-3

I hope you are all having a wonderful day so far. I have a question in regards to PHP and MYSQL Login page that I created. It seems to be not working. Thank you for the help in advance.

<?php
$db = mysqli_connect("localhost", "root", "", "test");

if (isset($_POST['login'])) {

$username = mysqli_real_escape_string($db,$_POST['username']);
$password = mysqli_real_escape_string($db,$_POST['password']);

$query = "SELECT * FROM users WHERE Username='$username' AND Password='$password'";
$result = mysqli_query($db,$query);
$count = mysqli_num_rows($result);

if($count == 1) {
   session_register("username");
   header('location: home.html');
}else {
   echo "Your Login Name or Password is invalid. Please try again.";
} }?>
forestnotgump
  • 3
  • 2
  • what errors are you getting? – nelsonsule Nov 12 '20 at 07:59
  • You should also look up recent php tutorials, especially look for [prepared statements](https://www.php.net/manual/en/mysqli.prepare.php) (to prevent sql injection) and password hashing ([password_hash()](https://www.php.net/manual/en/function.password-hash.php) and [password_verify()](https://www.php.net/manual/en/function.password-verify.php)). Right now this login is a dream for everyone who wants to get access to your database. – LLJ97 Nov 12 '20 at 08:58
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 12 '20 at 11:01
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Nov 12 '20 at 11:01

1 Answers1

0

I am create simple login page using php pdo. and it is work successfully. so please you try this code

 <?php
    session_start();

    //This is a database connection
    $host_name = "localhost";
    $user_name = 'root';
    $db_name = "stackoverflow";
    $pass = '';
    
    $conn = new PDO("mysql:host=$host_name; dbname=$db_name;", $user_name, $pass);
?>

<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
</head>
<body>
    <!--- This is a login form ----->
    <form method="post">
        <input type="text" name="uname" placeholder="Username" required /><br><br>
        <input type="password" name="upass" placeholder="Password" required /><br><br>
        <button type="submit" name="login-submit" >Login</button>
    </form>
</body>
</html>

<?php

if (isset($_POST['login-submit']))
{
    $uname = $_POST['uname'];  //This is a username
    $pass = $_POST['upass'];   //This is a password
    
    $sql = "SELECT * FROM login WHERE username LIKE ? AND password LIKE ?"; // This is a sql check username and password in our database
    
    $checkUsernameAndPassword = $conn->prepare($sql);
    $checkUsernameAndPassword->execute([$uname, $pass]);
    
    if ($checkUsernameAndPassword->rowCount() == 1) //check if the sql return row 1 then connction success otherwise i will show error.
    {
        $_SESSION['username'] = $uname;
        header('location: index.php');
    }
    else
    {
        echo "<h3>Please enter the valid username or password</h3>";
    }
}
?>
Viral Ghodadara
  • 70
  • 1
  • 6