creating a login page in php and mysql

Question

I'm making a forum in PHP and MySQL (not a real one, just for practicing). and i made a login page. The problem is that for some reason after I'm writing the username and password and sending it, it keeps getting to the point which it gives me the echo of "wrong password or username". Yet every detail is correct (the names of the columns and the tables in my database are exactly the same in this code and the username and password are correct) so I'm guessing it's not the problem. Any help would be appreciated.

<?php

    if(!empty($_POST['username'] ) && !empty($_POST['password'])){
        require_once 'dbConnect.php';
        $user = mysql_query("SELECT `nickname` , `id` FROM `users` WHERE `nickname` =". $_POST['username'] . "AND `password` = " .sha1($_POST['password']));

        if($user){
            $data = array();                 
            $data = mysql_fetch_assoc($user);
            session_start();
            $_SESSION['username'] = $data['nickname'];
            echo $_SESSION['username'];
        }
        else {
            echo "wrong password or username";
        }
    }
    else {
        echo "enter a username and a password";
    }
?>
<form action="index.php?page=login" method="post">
    <label>username:
        <input type="text" name="username" required/>
    </label>
    <label>password:
        <input type="password" name="password" required/>    
    </label>
    <input type="submit" value="login!" />
</form>

If you're not checking for errors, add error reporting to the top of your file(s) right after your opening ` — Funk Forty Niner, Aug 01 '14 at 14:27
Plus, was the password stored using `sha1`? Plus, your POST variables quotes are off. Your present code is open to [**SQL injection**](http://stackoverflow.com/q/60174/). Use [**`mysqli_` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) with [**prepared statements**](http://php.net/pdo.prepared-statements). — Funk Forty Niner, Aug 01 '14 at 14:28
In your query you do not wrap name and password in quotes and there is no whitespace after name before `AND`. — Cthulhu, Aug 01 '14 at 14:30
the password is stored with sha1. i will check the error reports now — kshayk, Aug 01 '14 at 14:30
You also have to escape username and password in your query, adding the backticks before you insert the $_POST. Also please remember to never use $_POST or any other user entered content in your mysql queries without something like mysql_real_escape_string in order to avaoid mysql injection. — jbrosi, Aug 01 '14 at 14:31
Just to quasi-fix this `$username=$_POST['username'];` then `...= '". $username . "'...` 50% - Then do the same for your password. — Funk Forty Niner, Aug 01 '14 at 14:34
You also have a double quote missing at the end. So do `$pass=sha1($_POST['password']);` then `AND password = '".$pass."'");` — Funk Forty Niner, Aug 01 '14 at 14:39
but when i put the $_POST['username'] inside a var it gives me this - Notice: Undefined index: username in C:\xampp\htdocs\mys\login.php on line 8 — kshayk, Aug 01 '14 at 14:41
The variables need to be declared before your query, placed just below `require_once 'dbConnect.php';` - You should also use `isset()` — Funk Forty Niner, Aug 01 '14 at 14:43
wait a second i think it works! i did the $username=$_POST['username']; then ...= '". $username . "'... and now i see the echo of the $_SESSION['username']. so that means it worked right? — kshayk, Aug 01 '14 at 14:45
Try it with a different/bad password, that will tell you for sure if it worked or not. — Funk Forty Niner, Aug 01 '14 at 14:48
yeah it works. thanks everyone for your time i do really appreciate your afford! :) — kshayk, Aug 01 '14 at 14:50
You're welcome. I have formulated an answer below in order to close the question. @kshayk — Funk Forty Niner, Aug 01 '14 at 15:03

score 2 · Answer 1 · answered Aug 01 '14 at 14:39

the problem is that yout user and password columns are of type text / varchar. In order to produce a correct query, you have to wrap your values in quotes.

For example:

SELECT * FROM users WHERE username='name' AND password='mypassword'

So you have to alter your existing query like this:

$user = mysql_query("SELECT `nickname` , `id` FROM `users` WHERE `nickname` ='". $_POST['username'] . "' AND `password` = '" .sha1($_POST['password']) . "'");

Mind the single quotes around your values.

In addition: The use of mysql_query is deprecated in PHP. Please use the PHP PDO Class. It supports parameter binding. In your case SQL Injection would be possible.

Missing a double quote. – Funk Forty Niner Aug 01 '14 at 14:42 — Funk Forty Niner, Aug 01 '14 at 14:42
Thanks @Fred-ii- - added the missing quote. – madhippie Aug 01 '14 at 14:43 — madhippie, Aug 01 '14 at 14:43

score 1 · Accepted Answer · edited May 23 '17 at 12:12

Comments to answer/answer.

There are a few things wrong with your code and here is what I recommend you do.

Start by defining your variables: (placed below require_once 'dbConnect.php';)

$username = $_POST['username'];
$pass = sha1($_POST['password']);

or, for some added security till you switch to prepared statements:

mysql_real_escape_string($_POST['username'])
mysql_real_escape_string(sha1($_POST['password']))

Then, change:

$user = mysql_query("SELECT `nickname` , `id` FROM `users` WHERE `nickname` =". $_POST['username'] . "AND `password` = " .sha1($_POST['password']));

to

$user = mysql_query("SELECT `nickname` , `id` FROM `users` WHERE `nickname` = '".$username."' AND `password` = '".$pass."'");

As it stands, your present code is open to SQL injection. Use mysqli_ with prepared statements, or PDO with prepared statements.

Add error reporting to the top of your file(s) right after your opening <?php tag error_reporting(E_ALL); ini_set('display_errors', 1); during development.

Also or die(mysql_error()) to mysql_query() to signal any errors found.

Am really sorry ..my internet connection was lost so i want able to edit my answer ..anyway the op accepted the answer ..:) — Avinash Babu, Aug 01 '14 at 16:17
@AvinashBabu Not a problem. Yeah, I had put everything together, cheers :) — Funk Forty Niner, Aug 01 '14 at 22:39

score 0 · Answer 3 · answered Aug 01 '14 at 14:32

0

You need to wrap the name and password you provided in quotes.

Concatenating the sql query can solve your error.

answered Aug 01 '14 at 14:32

Avinash Babu

6,171
3
21
26

i have re redited thanks for the mention ..and i dont know why the downvote – Avinash Babu Aug 01 '14 at 14:33
I think it would be best if you provided an example. Quotes can be anything and how they're placed. – Funk Forty Niner Aug 01 '14 at 14:36

mahesh247 · Answer 4 · 2014-08-01T14:49:07.557

-1

there is a mistake in your sql statement,you should not use the quotes in field name and wrap username and password provided

$user = mysql_query("SELECT nickname, id FROM users WHERE nickname ='". $_POST['username'] . "' AND password = '" .sha1($_POST['password'])."'");

edited Aug 01 '14 at 14:49

answered Aug 01 '14 at 14:35

mahesh247

199
3
8

I did not downvote, but probably because of `.sha1($_POST['password']."'"));` where the double quote is misplaced. It should read as `.sha1($_POST['password']."')");` – Funk Forty Niner Aug 01 '14 at 14:45
@mahesh247 - what's wrong with using backticks around field names? – andrewsi Aug 01 '14 at 14:54
in navicat in query I used the quotes around field names and it returned the fieldname instead of the real value, btw I don't use the quotes around the field names and thought it gives error thats all...bt thanks @andrewsi for clearing my confusion. – mahesh247 Aug 01 '14 at 15:10

creating a login page in php and mysql

4 Answers4