<?php
session_start();

$db =mysqli_connect("localhost", "root", "","registration" );
if (isset($_POST['login_btn'])){
    $username = mysql_real_escape_string($_POST ['username']);
    $password = mysql_real_escape_string($_POST ['password']);

    $password= md5($password);
    $sql = "SELECT * FROM users WHERE username= '$username' AND password= '$password'";
    $result = mysqli_query($db, $sql);
    if (mysqli_num_rows($result) == 1) {
        $_SESSION['message'] = "You are now logged in";
        $_SESSION['username'] = $username;

        header("Location: home.php");
    } else {
        $_SESSION['message'] = "Username and  password combination is incorrect";
    }

}
?>

<html>
<head>

</head>
<body>
<div class="header"> <h1>login</h1></div>

<?php
if (isset($_SESSION['message'])){
    echo "<div id = 'error_msg>".$_SESSION['message']."</div>";
    unset($_SESSION['message']);
}
?>

<form method="post" name="loginform" action="login.php">
    <table>
        <tr>
            <td> Username:</td>
            <td><input type = "text" name="username" placeholder="Username" class="textInput"  required></td>
        </tr>

        <tr>
            <td> Password:</td>
            <td><input type = "password" placeholder="Password"  name="password" class="textInput" required></td>
        </tr>

        <tr>
            <td></td>
            <td><input type = "submit" name="login_btn" value="Login"></td>
        </tr>
    </table>
</form>
</body>

</html>

Hi guys, this is my login page with PHP. Apart from logging in, it allows passwords which are not the same. According to the code, it's set to check if the two passwords are matching and, if they aren't, it displays an error.

This one doesn't display an error even if the two passwords don't match. Why does it allow a user to log in with wrong passwords?

I want it to display an error when passwords don't match and in return not allow logging in because of wrong credentials.

Tieson T.
Brayo
    Please don't store or use passwords like this (https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1) –  Nov 09 '18 at 04:19

1 Answer

0

You are not using mysql_real_escape_string properly. You should use either mysqli_real_escape_string or use mysql_connect to connect to MySQL.

mysql_real_escape_string's second parameter is assumed automatically if mysql_connect is used, but you are using mysqli_connect instead; that's why it's not finding any connection.

The PHP website states:

The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() had been called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

Reference: http://php.net/manual/en/function.mysql-real-escape-string.php

Try changing

 $username = mysql_real_escape_string($_POST ['username']);
 $password = mysql_real_escape_string($_POST ['password']);

to

$username = mysqli_real_escape_string($db, $_POST ['username']);
$password = mysqli_real_escape_string($db, $_POST ['password']);
M A
  • I have tested the code and `$username = mysql_real_escape_string($_POST ['username']);` returns nothing. – M A Nov 09 '18 at 05:24
  • neither `mysql_real_escape_string` nor `mysqli_real_escape_string` should be used any more –  Nov 09 '18 at 05:30
  • I agree, but my answer is relevant to the question. – M A Nov 09 '18 at 05:35
  • you agree to not do what you suggest doing ... ? –  Nov 09 '18 at 05:38
  • Maybe the author of this post is trying to learn php basics? I think they should be given the benefit of doubt. – M A Nov 09 '18 at 05:42
  • 1
    Basically, don't use a legacy approach. PHP or any language is constantly evolving and you have to keep up. –  Nov 09 '18 at 05:45
  • `$db =mysqli_connect("localhost", "root", "","registration" ); if (isset($_POST['login_btn'])){ $username = mysqli_real_escape_string($db, $_POST ['username']); $password = mysqli_real_escape_string($db, $_POST ['password']);` *I have made the changes but it's still the same. It doesn't display the error when a wrong password is entered* – Brayo Nov 10 '18 at 13:12
  • @Brayo The reason why it's not showing error is because you have a single quote (') missing when outputting session message. `echo "
    ";` there should be a closing single quote after `error_msg`. Let me know if it fixes your issue.
    – M A Nov 11 '18 at 22:50
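
The comments above advise against both escaping functions and against storing passwords with `md5()`. As an added example (not code from the question or the answer), the following shows the same login check done with a prepared statement and `password_hash()`/`password_verify()`. It assumes PDO with an in-memory SQLite database in place of the MySQL connection so that it runs without a server, and `check_login` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL "registration" database, and the
// users.password column stores password_hash() output instead of md5().

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder sends the username as data, never as SQL text,
    // so no escaping function is needed.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists

    // password_verify() reads the salt and cost from the stored hash and
    // compares in constant time.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attempts: right password, wrong password, unknown user.
// The quote in the username is stored and matched literally.
$attempts = [
    ["o'brien", 'correct horse'],
    ["o'brien", 'wrong password'],
    ['nobody',  'correct horse'],
];
foreach ($attempts as [$user, $pass]) {
    $outcome = check_login($db, $user, $pass) ? 'logged in' : 'rejected';
    printf("%s / %s => %s\n", $user, $pass, $outcome);
}
```

With mysqli the same pattern uses `$db->prepare()`, `bind_param()` and `execute()` on the existing connection.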