
I'm trying my best to make a simple login system just as something to do in my time. As someone extremely new to PHP and MySQL I am still very confused; after hours of tutorials and things that should supposedly help I still have a lot of difficulty.

You can find the test at beastfox.com/index.php (the index.html is just a dummy for now for the final design)

Username: Username Password: Password (First letter Capital)

I know you are all probably really advanced, but I am still just trying to learn something new.

I'll put my PHP code in here and I hope you can try and see if I have done something wrong. I'll try and explain what happens: when you enter the Username and Password it is meant to redirect to a test page (myaccount.php) and it should keep a session, but it still fails to do so. My guess is that I have an error in either MySQL or something else. Here is my database also; I wasn't sure if I should cover my details and the name of the MySQL account, but I have anyway just in case. If need be I can provide you with it! (screenshot of the database table, not reproduced here)

I wasn't exactly sure how to do a MySQL Fiddle or a PHP Fiddle, so I'm just going to paste the code. This is all one .php file and it has HTML code integrated into it.

```php
<?php
   include("database.php");
   session_start();

   if ($_SERVER["REQUEST_METHOD"] == "POST") {

      // escape the submitted values before putting them in the query string
      $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);

      // look up the submitted credentials
      $sql = "SELECT id FROM admin WHERE username = '$username' and passcode = '$password'";
      $result = mysqli_query($db, $sql);
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);

      $count = mysqli_num_rows($result);

      if ($count == 1) {
         // exactly one matching row: remember the user in the session and redirect
         // (session_register() no longer exists in PHP 5.4+; $_SESSION is enough)
         $_SESSION['login_user'] = $username;

         header("location: myaccount.php");
         exit;   // stop output after the redirect header
      } else {
         $error = "Your Login Name or Password is invalid";
      }
   }
?>
```

And the HTML, which is in the SAME document:

```html
<!DOCTYPE html>
<html>

  <head>

    <title>Login</title>
    <link rel="apple-touch-icon" sizes="57x57" href="favicon/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="favicon/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="favicon/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="favicon/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="favicon/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="favicon/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="favicon/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="favicon/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="favicon/apple-icon-180x180.png">
    <link rel="icon" type="image/png" sizes="192x192" href="favicon/android-icon-192x192.png">
    <link rel="icon" type="image/png" sizes="32x32" href="favicon/favicon-32x32.png">
    <link rel="icon" type="image/png" sizes="96x96" href="favicon/favicon-96x96.png">
    <link rel="icon" type="image/png" sizes="16x16" href="favicon/favicon-16x16.png">
    <link rel="manifest" href="favicon/manifest.json">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="favicon/ms-icon-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta charset="UTF-8">
    <link rel="stylesheet" type="text/css" href="main.css">
    <link href="https://fonts.googleapis.com/css?family=Raleway:100" rel="stylesheet">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css?family=Roboto+Condensed" rel="stylesheet">
  </head>

  <body>

    <div class="LoginBox" style="">
      <div class="element_wrapper">
        <a class="Login">Login</a>

        <!-- the form posts back to this same file (empty action) -->
        <center>
          <form action="" method="post">
            <input type="text" name="username" class="username" value="Username"/><br /><br />
            <input type="password" name="password" class="password" value="Password" /><br/><br />
            <input type="submit" value=" Submit " class="btn"/><br />
          </form>
        </center>

      </div>
    </div>
  </body>
</html>
```

I hope I didn't make anything too complex, and I'm sorry that Markdown couldn't seem to understand my code; if any indentation or something seems wrong it shouldn't be. But I have got everything sorted out for the files I needed, e.g. database.php to connect to MySQL, session.php and myaccount.php.

```php
<?php

session_start();

$server="beastfox.com";
$user="-";
$password="-";
$database= "-_database";

$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);

?>
```
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 19 '17 at 19:12
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 19 '17 at 19:12
  • If it isn't maintaining session you haven't put `session_start();` at the top of *every* PHP page. – Jay Blanchard Jun 19 '17 at 19:15
  • Well I already have `session_start();` at the top of all of my PHP pages and I'll make sure to change my password security. This is only meant for school work so nothing lost! But it's good to keep it in mind in the future. I am still confused because when attempting to log in it still redirects back to index.php :/ –  Jun 19 '17 at 19:22
  • If you don't have time to do it right the first time, when will you find the time to add it later? I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. – Jay Blanchard Jun 19 '17 at 19:24
  • Well, I'm sorry if you hate what I said? I was just asking for some assistance as I wasn't sure how to make it so that my code works. I'll add it, but I am still unsure on why my PHP isn't redirecting once logged in. –  Jun 19 '17 at 19:27
  • You're not logging in if you're not getting the redirection. Have you checked `$count` to see what it really contains? – Jay Blanchard Jun 19 '17 at 19:33
  • How would I find out what it really contains? Sorry, I am still slightly confused on how to find this out. Is there a way I am meant to find out what the `$count` really contains? –  Jun 19 '17 at 19:35
  • Add `echo $count;` right after you set it. This might result in some other errors, but we need to know what it contains. – Jay Blanchard Jun 19 '17 at 19:36
  • Is this what you mean? Change `$count = mysqli_num_rows($result);` to `echo $count = mysqli_num_rows($result);`? Sorry if that isn't what you meant; I wish I knew more, but everyone's got to start from somewhere! –  Jun 19 '17 at 19:39
  • No - keep your line and add mine right after it. Then run the code again. – Jay Blanchard Jun 19 '17 at 19:40
  • When going to the webpage now, it doesn't seem to respond. So you are right, it does seem to return an error. (https://beastfox.com/index.php) –  Jun 19 '17 at 19:43
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jun 19 '17 at 19:44
  • If you look at your screenshot your table has the columns `username` and `passWORD`, your query has `username` and `passCODE`, this is where your error is. – cmorrissey Jun 19 '17 at 19:44
  • Add the code from database.php to your question too. We don't need the passwords and such, just want to check it. – Jay Blanchard Jun 19 '17 at 19:45
  • Good catch @cmorrissey - I never saw it. – Jay Blanchard Jun 19 '17 at 19:45
  • I added the database.php to my question, but I'd like to point out that the passcode isn't actually any PHP as such and more of a line of text just to help out? It doesn't actually affect the code for PHP... at least I don't think, @cmorrissey. –  Jun 19 '17 at 19:51
  • Yes it does, in your query you have `passcode = '$password'";` and it should be `password = '$password'";` – Jay Blanchard Jun 19 '17 at 19:52
  • I have edited the code but there is no difference still. –  Jun 19 '17 at 19:54
  • You're not connecting to your database `$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);` Should be `$db = mysqli_connect($server, $user, $password, $database);` You specified CONSTANTS that you have not set. – Jay Blanchard Jun 19 '17 at 19:56
  • Do you know how to check the error logs of your server? – Jay Blanchard Jun 19 '17 at 19:57
  • Yup! I do. You check the file that is shown via your FTP, correct? And alright, I'll change the database.php right now. –  Jun 19 '17 at 19:58
  • And you do not need `session_start()` in the file where you include database.php. – Jay Blanchard Jun 19 '17 at 20:04
  • According to the error message I am being denied access? Would you like to see the error file. I can post it in a pastebin? –  Jun 19 '17 at 20:18
  • If you're being denied access to the database then your permissions have not been setup correctly. – Jay Blanchard Jun 19 '17 at 20:27
  • Is there a certain way to change them? –  Jun 19 '17 at 20:28
  • https://stackoverflow.com/questions/8484722/access-denied-for-user-rootlocalhost-while-attempting-to-grant-privileges – Jay Blanchard Jun 19 '17 at 20:30
  • So is this what I am meant to add? `' GRANT ALL PRIVILEGES ON *.* TO 'host' WITH GRANT OPTION | | GRANT PROXY ON ''@'' TO 'host' WITH GRANT OPTION '` Sorry if I'm just being stupid, I'm just very uncertain. –  Jun 19 '17 at 20:39
  • @JayBlanchard I have decided to add a pastebin for my error message because I still am uncertain on what to do exactly, https://pastebin.com/rw3zrX0E –  Jun 19 '17 at 20:56
  • You need to create a user that you will allow to run queries. Sounds like you need some basic MySQL management stuff. https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql – Jay Blanchard Jun 19 '17 at 21:01
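The comments above raise four separate points about the posted index.php and database.php: the query should use a prepared statement rather than interpolating escaped strings, the password should be stored as a hash and checked with PHP's built-in functions, the column name in the query must match the table, and the connection must be built from the variables that database.php actually defines rather than undefined constants. The following is an added example showing a login handler with all four applied; it is not the asker's code and not code from any of the commenters. It keeps the file and column names from the question (`admin`, `username`, `password`, `myaccount.php`) and assumes the `password` column holds a `password_hash()` result; the host, account name, `authenticate()` function and the `DB_PASSWORD` environment variable are assumptions for the example.

```php
<?php
// Added example, not the asker's code: a login handler that applies the
// advice from the comments (prepared statement, hashed passwords, matching
// column name, and a connection built from the variables actually defined).
// Assumes an `admin` table with columns id, username, password where
// `password` stores a password_hash() result. Requires mysqlnd for
// mysqli_stmt_get_result().
declare(strict_types=1);

// Throw exceptions on mysqli errors instead of silently returning false,
// so a failed connection or query shows up in the server error log.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- what database.php should do: pass the variables, not undefined constants ---
$server   = "localhost";                  // assumed host
$user     = "login_app";                  // assumed MySQL account that can only read/update `admin`
$dbpass   = getenv("DB_PASSWORD") ?: "";  // assumed: read from the environment, never hard-coded
$database = "example_database";           // assumed database name
$db = mysqli_connect($server, $user, $dbpass, $database);
mysqli_set_charset($db, "utf8mb4");

// Look up the stored hash for a username and verify the submitted password.
// Returns the user's id on success, or null on failure.
function authenticate(mysqli $db, string $username, string $password): ?int
{
    // The username is bound as a parameter, so it is never part of the SQL text.
    $stmt = mysqli_prepare($db, "SELECT id, password FROM admin WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    // Run password_verify() even when the username is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = $row['password'] ?? password_hash("not-a-real-password", PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return null;
    }

    // Upgrade hashes made with an older cost or algorithm on successful login.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = mysqli_prepare($db, "UPDATE admin SET password = ? WHERE id = ?");
        mysqli_stmt_bind_param($upd, "si", $new, $row['id']);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    return (int) $row['id'];
}

session_start();

$error = null;
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';   // not escaped: the hash is computed on the raw value

    $id = authenticate($db, $username, $password);
    if ($id !== null) {
        session_regenerate_id(true);        // fresh session id on login; a pre-login id cannot be reused
        $_SESSION['login_user'] = $username;
        $_SESSION['user_id']    = $id;
        header("Location: myaccount.php");
        exit;                               // nothing below this line should run after a redirect
    }
    // One generic message for both a wrong username and a wrong password.
    $error = "Your Login Name or Password is invalid";
}
```

The stored value is created once at registration with `password_hash($plain, PASSWORD_DEFAULT)`, and the submitted password is compared with `password_verify()` rather than with a `WHERE password = ...` clause, so the query only ever looks up the username. The MySQL account used here needs SELECT (and UPDATE, if the rehash step is kept) on the `admin` table only, which is a much narrower grant than the `GRANT ALL PRIVILEGES ON *.*` quoted in the comments; a separate account for the web application is also what the linked tutorial walks through.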

0 Answers