0

I am creating this page as a login system. The database connects fine and I don't see or get any errors. The problem is that when I enter the right username and password I get this:

"SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY..."

and when I enter an incorrect username and password I get a blank page.

<?php
include_once("db_connection.php"); 

$userName = $_POST['user'];
$password =  $_POST['password'];

if($userName == "" || $password == ""){
echo "Fill in both field";
exit;
}

function SignIn(){
session_start();   //starting the session for user profile page
if(!empty($_POST['user']))   //checking the 'user' name which is from Sign-In.html, is it empty or have some text
{
    $query = mysql_query("SELECT * FROM Customer WHERE userName = '$_POST[user]' AND password = '$_POST[password]'") or die(mysql_error());
    $row = mysql_fetch_array($query) or die(mysql_error());
    if(!empty($row['userName']) AND !empty($row['password']))
    {
        $_SESSION['userName'] = $row['password'];
        echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";

    }
    else
    {
        echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
    }
}
}
if(isset($_POST['submit']))
{
SignIn();
}

?>

Here is the HTML so everyone can see what I am trying to do:

<!DOCTYPE HTML>
<html>
<head>
<title>Sign-In</title>
<link rel="stylesheet" type="text/css" href="style-sign.css">
</head>

<body id="body-color">
    <div id="Sign-In">
        <fieldset style="width:30%"><legend>LOG-IN HERE</legend>
            <form method="POST" action="connectivity.php">
                User <br><input type="text" name="user" size="40"><br>
                Password <br><input type="password" name="password" size="40"><br>
                <input id="button" type="submit" name="submit" value="Log-In">
            </form>
        </fieldset>
    </div>
</body>

</html>
user3311898
  • I really recommend using encrypted passwords. – Daan Feb 27 '14 at 15:51
  • 1
    Did you CHECK it, for example by writing out the query and executing it manually? – SergeS Feb 27 '14 at 15:52
  • [`Read this article on SO`](http://stackoverflow.com/q/60174/) and dump `mysql_*` – Funk Forty Niner Feb 27 '14 at 16:09
  • It doesn't look like you're doing any [SQL escaping](http://bobby-tables.com/php) here and you have some severe [SQL injection bugs](http://bobby-tables.com/). [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and provides a simple, reliable way of adding data to queries. A guide like [PHP The Right Way](http://www.phptherightway.com/) outlines the recommended best practices when interfacing with databases. Storing passwords as plaintext with a SQL injection vector is **VERY VERY VERY VERY BAD**. – tadman Feb 27 '14 at 17:11

5 Answers

1

Try:

 $query = mysql_query("SELECT * FROM Customer WHERE userName = '{$_POST['user']}' AND password = '{$_POST['password']}'") or die(mysql_error());

Or to be safe:

 $query = mysql_query("SELECT * FROM Customer WHERE userName = '" . mysql_real_escape_string($_POST['user']) . "' AND password = '" . mysql_real_escape_string($_POST['password']) . "'") or die(mysql_error());

Also I think you might want to use:

$row = mysql_fetch_assoc($query);

Rather than:

$row = mysql_fetch_array($query);
jx12345
  • Could you try: $query = mysql_query("SELECT * FROM Customer WHERE userName = '$userName' AND password = '$password'") or die(mysql_error()); – jx12345 Feb 27 '14 at 15:57
  • Sorry, there was a syntax error in that first post, have updated now to correct it, it should be as follows: $query = mysql_query("SELECT * FROM Customer WHERE userName = '{$_POST['user']}' AND password = '{$_POST['password']}'") or die(mysql_error()); – jx12345 Feb 27 '14 at 16:00
  • I am just getting a blank page when I try. Is there any other way to create a proper login system? @jx12345 – user3311898 Feb 27 '14 at 16:01
  • With the latest code you sent, I tried and still got back the same issue I had from the beginning @jx12345 – user3311898 Feb 27 '14 at 16:02
  • I think there's some other error that's not been reported properly: Could you also try updating: $row = mysql_fetch_array($query) or die(mysql_error()); to $row = mysql_fetch_assoc($query) or die(mysql_error()); – jx12345 Feb 27 '14 at 16:03
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/48596/discussion-between-jx12345-and-user3311898) – jx12345 Feb 27 '14 at 16:05
  • Sorry to say this but again the same problem :( @jx12345 – user3311898 Feb 27 '14 at 16:06
1

Too many issues in your code:

1: you're wide open for SQL injection because you're not sanitizing your variables.

2: you shouldn't still be using mysql_* as they are deprecated.

3: try your query like this:

mysql_query("SELECT * FROM Customer 
             WHERE userName = '".mysql_real_escape_string($_POST['user'])."' 
             AND password = '".mysql_real_escape_string($_POST['password'])."'");

4: Check your spelling, I spotted ENTERD which should be ENTERED

CodeBird
1

WARNING! WARNING!

Your code is vulnerable to injection. All I have to do is enter the username of my choice, and the password ' or '1 and it will let me in to anyone's account!

Use mysql_real_escape_string to escape the values and make them safe.

ALSO: You appear to be saving passwords as PLAINTEXT strings. This is bad. I mean really, really, really, REALLY bad. I cannot emphasize how monumentally bad this is. See the Hitchhiker's Guide on the size of the universe for an idea.

... Unless you're saving them in an encrypted format, and trying to access them as plaintext. That'll never work, you need to encrypt whatever the user inputs and see if it encrypts to the same thing.

Niet the Dark Absol
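
An added example (not from any poster in this thread) of the login check written with a PDO prepared statement, as the comments recommend, and with `password_hash()`/`password_verify()` for stored passwords. The `passwordHash` column, the sample account and the in-memory SQLite database are assumptions made so the code runs stand-alone.

```php
<?php
// Added example (not the poster's code). In-memory SQLite via PDO keeps it
// self-contained; for MySQL only the DSN given to new PDO() changes.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Customer (userName TEXT PRIMARY KEY, passwordHash TEXT NOT NULL)');
    // Constructed sample account: only the salted hash is stored, never the password.
    $insert = $pdo->prepare('INSERT INTO Customer (userName, passwordHash) VALUES (?, ?)');
    $insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function signIn(PDO $pdo, string $userName, string $password): bool
{
    if ($userName === '' || $password === '') {
        return false;
    }
    // The value is bound as data, so quotes in it cannot change the SQL text.
    $stmt = $pdo->prepare('SELECT userName, passwordHash FROM Customer WHERE userName = :user');
    $stmt->execute([':user' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches: that is a failed login, not a
    // database error, so it is handled here instead of with "or die(...)".
    if ($row === false) {
        return false;
    }
    // password_verify() re-derives the hash using the salt stored inside
    // passwordHash and compares in constant time.
    return password_verify($password, $row['passwordHash']);
}

$pdo = openDemoDb();
$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // wrong password
    ['alice', "' or '1"],         // the injection string quoted in the answer above
    ['nobody', 'x'],              // unknown user: no row returned
];
foreach ($attempts as [$user, $pass]) {
    printf("%-8s %-16s %s\n", $user, var_export($pass, true), signIn($pdo, $user, $pass) ? 'OK' : 'REJECTED');
}
```

Only the first attempt prints `OK`. On success, store the user name (not the password) in `$_SESSION` and call `session_regenerate_id(true)`.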
0

Your SQL query string is using the literal value of $_POST[user], you should be concatenating the actual value of that into your String. And actually you should be escaping it to prevent SQL injection since this is posted from a client.

This thread explains injection: How can I prevent SQL injection in PHP?

Matt Pileggi
  • Isn't $_POST[user] getting the username entered on the HTML side? @MattPileggi – user3311898 Feb 27 '14 at 15:52
  • It is, but your usage is not substituting the variable but instead passing the exact string '$_POST[user]' to MySQL, which isn't matching anything (and not what you intended) – Matt Pileggi Feb 27 '14 at 15:54
0

Replace your SQL Statement with this:

SELECT * FROM Customer WHERE userName = '$userName' AND password = '$password'

That's assuming you don't want to do any sort of sanitizing. If you do, change your first lines to:

$userName = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['password']);
Tom