-1

I have an index.php and a login function that gets opened when clicking on a submit button. Now whenever the button is being clicked, the user won't be logged in, as nothing is happening, and I can't figure out the issue.

Small snippet of index.php:

```html
Username:<br> <img src="/images/figure.png" alt="Icon" height="42" width="42>">
    <input type="text" name="username"><br>
    Passwort:<br> <img src="/images/Key_lock.png" alt="Icon" height="42" width="42>">
    <input type="password" name="passwort"><br>
    <input type="submit" login="loginfunc()" value="Login">
</form>
```

and my loginfunc

```php
<?php
session_start();
include 'globals.php';
if(empty($_POST["username"]) || empty($_POST["passwort"]))
{
    echo "Bitte tragen Sie ihr Passwort und Benutzername ein";
}
else {
       $query = "SELECT * FROM benutzer WHERE username = '$username'";
       $result = mysqli_query($con, $query);
       if(mysqli_num_rows($result) > 0)
       {
            while($row = mysqli_fetch_array($result))
            {
                 if(password_verify($passwort, $row["password"]))
                 {
                      session_start();
                      $_SESSION['username'] = $username;
                      header("Location:dashboard.php");
                 }
                 else
                 {
                    echo "Kevin";
                 }
            }
       }
       else
       {

       }
}
?>
```
elixenide
Dorian NY
  • 1
    `
    ` is missed from your html code.
    – Metalik Jun 18 '18 at 11:35
  • 1
    SQL injection vulnerable. – Eakethet Jun 18 '18 at 11:38
  • You should also get rid of the second `session_start()`. – jeroen Jun 18 '18 at 11:45
  • You have mentioned your form code and your PHP code. But you haven't mentioned your JavaScript code `loginfunc()` ?? It's missing. Add your jQuery or JavaScript code to your question to know what's the exact issue. – Vamsi Krishna Jun 18 '18 at 11:52
  • You are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). You need to use prepared statements, rather than concatenating variables into your query. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). – elixenide Jun 18 '18 at 11:52
  • 1
    Please mention your full code. You haven't mentioned your form opening tag. Is it really missing or just missing here in the question ?? – Vamsi Krishna Jun 18 '18 at 11:54
  • No, it isn't, as it is included at the top of the file with `include_once("functions/loginfunc.php");` – Dorian NY Jun 18 '18 at 12:44
  • I've voted to close this question as based on a typographical error or problem that cannot be reproduced. As I've explained below, your problem is that you are using meaningless HTML to try to trigger a PHP function from the client-side, which is impossible. – elixenide Jun 18 '18 at 14:07

1 Answer

1

You’re never sending data to your PHP code (which, by the way, is not a function, based on what you’ve posted here). The `login=loginfunc()` that you have on your submit button isn’t valid HTML and doesn’t do anything. Besides, PHP is a server-side language. You can’t invoke it on the client like this.

You need to set an `action` parameter on your `form` tag, as in something like this:

```html
<form method="POST" action="functions/loginfunc.php">
```

Also, you are wide open to SQL injection. You need to use prepared statements, rather than concatenating variables into your query. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1).

You have other problems, like calling `session_start()` twice and, from the looks of it, some undefined variables (`$username` and `$passwort`, for starters).

All of the above is why you should not “roll your own” login/authentication logic; it’s too easy to get it wrong. Use an existing library if at all possible.

Edit based on your (now-deleted) "answer": You seem to have a few basic misunderstandings about how HTML and PHP work. The line

```php
include_once("functions/loginfunc.php");
```

does not define a function; it just causes whatever is in `loginfunc.php` to execute immediately. In any case, you can't call a PHP function directly from HTML. And, again, the `login=loginfunc()` attribute on your button doesn't do—or tell the browser to do—anything. The browser does not go looking for something called `login` somewhere in your code; it just ignores that.

My best advice to you is this:

  1. Do not attempt to create your own login functionality. It's extremely difficult to do it securely and correctly. And, frankly, this question makes clear that you do not know nearly enough about HTML, PHP, or the other issues involved to do it. Please understand: I'm not trying to insult you; I'm trying to help you avoid getting hacked horribly.

  2. Go read and work through some basic HTML and PHP tutorials before going any further. You cannot do anything meaningful in PHP (or most other languages) if you do not know, for example, how to define a function.

elixenide
  • using
    . doesn't work as that is just a function.
    – Dorian NY Jun 18 '18 at 12:43
  • Actually, no. The code you have posted doesn’t contain any functions. It also doesn’t do anything. – elixenide Jun 18 '18 at 12:48
  • it does I did not want to define a function my friend using the include once, but just include the FILE that has my FUNCTION. – Dorian NY Jun 19 '18 at 06:36
  • I don't know how else to explain it to you. The code you posted *is not* a function, nor does it define one. There are no functions anywhere in your question or in your now-deleted answer. And, as I have tried to explain, the code you are using - trying to invoke your code on the client-side as if it were a PHP function - does not, cannot, and will not do anything. You obviously already know it doesn't work, so I don't understand why you're not willing to listen to help. I have no more help to offer. Please abandon the effort to create a login system; you are going to get yourself into a mess. – elixenide Jun 19 '18 at 06:42
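
The fixes listed in the answer and comments (a form that actually posts to the script, a prepared statement, a single `session_start()`, and defined variables), put together as an added example that is not part of the original thread. It assumes the form uses `method="POST" action="functions/loginfunc.php"`, that `globals.php` provides `$con` as in the question, and that `benutzer.password` stores `password_hash()` output; the final error message is constructed.

```php
<?php
// functions/loginfunc.php -- added example, not the asker's or answerer's code.
// Assumption: globals.php sets $con to a mysqli connection, as in the question.
session_start();                 // once, before any output
include 'globals.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);     // only reachable through the form's POST
    exit;
}

// Assign the submitted fields explicitly; the original code read
// $username and $passwort without ever defining them.
$username = $_POST['username'] ?? '';
$passwort = $_POST['passwort'] ?? '';
if (!is_string($username) || !is_string($passwort)
    || $username === '' || $passwort === '') {
    echo 'Bitte tragen Sie ihr Passwort und Benutzername ein';
    exit;
}

// The ? placeholder keeps user input out of the SQL text.
$stmt = mysqli_prepare(
    $con,
    'SELECT username, password FROM benutzer WHERE username = ?'
);
if ($stmt === false) {
    http_response_code(500);
    exit;
}
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $dbUser, $dbHash);
$found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
mysqli_stmt_close($stmt);

if ($found === true && password_verify($passwort, $dbHash)) {
    session_regenerate_id(true);     // fresh session ID after authentication
    $_SESSION['username'] = $dbUser;
    header('Location: dashboard.php');
    exit;                            // stop after the redirect header
}

// One message for both "unknown user" and "wrong password".
echo 'Benutzername oder Passwort ist falsch';
```

Because the script now runs only when the form is submitted to it, it should no longer be pulled into `index.php` with `include_once`.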