What's wrong with this php Login Code?

Question

No matter what I do I always get "Wrong Username or Password" Already tried different types of solutions but none helped.

//header('Access-Control-Allow-Origin: *');

include('db.php');

// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection 
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row

$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){


        echo '{"type":"1",'.
            '"item": "Logged In"'.
            '}';
}
else {
echo '{"type": "0",'.
            '"item":"Wrong Username or Password"'.
            '}';
}

Can anyone help please? Thank you in advanced!

You do not have EXACTLY 1 row matching that query. Try echoing the query and running it manually. — Jessica, Jun 26 '13 at 15:06
You guys are all funny, thank you for your jokes. It didn't let me put the code and I already got -5 for this question while trying to Edit... — Rotem S, Jun 26 '13 at 15:06
You'll see the question's score increase again once the question makes sense. — Daniel Hedberg, Jun 26 '13 at 15:08
Try to echo the query and then put in your SQL client to see if there are rows matching the query. However, is it possible to have more than one match, so your check $count==1 to be invalid, since you have 2 or more matches? — Royal Bg, Jun 26 '13 at 15:08
`var_dump($sql)` and run the query on the database directly. That way, you can check the query and result, which should help you to debug it — billyonecan, Jun 26 '13 at 15:08
@Jessica I tried Count>0 and it didn't worked. Is what you suggested isn't the same ? — Rotem S, Jun 26 '13 at 15:08

cipher · Accepted Answer · 2013-06-26T15:27:22.503

3

There could be various reasons for this.

Either your username or your password is incorrect (it's worth to check this type of errors)
You have problems with your databse connection! (Enable error reporting and debug things)
You have problems with the posted data. It happens sometimes when you GET instead of POST unknowingly.
Or, your password or usename contains string which was escaped and not matched properly!

EDIT

A couple of other suggestions for you! Always use mysql prepared statements for maximum security, and function with mysql_ are deprecated use mysqli_ alternatives instead. Your use of stripslashes suggests me that you are using magic_quotes_ which is again discouraged! :)

edited Jun 26 '13 at 15:27

answered Jun 26 '13 at 15:13

cipher

2,414
4
30
54

Yep, Instead of $_REQUEST I did $_POST. Thank you :) – Rotem S Jun 26 '13 at 15:22
:) Good luck with your code! – cipher Jun 26 '13 at 15:24
@RotemShukron - If that's the solution, then you haven't configured PHP to display error messages. That's something you need to fix before you go further; it's impossible to code without the aid of error messages. Here's a [brief explanation](http://stackoverflow.com/a/5680885/13508). – Álvaro González Jun 26 '13 at 15:27

score 0 · Answer 2 · answered Jun 26 '13 at 15:24

I suggest you have a look at the appropriate manual pages for the functions you use and pay attention to the return values. For instance, if you go to mysql_query() and scroll past the «This extension is deprecated as of PHP 5.5.0, and will be removed in the future» warning you'll see this:

For SELECT [...] and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

Similarly with mysql_num_rows():

The number of rows in a result set on success or FALSE on failure.

Everything suggests that one of them is returning FALSE.

Relying on the resultset count to determine whether there are matches is a kind of risky technique (it can work or not depending on your settings). It's more rock solid to run a COUNT(*) or just attempt to fetch the first row.

Some random conclusions:

Don't omit error checking.
If I were you, I wouldn't waste time learning an obsolete extension.
stripslashes() suggests that magic_quotes is enabled in your server. If that's the case, please disable it before corrupted data pours in.

score 0 · Answer 3 · edited Jun 26 '13 at 16:54

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it was on by default before PHP 5.4), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement.

As per My view mysql_real_escape_string this function escapes special charecter from your password also and from username. every time when any special charecter found in username or in password this will remove that. and always gives number of row count zero...

What's wrong with this php Login Code?

3 Answers3