-2

I'm making a PHP login that will redirect you to "admin.php" when you have logged in. This is my code so far; it worked when I echoed the rows with the username and password in, but when I added in an if and else statement it just gives me a blank screen with no error or anything. Here is my code:

NOTE: I have changed the mysql database details, but I have tested them and they all connect.

  <?php
mysql_connect("mysqlserver", "myusername", "mypassword);
mysql_select_db("mydatebase");
?>
<html>
<head>
</head>
<body>
<?php
if(isset($_POST['submit'])){
$user = $_POST['user'];
$pass = $_POST['password'];

$result = mysql_query("SELECT * FROM user WHERE name='$user' AND pass='$pass'");
$num = mysql_num_rows($result);
if($num == 0) {
echo "Incorrect UserName or Password. Please try again."; session_start();
}else{
session_start();
$_SESSION['user'] = $user;
header("Location: admin.php");
}
?>
<form action='login.php' method='post'>
UserName: <input type='text' name='user' /><br />
Password: <input type='password' name='password' /><br />
<input type='submit' name='submit' value='Login' />
</form>
<?php
 }
?>
</body>
</html>
didierc
tom
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Nov 30 '14 at 14:15
  • I intend on securing everything up once the code actually works. – tom Nov 30 '14 at 14:23

3 Answers

1

You have an error in your PHP script and error_reporting (or display_error) is turned off, and therefore you are seeing a white blank page.

This is the error: you forgot a double quote

mysql_connect("mysqlserver", "myusername", "mypassword);
-----------------------------------------------------^

Try this:

mysql_connect("mysqlserver", "myusername", "mypassword");

If this doesn't fix your problem, you must have an error somewhere else.

Try adding these two lines at the beginning of your PHP script to find the error:

error_reporting(E_ALL);
ini_set('display_errors', 'On');
Latheesan
  • The MySQL connect part, as I said, I had quickly edited to take out my details of the MySQL server and I accidentally removed a quote. I have added the error reporting part and I still have no errors, just a blank page – tom Nov 30 '14 at 14:16
1

It seems you have a syntax error in

mysql_connect("mysqlserver", "myusername", "mypassword);

You are missing a double quote; this should be

mysql_connect("mysqlserver", "myusername", "mypassword");

and the connection must be made this way:

$con = mysql_connect("mysqlserver", "myusername", "mypassword");
mysql_select_db("mydatebase",$con);

P.S. Stop using mysql_connect; use mysqli or PDO instead, because mysql is now deprecated.

Community
ryvasquez
  • As I said to the previous answerer, I accidentally removed that when I took my MySQL credentials out. The one that is being hosted does have that quote. – tom Nov 30 '14 at 14:21
  • @tom see my answer below – meda Nov 30 '14 at 14:22
1
  1. upgrade to mysqli_ or at least use mysql_real_escape()
  2. Split the 2 files
  3. Blank page means, you don't have error reporting turned on so enable it.


login.html:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
    <form action='login.php' method='post'>
        UserName: <input type='text' name='user' /><br />
        Password: <input type='password' name='password' /><br />
        <input type='submit' name='submit' value='Login' />
    </form>
</body>
</html>

login.php:

<?php
if(isset($_POST['user'], $_POST['password'], $_POST['submit'])){

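    // mysql_connect() has no database parameter (the 4th argument is $new_link),
    // so the database is selected separately.
    $con = mysql_connect("mysqlserver","username","password");
    if(!$con)
    {
       die('Could not connect : ' . mysql_error());
    }
    if(!mysql_select_db("mydatebase", $con))
    {
       die('Could not select database : ' . mysql_error());
    }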

    $user = $_POST['user'];
    $pass = $_POST['password'];


    $query = sprintf("
             SELECT * FROM user WHERE name='%s' AND pass='%s'",
                mysql_real_escape_string($user),
                mysql_real_escape_string($pass));


    $result = mysql_query($query,$con);

    if(!$result)
    {
        die('Could not execute : ' . mysql_error());
    }

    if(mysql_num_rows($result) > 0){
        session_start();
        $_SESSION['user'] = $user;
        header("Location: admin.php");
    }else{
        echo "Incorrect UserName or Password. Please try again.";
    }

    mysql_close($con);
}else{
    echo "missing form values";
}
meda
  • When using that I get Parse error: syntax error, unexpected '{' in /home/a7516168/public_html/login.php on line 2 – tom Nov 30 '14 at 14:30
  • @tom sorry, I missed a closing parenthesis here `if(isset($_POST['user'], $_POST['password'], $_POST['submit'])){` I hope you have a decent IDE because I did not test this – meda Nov 30 '14 at 14:31
  • There were some errors, I've fixed them and I get this error 'no database selected'. What's gone wrong? – tom Nov 30 '14 at 14:37
  • @tom in your code you select the database after connection; the mysql constructor allows you to pass the database name, like this `$con = mysql_connect("mysqlserver","username","password", "mydatebase");` please adjust the credentials – meda Nov 30 '14 at 14:42
  • I have done that, I added in the database to the end like that, $con = mysql_connect("blah.000webhost.com","blahblah_root","*******", "*******_blogdb"); I have checked the details with the hosting panel and it says they are correct. – tom Nov 30 '14 at 14:45
  • @tom is this the first time you attempt to log in? If the PHP is on the same server, try with localhost instead of the domain name for the server address – meda Nov 30 '14 at 14:48
  • I have fixed it by selecting the database by using mysql_select_db("mydatebase",$con); – tom Nov 30 '14 at 14:52
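
The advice given in this thread (move to mysqli or PDO and stop building the query from `$_POST` values), shown as an added example that is not code from any poster here. It assumes the `pass` column holds `password_hash()` output rather than plaintext, and it uses an in-memory SQLite database through PDO as a constructed stand-in for the MySQL server; `check_login` and `handle_login` are hypothetical names.

```php
<?php
// Constructed fixture: in-memory SQLite stands in for the MySQL server so the
// example runs offline. Against MySQL, use a DSN such as
// "mysql:host=...;dbname=...;charset=utf8mb4" and also set
// PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (name TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO user (name, pass) VALUES (?, ?)');
// The constructed username contains a quote to show it is bound as data.
$seed->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// True only when a row exists for $user and its stored hash matches $pass.
function check_login(PDO $pdo, string $user, string $pass): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT pass FROM user WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($pass, $hash);
}

// Mirrors the branches of login.php; $post stands in for $_POST.
function handle_login(PDO $pdo, array $post): string
{
    $user = $post['user'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return 'missing form values';
    }
    if (!check_login($pdo, $user, $pass)) {
        return 'Incorrect UserName or Password. Please try again.';
    }
    // In the real login.php, before any output is sent:
    //   session_start(); session_regenerate_id(true);
    //   $_SESSION['user'] = $user;
    //   header('Location: admin.php'); exit;
    return 'redirect: admin.php';
}

// Constructed requests covering each branch.
echo handle_login($pdo, ['user' => "o'brien", 'password' => 'correct horse']), PHP_EOL;
echo handle_login($pdo, ['user' => "o'brien", 'password' => 'wrong']), PHP_EOL;
echo handle_login($pdo, ['user' => "o'brien"]), PHP_EOL;
```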