Login & Register System

Question

I have a little problem with my Login & Register System but I don't know where the problem is. When I press "Login" or "Register", the next page is white. I see only my message: "Try again!". I made 3 PHP files:

1) index.php

<!DOCTYPE html>
<html>
<head>
</head>
<body>
       <form action="logreg.php" metodh="post" accept-charset="utf-8">
    <label>Username:</label><input type="text" name="username" placeholder="Username">
    <br>
    <label>Password:</label><input type="password" name="password" placeholder="Password">
    <br>
    <input type="submit" name="login" value="Login">
    <input type="submit" name="register" value="Register">
       </form>
    
</body>
</html>

I think the problem is in the next file:

2) logreg.php

<?php

$servername = "localhost";
$username = "alex";
$password = "calamar28";
$database = "register/login";

$conn = mysqli_connect($servername, $username, $password, $database );

if(!$conn){
 die("Connection failde:".mysqli_connect_error());
}

if(isset($_POST["login"])) {
 $user = $_POST['username'];
 $pass = $_POST['password'];
  
 $sql = "SELECT * FROM users WHERE username='$user' AND password='$pass';";
  
 $result = mysqli_query($conn, $sql);
 $count = mysqli_num_rows($result);
 
 if ($count == 1)
 {
  header("Location: personal.php");
 }
 else
 {
  echo "Username or password is incorrect!";
 }
 
}
else if(isset($_POST["register"])) {
 $user = $_POST['username'];
 $pass = $_POST['password'];
  
 $sql = "INSERT INTO users (id, username, password) VALUES ('', '$user', '$pass')";
  
 $result = mysqli_query($conn, $sql);
}
else
{
 echo "Try again!";
} 
?>

3) personal.php

<?php

if(isset($_POST["login"])){
 echo "Welcome to you personal area !";
 echo '<a href = "proiect4.php">Your proiect</a>';
}
else
{
 echo "You are not logged in!";
}
?>

login stub for secure hashed passwords [here](http://stackoverflow.com/a/33665819) for mysqli. PDO link at bottom. If you have a password check in the `where` clause you are doing it wrong (ie: cleartext passwords or Timing Attack vulnerability). So, as a litmus test, if the password is referenced *in any way* in the `where` clause, the system is poorly designed. — Drew, Jul 14 '16 at 14:37
Not to mention the whole SQL Injection problem with your setup. See what it did to this guy [here](http://stackoverflow.com/questions/38297105/mysql-real-escape-string-not-working-for-this-specific-example-mysql-real-escap?noredirect=1#comment64014116_38297105) — Drew, Jul 14 '16 at 14:42

score 1 · Accepted Answer · answered Jul 14 '16 at 14:48

You will also need to set some session variables to carry through onto the personal.php page... This will help determine if the user has logged in successfully or not as the original posted data won't be transferred through when you redirect to this page... You'll want your logreg.php to be the following:

<?php
if (!isset($_SESSION)) {session_start();}    

$servername = "localhost";
$username = "alex";
$password = "calamar28";
$database = "register/login";

$conn = mysqli_connect($servername, $username, $password, $database );

if(!$conn){
 die("Connection failde:".mysqli_connect_error());
}

if(isset($_POST["login"])) {
 $user = $_POST['username'];
 $pass = $_POST['password'];
  
 $sql = "SELECT * FROM users WHERE username='$user' AND password='$pass';";
  
 $result = mysqli_query($conn, $sql);
 $count = mysqli_num_rows($result);
 
 if ($count == 1)
 {
                $_SESSION['loggedIn'] = 1;
  header("Location: personal.php");
 }
 else
 {
  echo "Username or password is incorrect!";
 }
 
}
else if(isset($_POST["register"])) {
 $user = $_POST['username'];
 $pass = $_POST['password'];
  
 $sql = "INSERT INTO users (id, username, password) VALUES ('', '$user', '$pass')";
  
 $result = mysqli_query($conn, $sql);
}
else
{
 echo "Try again!";
} 
?>

And then your personal.php page will change to the following:

<?php
if (!isset($_SESSION)) {session_start();} 

if(isset($_SESSION["loggedIn"]) && ($_SESSION["loggedIn"] == 1) ){
 echo "Welcome to you personal area !";
 echo '<a href = "proiect4.php">Your proiect</a>';
}
else
{
 echo "You are not logged in!";
}
?>

Thanks , this help me a lot! – Alex Costy Jul 14 '16 at 16:41 — Alex Costy, Jul 14 '16 at 16:41

score 0 · Answer 2 · answered Jul 14 '16 at 14:31

The Default Method for HTML Forms is GET. And in your HTML Code you wrote metodh instead of method. This would be ignored and then your method would automatically default to GET. Other than this, your PHP Code is fine. Change your HTML Code to look something like below and everything should work fine as expected:

<!DOCTYPE html>
    <html>
        <head>
        </head>
        <body>
           <form action="logreg.php" method="post" accept-charset="utf-8">
               <label>Username:</label><input type="text" name="username" placeholder="Username">
               <br>
               <label>Password:</label><input type="password" name="password" placeholder="Password">
               <br>
               <input type="submit" name="login" value="Login">
               <input type="submit" name="register" value="Register">
       </form>

    </body>
    </html>

Login & Register System

2 Answers2