I have been trying to get my login script to work, but I haven't found a way to do it. It does actually log in, but it doesn't check the database to see whether the user has been registered or not. Could any of you help me out? This is the script I have been trying to get to work but haven't been able to yet.

Excuse me for the Dutch words in the code.

Oh and don't worry about the md5, I'm just practicing not actually putting this site online :)

    <?php
    if (isset($_POST['username'])){
        // strip backslashes
        $username = stripslashes($_POST['username']);
        $password = stripslashes($_POST['password']);

        $username = mysqli_real_escape_string($conn, $username);
        $password = mysqli_real_escape_string($conn, $password);

        $password = md5($password);

        $query = "SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password'";
        $result = mysqli_query($conn,$query) or die(mysql_error());
        $rows = mysqli_num_rows($result);
        $data = mysqli_fetch_assoc($result);

        if($rows==1){
            // create a session with the username and redirect to the homepage
            $_SESSION['username'] = $username;
            $_SESSION['user_id'] = $data['id'];
            header("Location: /");
        }else{
            echo "
                <div class='form'>
                    <h3>Gebruikersnaam en/of wachtwoord is incorrect</h3>
                    <br/>Klik <a href='inloggen.php'>hier</a> om opnieuw te proberen.
                </div>
            ";
        }
    } else {
    ?>

    <div class="form">
        <h1>Log In</h1>
        <form action="bloemen.html" method="post" name="login">
            <input type="text" name="username" placeholder="Username" required />
            <input type="password" name="password" placeholder="Password" required />
            <input name="submit" type="submit" value="Login" />
        </form>
        <p>Nog niet geregistreerd? <a href='registreren.php'>Registeren</a></p>
        <p>Bent u een medewerker? <a href='medewerker-login.php'> Inloggen</a></p>
    </div>
    <?php } ?>

Funk Forty Niner
Tom Kik
  • Your code is vulnerable to SQL injection – Clijsters May 30 '17 at 14:20
  • Why practice with MD5() at all? Because this isn't practice at all. Don't even *play* with the wrong way to do things. Just do it right the first time. – John Conde May 30 '17 at 14:21
  • You're also mixing mysql and mysqli. – John Conde May 30 '17 at 14:21
  • If it logs you in, it has to hit the DB. What is the problem? – Eduard Void May 30 '17 at 14:22
  • *"I'm just practicing not actually putting this site online"* - Right, and as John said. So is this homework or you're just doing this for kicks? – Funk Forty Niner May 30 '17 at 14:23
  • Homework. The problem is that it doesn't check if the username / password exist in the database @edu, it just "logs" me in either way – Tom Kik May 30 '17 at 14:23
  • It does. If it does not exist in the DB then $rows != 1 and you are not logged in – Eduard Void May 30 '17 at 14:24
  • @TomKik: But you said it *does* log you in. Which means it's setting `$_SESSION['user_id'] = $data['id']`, right? Isn't that an indication that it's working? – David May 30 '17 at 14:24
  • @TomKik Are you sure you are not still logged in from previous attempts? Did you destroy the session before trying again? – Ivar May 30 '17 at 14:25
  • `password` = '$password'" - this will not be evaluated by PHP as $password is enclosed in single quotes. – Marc Steven Plotz May 30 '17 at 14:25
  • @Clijsters where is the vulnerability? ;) – Eduard Void May 30 '17 at 14:25
  • @MarcStevenPlotz Ummm.. that's how MySQL works, this isn't "PHP"; totally different animal. Edit: and who upvoted that comment and why? – Funk Forty Niner May 30 '17 at 14:26
  • @MarcStevenPlotz really? Try it ;) that's how strings in PHP work. Nothing to do with SQL – Eduard Void May 30 '17 at 14:26
  • I think I misworded it @David. Whenever I click the login button it forwards me; I am unsure if it hits the database or not. – Tom Kik May 30 '17 at 14:26
  • Are you posting to another page?, i.e. `bloemen.html`? If you are posting to an HTML page, then the PHP script won't be executed. – JustBaron May 30 '17 at 14:27
  • I also don't see the session being started nor an exit after header. – Funk Forty Niner May 30 '17 at 14:27
  • @MarcStevenPlotz the whole query is inside double quotes, the single quotes belong to the string here – Kaddath May 30 '17 at 14:28
  • @EduardVoid: The vulnerability is the use of user input as SQL code. Even if it's "sanitized", user-modifiable values should never be executed as code. Escaping the values isn't perfect: https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – David May 30 '17 at 14:28
  • Yes it redirects to bloemen.html @JustBaron – Tom Kik May 30 '17 at 14:28
  • My bad, you're right. Noob moment there for me :) – Marc Steven Plotz May 30 '17 at 14:28
  • Check that the password was saved with md5 and that the password column is long enough to hold that hash; otherwise I can't see this failing, and using `>0` instead of `==1` – Funk Forty Niner May 30 '17 at 14:28
  • @EduardVoid: Look at [this](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)? But yeah, I posted a little prematurely – Clijsters May 30 '17 at 14:29
  • @TomKik: If it's redirecting you then `$rows == 1` is `true`. So I'm still not seeing any actual indication of a problem description here. – David May 30 '17 at 14:29
  • If you are posting to an HTML page, then the PHP script won't be executed – JustBaron May 30 '17 at 14:29
  • @Clijsters oh my god. I have to refactor a lot of code :D thx for knowledge – Eduard Void May 30 '17 at 14:32
  • So would I just have to make a .php page that it redirects to @JustBaron? – Tom Kik May 30 '17 at 14:34
  • As I understood it, the real_escape_string method is 100% working only when the charset is set. I got really scared of this, but I am safe as I always SET NAMES utf8 just after creating a connection to the DB. And maybe also Tom Kik has the charset definition in the script where $conn is defined. Am I right? – Eduard Void May 30 '17 at 14:43
  • @TomKik either post to the same page as your form, e.g. Form.php; or to another that has the PHP script on, e.g. Login.php. HTML does nothing server-side. Fundamentals are, post to the page where the PHP-script is. – JustBaron May 30 '17 at 15:03

1 Answer

Your form is posting to an HTML file called "bloemen.html".

    <form action="bloemen.html" method="post" name="login">

If your page "bloemen.html" is simple HTML, then it won't process any PHP, server-side script.

You need to post to the page where your PHP-script resides, i.e. either the same PHP page as your form:

    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post" name="login">

or to another page:

    <form action="Login.php" method="post" name="login">

Once you've posted to the appropriate script, you should then perform your server-side script to determine whether the username/password exists in the database.

Make sure you use current database queries/prepared statements; and encryption/decryption techniques. Google will help you with these.

Hope that helps.

JustBaron
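To tie the answer together with the advice in the comments (post to the PHP script, start the session, `exit` after the redirect, use prepared statements and a real password hash instead of `md5()`), here is a hardened `login.php` as an added example; it is not the asker's or answerer's code. It assumes the form posts to this same file, that an included `db.php` (assumed name) creates `$conn` as a `mysqli` connection with the charset set, and a `users` table with `id`, `username` and `password_hash` columns (the `password_hash` column, filled by `password_hash()` at registration, is assumed).

```php
<?php
// Added example (not from the question or answer): hardened login.php.
// Assumes db.php (assumed file) defines $conn = new mysqli(...) and calls
// $conn->set_charset('utf8mb4'); assumes users(id, username, password_hash).
declare(strict_types=1);
session_start();                       // must run before any output
require __DIR__ . '/db.php';

function attempt_login(mysqli $conn, string $username, string $password): ?int
{
    // Prepared statement: the username is bound as data, never spliced into SQL,
    // so escaping/charset tricks from the comments do not apply.
    $stmt = $conn->prepare('SELECT `id`, `password_hash` FROM `users` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy bcrypt-shaped hash when the user is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? '$2y$10$' . str_repeat('0', 53);
    $ok = password_verify($password, $hash);

    return ($row !== null && $ok) ? (int) $row['id'] : null;
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $userId = attempt_login($conn, $username, $password);
    if ($userId !== null) {
        session_regenerate_id(true);   // fresh session id after login (blocks session fixation)
        $_SESSION['user_id'] = $userId;
        $_SESSION['username'] = $username;
        header('Location: /');
        exit;                          // stop here; nothing below may run after the redirect
    }
    $error = 'Gebruikersnaam en/of wachtwoord is incorrect';   // same message as the original
}
?>
<div class="form">
    <h1>Log In</h1>
    <?php if ($error !== null): ?><h3><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></h3><?php endif; ?>
    <form action="login.php" method="post" name="login">
        <input type="text" name="username" placeholder="Username" required />
        <input type="password" name="password" placeholder="Password" required />
        <input name="submit" type="submit" value="Login" />
    </form>
</div>
```

Because the form posts to `login.php` itself, the handler above runs on every submit, which is exactly what the `bloemen.html` action prevented.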