
What is wrong with my code? It doesn't log in; what am I doing wrong? The `echo "1;"` etc. is for checking whether, for example, my connection is good.

```php
<?php
session_start();

// Default the POST fields to empty strings so later reads do not raise
// undefined-index notices.
if (!isset($_POST['username']))
    $_POST['username'] = '';
if (!isset($_POST['password']))
    $_POST['password'] = '';

// Already logged in: send a redirect (no exit follows the header() call,
// so the rest of the script still runs).
if (isset($_SESSION['ingelogd'])) header("location: index.php");

$dbhost = "localhost";
$dbuser = "pc4u0fi_username";
$dbpass = "pc4upc4u1";
$dbname = "pc4u0fi_pc4u";
$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

if ($conn->connect_error) die("Connection failed");
// Debug markers: every echo below sends output to the browser before the
// later header() call.
echo "1;";
if (isset($_POST['submit'])) {
    echo "2;";

    $uname = $_POST['username'];
    $wwoord = $_POST['password'];
    echo "3;";

    // Username and password are concatenated straight into the SQL string
    // and the password is compared as plain text in the database.
    $query = 'SELECT * FROM Klanten WHERE klant_username = "' . $uname . '" && klant_password = "' . $wwoord . '"';
    echo "4;";

    $result = $conn->query($query);

    if ($result->num_rows == 1) {
        $result = $result->fetch_row();
        $_SESSION['ingelogd'] = true;
        echo "5;";

        header("location: index.php");
    } else {
        $msg = "Inloggegevens incorrect.";
    }
    //$conn->close();
}
?>
<script>
function myFunction() {
    alert("U bericht is verzonden. Er word zo spoedig mogelijk contact met u opgenomen.");
}
</script>
<link href="contact.css" rel="stylesheet">

<style type="text/css">
input, td, tr {
    padding-right: 20px;
}
</style>
<form class="form-horizontal" role="form" method="post">
    <div class="form-group">
        <label class="control-label col-sm-2" style="text-align: left; width: 120px; margin-left: 10px; margin-top: 10px;" for="username">Username:</label>
        <div class="col-sm-10">
            <input type="text" class="form-control" id="username" name="username" style="width: 250px; margin-top: 10px;" required placeholder="">
        </div>
    </div>
    <div class="form-group">
        <label class="control-label col-sm-2" for="password" style="text-align: left; width: 120px; margin-left: 10px; margin-top: 10px;">Password:</label>
        <div class="col-sm-10">
            <input type="password" class="form-control" id="password" name="password" style="width: 250px; margin-top: 10px;" required placeholder="">
        </div>
    </div>
    <div class="form-group">
        <div class="col-sm-offset-2 col-sm-10">
            <button type="submit" style="margin-left: 120px; margin-bottom: 10px;" class="btn btn-default" name="submit">Inloggen</button>
        </div>
    </div>
</form>
```
lucafj2j282j
  • Are there any errors? Enable errors. – Madhawa Priyashantha Jun 03 '16 at 07:40
  • Have you got any error? And what does your code echo: 1, 2, 3? – Saty Jun 03 '16 at 07:41
  • What did you get after you ran it? – Rizaldi Maulidia Jun 03 '16 at 07:45
  • Try it: $result->num_rows > 0 – A. Jain Jun 03 '16 at 07:50
  • No errors. num_rows > 0 doesn't do it – lucafj2j282j Jun 03 '16 at 08:01
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 03 '16 at 13:18
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 03 '16 at 13:18

2 Answers


From php.net:

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP.

By echoing the numbers, you might break the redirection to index.php.

xjmdoo

The first step you'll have to take is to put an exit; after every header() function you have. If you do not do this, the code that comes after the header() function will still continue to execute.

A second good practice is to only execute the query if a form is actually submitted. You can do this using:

```php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Validate login here
}
```
Peter
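As an added example (not code from the question or from either answer), here is the same login page once the points raised on this page are applied together: prepared statements and `password_verify()` from the comments, no output before `header()` from the first answer, and `exit` after `header()` plus the `REQUEST_METHOD` check from the second. The table, column, session-key and message names are taken from the question; `DB_USER`/`DB_PASS`/`DB_NAME` are placeholders and the `redirect()` and `checkLogin()` helpers are assumptions of this example. It assumes PHP 7+ with mysqli.

```php
<?php
// Added example, not the asker's code. Names from the question: table Klanten,
// columns klant_username / klant_password, session key 'ingelogd', redirect
// target index.php, message text. Connection values are placeholders.
declare(strict_types=1);

session_start();

/**
 * Redirect and stop (assumed helper). headers_sent() reports whether output
 * already went to the browser, which is why the question's redirect silently
 * fails, so the condition is logged instead of hidden. exit prevents any code
 * after the redirect from running.
 */
function redirect(string $to): void
{
    if (headers_sent($file, $line)) {
        error_log("Cannot redirect to $to: output already started at $file:$line");
        exit;
    }
    header('Location: ' . $to);
    exit;
}

/**
 * Look up the user with a prepared statement and verify the password hash in
 * PHP (assumed helper). Returns true only when the user exists and matches.
 */
function checkLogin(mysqli $conn, string $uname, string $wwoord): bool
{
    // The username is a bound parameter, never part of the SQL text, so its
    // content cannot change the shape of the query.
    $stmt = $conn->prepare(
        'SELECT klant_password FROM Klanten WHERE klant_username = ? LIMIT 1'
    );
    if ($stmt === false) {
        error_log('prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // klant_password is expected to hold a password_hash() value written at
    // registration with password_hash($plain, PASSWORD_DEFAULT), not the
    // plain password. password_verify() does the comparison.
    return $found && is_string($storedHash) && password_verify($wwoord, $storedHash);
}

if (isset($_SESSION['ingelogd'])) {
    redirect('index.php');
}

$msg = '';

// Run the login logic only on an actual form submission.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uname  = (string) ($_POST['username'] ?? '');
    $wwoord = (string) ($_POST['password'] ?? '');

    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
    if ($conn->connect_error) {
        error_log('DB connection failed: ' . $conn->connect_error); // detail stays server-side
        http_response_code(500);
        exit('Service unavailable');
    }

    $ok = checkLogin($conn, $uname, $wwoord);
    $conn->close();

    if ($ok) {
        session_regenerate_id(true); // fresh session id once authenticated
        $_SESSION['ingelogd'] = true;
        redirect('index.php');       // nothing has been echoed before this point
    }
    $msg = 'Inloggegevens incorrect.'; // same text for unknown user and wrong password
}
?>
<?php if ($msg !== ''): ?>
<p><?= htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
```

The question's HTML form can follow this block unchanged. The one data change it requires is that `klant_password` holds `password_hash()` output rather than the plain password; rows stored in plain text will simply fail `password_verify()` until they are re-hashed. Because all debug output is gone and every `header()` is followed by `exit`, the redirect to `index.php` no longer depends on what was echoed earlier in the file.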