not sure why my login won't work

Question

I have created a login so that a user can log into a site, I am using php and phphmyadmin to create the login, i used the same code for another project I am doing and it worked fine but it won't work now and doesn't seem to like line 15, what am I doing wrong.

Here is my code

<?php
    session_start();
?>

<header id="page_header">

<?php

  include "connect.php";

  if (isset($_POST['username']) and isset($_POST['password'])){

$username = $_POST['username'];

$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' and password='$password'";

$result = mysqli_query($con, $query) or die(mysqli_error());

$count = mysqli_num_rows($result);

if ($count == 1){

$_SESSION['username'] = $username;

}else {

echo "Invalid Login Credentials.";

}


} 

?>




<div id = "menu">
            <nav>
          <ul>
            <li><img src="../img/buzz_party.png"></li>
              <li><a href="index.php">Home</a></li> &nbsp; &nbsp; &nbsp;
              <li><a href="aboutus.php">About Us</a></li> &nbsp; &nbsp; &nbsp;
              <li><a href="advertising.php">Supplies</a></li> &nbsp; &nbsp; &nbsp;
              <li><a href="items.php">Party Supplies</a></li> &nbsp; &nbsp; &nbsp;
              <li><a href="contact.php">Contact Us</a></li> &nbsp; &nbsp; &nbsp;

            </nav>

        </div>

                  <div id = "login_details">

            <?php      

       if (isset($_SESSION['username'])){

$username = $_SESSION['username'];

echo "Hello " . $username . " ";


}

echo "<a href='logout.php'>Logout</a>";

?>

     </div>

    <div id="login">

<form action="index.php" method="post">

          <label for="username" class="uname" data-icon="u" >Username:</label>
          <input id="username" name="username" required="required" type="text" size="10" placeholder="Username"/>


          <label for="password" class="youpasswd" data-icon="p">Password:</label>
          <input id="password" name="password" required="required" type="password" size="10" placeholder="Password" /> 

          <input type="submit" value="Login" /> 

        </form>

      </div>

</header>

[15-Apr-2015 17:06:22 Europe/Berlin] PHP Warning: mysqli_error() expects exactly 1 parameter, 0 given in /Applications/MAMP/htdocs/group 19/php/header.php on line 15 — Rebekah, Apr 15 '15 at 15:24
Use `mysqli_error($con)` with the connection variable parameter. — Funk Forty Niner, Apr 15 '15 at 15:24
Ok, well you decided to choose another. They obviously took my comment and made it an answer. — Funk Forty Niner, Apr 15 '15 at 15:33
sorry about that, would anyone have any idea how to make the login form disappear after the user has logged in? — Rebekah, Apr 15 '15 at 15:44
It's ok. It was resolved, but have added some extra information to my answer for you and future visitors, in regards to security in DB and password storage. — Funk Forty Niner, Apr 15 '15 at 15:46
I've made an edit to my answer under **Edit**. You can check that out to see if that is the result you're looking for, in regards to making the form disappear. Read it carefully; there is information about "headers" in there. — Funk Forty Niner, Apr 15 '15 at 16:02

score 4 · Answer 1 · edited May 23 '17 at 12:32

mysqli_error() requires that the connection be passed as a parameter

mysqli_error($con)

http://php.net/manual/en/mysqli.error.php

Procedural style

string mysqli_error ( mysqli $link )

Regarding passwords

I noticed that you may be storing passwords in plain text.

This is not recommended and is an unsafe method.

Use one of the following:

CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Other links:

PBKDF2 For PHP

Sidenote: Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

Edit:

"would anyone have any idea how to make the login form disappear after the user has logged in?"

Bonus answer:

You can redirect to another page with header().

However, you already have output using <header id="page_header"> therefore you will need to place that below your present PHP codes. Otherwise, it will throw a warning of headers already sent. Using ob_start(); sometimes works, but not always.

Where you presently have:

if ($count == 1){

$_SESSION['username'] = $username;

}

Add a header and an exit:

if ($count == 1){

$_SESSION['username'] = $username;

    header("Location: http://www.example.com");
    exit;

}

Or, you can simply use exit; if you don't want to redirect.

@ʰᵈˑ You win some, you lose some, *what can you do*. Thanks though. At least it will be made available for future visitors to the question. An extra in Stack's archive, *cheers* — Funk Forty Niner, Apr 15 '15 at 15:45
@Rebekah You wrote: *"so confused right now"* - And I replied "confused about what?". — Funk Forty Niner, Apr 15 '15 at 19:08

score 1 · Accepted Answer · answered Apr 15 '15 at 15:26

1

You need to have the connection parameter passed into mysqli_error(), like so:

$result = mysqli_query($con, $query) or die(mysqli_error($con));

Also, you're not sanitizing foreign data from $_POST. You're vulnerable to SQL injection.

answered Apr 15 '15 at 15:26

David Wyly

1,671
1
11
19

2

Perhaps give some tips on how to secure against SQLi, like [this answer](http://stackoverflow.com/a/29654448/3000179) – ʰᵈˑ Apr 15 '15 at 15:42

score 0 · Answer 3 · answered Apr 15 '15 at 15:27

0

You need to give a parameter to mysqli_error():

mysqli_error(connection);

See here: http://www.w3schools.com/php/func_mysqli_error.asp

answered Apr 15 '15 at 15:27

flo

11
1
7

not sure why my login won't work

3 Answers3