0

I have a database set up with email and password. I'm trying to use the code below to check the username (email) and password to make sure they're correct; if they are, send the user to /cms, and if they don't match, a pop-up box comes up. I'm only getting the pop-up to work. Can you see any issues that would be causing that?

session_start();

require_once("../mydbpassword.php");
if($_POST['username']) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";
    $result = mysqli_query($mysqli,$sql);

    $email = $row['email'];
    $pword = $row['pword'];

    if(($username != $email) || ($password != $pword)) {
        echo'<script type="text/javascript">
        window.alert("Your login information is wrong, try again!");
        window.location="/cms/login"
        </script>';
    }
    else {
        $row = mysqli_fetch_assoc($result);
        $_SESSION['admin'] = $row['$email'];
        header("Location: /cmsS");
        exit();
    }
}
Josh

2 Answers

0

Switch

$result = mysqli_query($mysqli,$sql);

To

$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));

In addition, you have many things that need to be fixed. Like hashing passwords, secure queries, a better redirect/error-system (JS could be disabled or easily hacked/changed).

OptimusCrime
  • Thanks. I still get an error even though the user and pword are correct! Do you know why? – Josh Jul 01 '12 at 00:04
0

The variable could be set but empty.

if($_POST['username'])

by

if (!empty($_POST['username']))

Prevent MySQL injections, fetch only the password.

$sql = "SELECT * FROM agents WHERE email = '$username' AND pword = '$password'";

by

$sql = 'SELECT pword FROM agents WHERE email = "'.mysqli_real_escape_string($mysqli, $username).'"';

Proper MySQL string association

$result = mysqli_query($mysqli,$sql);

by

$result = mysqli_fetch_assoc(mysqli_query($mysqli,$sql));

And a check that actually makes sense

if ($password != $pword || empty($pword)) {
    echo'<script type="text/javascript">
    window.alert("Your login information is wrong, try again!");
    window.location="/cms/login"
    </script>';
}
  • I replaced everything here and I still get the same problem... when I log in with the correct username and password, I still get the window alert telling me my user/pass is wrong... – Josh Jul 01 '12 at 00:18
  • At least it's a step forward. Maybe somebody else has a solution. –  Jul 01 '12 at 00:30
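
The fixes both answers point at (a parameterized query, hashed passwords, fetching the row before comparing, and a redirect that does not depend on JavaScript) combined in one added example; it is not code from the question or from either answer. It assumes `$mysqli` is created by `../mydbpassword.php` and that `pword` stores `password_hash()` output; the `error=1` query parameter is hypothetical.

```php
<?php
// Added example, not the original poster's code. Assumptions: $mysqli is the
// connection created by ../mydbpassword.php, and agents.pword holds the output
// of password_hash() rather than the plain-text password.
session_start();
require_once("../mydbpassword.php");

/**
 * Return the agent's email if the credentials are valid, otherwise null.
 */
function check_login(mysqli $db, string $email, string $password): ?string
{
    // The ? placeholder keeps user input out of the SQL text (no injection).
    $stmt = $db->prepare("SELECT email, pword FROM agents WHERE email = ? LIMIT 1");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($dbEmail, $dbHash);
    $found = $stmt->fetch();   // true = row fetched, null = no row, false = error
    $stmt->close();

    // Fetch first, compare second: the question's code compared before fetching.
    if ($found !== true || !password_verify($password, $dbHash)) {
        return null;
    }
    return $dbEmail;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    $email = check_login($mysqli, $username, $password);

    if ($email === null) {
        // Server-side redirect; error=1 is a hypothetical flag for the login page.
        header("Location: /cms/login?error=1");
        exit();
    }
    session_regenerate_id(true);   // new session ID after login (session fixation)
    $_SESSION['admin'] = $email;
    header("Location: /cms");
    exit();
}
```

Existing plain-text rows in `pword` will not pass `password_verify()`; they need to be re-stored with `password_hash($password, PASSWORD_DEFAULT)` first.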