0

What ever I type in the loginboxes, it accepts it as a successful login I simply cannot resolve this error... Am am very new to php, but hopefully I'll get this to work.

<?php
session_start();
include_once "inc/connect.php";

if($_POST['login']){
    include_once("inc/connect.php");
    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);

    $username = stripslashes($username);
    $password = stripslashes($password);

    $username = mysqli_real_escape_string($username);
    $password = mysqli_real_escape_string($password);
    $password = md5($password);

    $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
    $query = mysqli_query($db, $sql);
    $row = mysqli_fetch_array($query);
    $id = $row['id'];
    $db_password = $row['password']; 

    if($password == $db_password) {
        $_SESSION['username'] = $username;
        $_SESSION['id'] = $id;
        header("Location: board.php");

    } else {
        echo "you didn't enter the corret detail";
    }


}

?>

Chris.A
  • 1
  • 1
    Consult these following links http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. – Funk Forty Niner Dec 07 '15 at 20:32
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Dec 07 '15 at 21:24

2 Answers2

1

it helps if you try doing an echo of your variables in your code, this shows you the values of your variables during development. It is not the solution to your problem, but helps you debugging and finding the error.

another thing I see is your SQL code, what is unsafe. Please check this: How can I prevent SQL injection in PHP?

updated your code:

<?php
session_start();
include_once "inc/connect.php";

if($_POST['login']){
    include_once("inc/connect.php");
    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);

    echo "username: " . $username . "<br>";
    echo "password: " . $password . "<br>";

    $username = stripslashes($username);
    $password = stripslashes($password);

    echo "username: " . $username . "<br>";
    echo "password: " . $password . "<br>";

    $username = mysqli_real_escape_string($username);
    $password = mysqli_real_escape_string($password);
    $password = md5($password);

    echo "username: " . $username . "<br>";
    echo "password: " . $password . "<br>";

    $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
    $query = mysqli_query($db, $sql);
    $row = mysqli_fetch_array($query);
    $id = $row['id'];
    $db_password = $row['password']; 

    echo "password1: " . $db_password. "<br>";
    echo "password2: " . $password . "<br>";

    if($password == $db_password) {
        $_SESSION['username'] = $username;
        $_SESSION['id'] = $id;
        header("Location: board.php");

    } else {
        echo "you didn't enter the corret detail";
    }


}
?>

I hope this helps !

Community
  • 1
  • 1
haypro
  • 85
  • 13
0

Firstly, mysqli_real_escape_string() requires a database connection be passed as the first parameter, as outlined in the manual:

Procedural style:

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

Therefore, you need to change:

$username = mysqli_real_escape_string($username);
$password = mysqli_real_escape_string($password);

to:

$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);

Having checked for errors, would have thrown you an error, by checking for them in your query:

$query = mysqli_query($db, $sql) or die(mysqli_error($db));

Reference:

Then, since you haven't posted your HTML, it's unsure of the syntax you're using. Therefore, it should look something like this, and making sure there is a POST method and that the elements bear the correct name attributes.

I.e.:

<form action="handler.php" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" name="submit" value="SUBMIT">
</form>

Assuming an successful mysqli_ connection. If you are using anything other than the mysqli_ API to connect with, then you won't be able to query at all.

Different MySQL APIs do not intermix. You must use the same API from connection to querying.

References:

Another thing, your entire code's execution relies on this conditional statement:

if($_POST['login']){...}

If there isn't an element of that same name attribute, then nothing will fire at all.

It's also best to use isset() if(isset($_POST['login'])){...}, which I am under the impression is a submit button.

Sidenote: You're also including include_once "inc/connect.php"; twice; remove one.

Add exit; for your header, otherwise your code may want to continue to execute:

header("Location: board.php");
exit;

You also need to make sure that your database does indeed have the right data for the username/password, that the password was indeed hashed using MD5 (more about your use of MD5, below and under Passwords), that they're of the correct type and their lengths long enough.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Passwords

I noticed that you are using MD5 as a password hashing storage function.

  • This is not recommended.

It is old and no longer considered safe to use in this day and age. A lot of water has gone under the bridge in 30+ years.

Use one of the following:

Other links:

About sessions:

If you're using sessions in other pages, make sure that the session was started in those pages also.

session_start(); must reside inside all pages using sessions.

Reference:

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141