What is wrong with this php login code?

Question

Im setting up a php log in for my website. I have the php code in a seperate php file and I am calling the form action for that php file. All the names from the html do match the ones in the php. When I click Login regardless whether it has any input or not, it redirects me to an empty page with a address "mywebsite.com/login.php?username=&password=" . When it should echo that the username or password is invalid.

><?php 

session_start();
//Creates connection
$con = mysqli_connect("my info and stuff") or die("Error " . mysqli_error($con));
$db = mysqli_select_db($con,"users");

 if(isset($_POST["Login"])){
    $username = mysqli_real_escape_string($connect, $_POST["username"]);
    $password = mysqli_real_escape_string($connect, CRYPT_MD5($_POST["password"]));
    $query = mysqli_query("SELECT id, username FROM users WHERE username = '$username' AND password = '$password' ");   
    $result = mysqli_query($query);
    $row = mysqli_num_rows($result);
    if($row == 1){
        session_register("username");
        session_register("password"); 
        header("location: profile.php");
    }
    else {
        echo ("Wrong Username or Password");
    }
}

?>

If theres a more efficient ways of making this, would appreciate the suggestions. Still very new to php.

in your form you mentioned the method as 'get',that is why it is appending parameters to url and sending,but in backend u are using $_POST[]. nothing will be in $_POST[].so it is not showing — Bhadra, Nov 22 '13 at 07:06
Stop reading PHP tutorials that are a decade old. Your code is going to break whenever you upgrade PHP. — kittycat, Nov 22 '13 at 07:17

score 4 · Answer 1 · edited May 23 '17 at 11:50

This is caused when you've not set your form method attribute value to POST so set that to post, using no method attribute will set it to GET instead and your block of code will be ignored as you are using if(isset($_POST['Login']) {} so as no Login isset, the code inside your if condition will be skipped.

Also, there are many many issues in your code, you are calling your query twice which is not required, not sanitizing your inputs, using mysqli_real_escape_string() is not enough consider learning a bit more about the basics and than get started with your project.

Also you told that you are new to PHP, so consider using PDO instead of mysqli_(), than you don't have to worry much about sanitizing your user inputs...

Here's a nice PDO tutorial and here to get started with.. Surely things will bounce over your head at first attempt but don't leave it..

Whoever DV'd this answer hasn't got a clue what they are talking about. This is the correct answer. — vascowhite, Nov 22 '13 at 07:12

score 1 · Answer 2 · answered Nov 22 '13 at 07:05

1

This is one of the probem, your are trying to execute sql twice,

$query = mysqli_query("SELECT id, username FROM users WHERE username = '$username' AND password = '$password' ");   
$result = mysqli_query($query);

You have already executed query, use the $query variable directly here,

$row = mysqli_num_rows($query);

answered Nov 22 '13 at 07:05

chandresh_cool

11,753
3
30
45

then it should show an sql error.its not showing any error.so it is not even coming to this part of the code. (actually this is an error but there is one more even before it)so the error has to be before that line – Bhadra Nov 22 '13 at 07:13
See My answer starts with this is one of the problem...it was not stated as the only error. – chandresh_cool Nov 22 '13 at 07:13
as your answer is partial to his current situation, i thought may be i ll add a bit to it.i did nt down vote you. I just added some contetn in support of you – Bhadra Nov 22 '13 at 07:15

score 0 · Answer 3 · answered Nov 22 '13 at 07:06

change following

$query = mysqli_query("SELECT id, username FROM users WHERE username = '$username' AND password = '$password' ");   
$result = mysqli_query($query);
$row = mysqli_num_rows($result);

to

$result = mysqli_query("SELECT id, username FROM users WHERE username = '$username' AND password = '$password' ");   
$row = mysqli_num_rows($result);

mysqli_query use to execute query

score 0 · Answer 4 · answered Nov 22 '13 at 07:29

it is simple login example

<?php 
        //for login.php page
        session_start();

        if(isset($_POST['login']))
        {
        $username=$_REQUEST['username'];
        $password=$_REQUEST['password'];
        $password=md5($password);

    //1st query whish will fetch record and then count tham
        $query="select * from users where username='$username' and password='$password'";
        $rs= mysqli_query($query);
        @$n=mysqli_num_rows($rs);
                   or
    //2nd query which will fetch only quantity it is very usefull
        $query="select count(*) from users where username='$username' and password='$password'";
        $n=mysqli_query($query);


        if($n==1)
        {
        $_SESSION['username']=$username;
        $_SESSION['password']=$password;
        header("location: profile.php");
        }
        else 
        {
        echo ("Wrong Username or Password");
        }
        }
        ?>


        <?php 
        //for profile.php page
        session_start();
        $username=$_SESSION['username'];
        $password=$_SESSION['password'];
        echo $username."<br />".$password;
        ?>

What is wrong with this php login code?

4 Answers4