil Dec 15 '14 at 12:19
  • I tried that however it still does the same and no longer logs in? – b1234 Dec 15 '14 at 12:32
  • Can you post your table structure and the username / password you're using? I would definitely escape the data `$user` and `$pass` for your mysql query [http://php.net/manual/en/mysqli.real-escape-string.php] and also turn on error reporting and print out the [http://php.net/manual/en/mysqli.error.php] after your `mysqli_query`. I guess you will have an error in the query somehow. – John Dec 15 '14 at 13:17
0

This code shall find the error in your MySQL query, as it points there. The error may be caused by unescaped user and pass variables or a typo in a field name... whatever it is, it will show you.

<?php
include "connection.php";
if(isset($_POST['logsubmit'])){
$user=mysqli_real_escape_string($connection, $_POST['username']);
$pass=mysqli_real_escape_string($connection, $_POST['password']);
$query= "SELECT * FROM users WHERE user_name='$user' AND user_password='$pass'";


if (!$result=mysqli_query($connection, $query)) {
echo "<div>".htmlspecialchars($query)."</div>"; //this outputs your query as sent to MySQL, HTML-escaped
echo "<div>".htmlspecialchars(mysqli_error($connection))."</div>"; // this will output the mysql error
} elseif (mysqli_num_rows($result) > 0) { // count rows only when the query succeeded
$_SESSION['authenticatedusername']=$user;
header ("Location: homepage.php");

} else{
echo $_SESSION['message'];
// header("Location: homepage.php"); //disabled to see the error
}
}
?>
<a href="homepage.php"> Homepage </a>
John