php login error checking script with sql

Question

I am making a website and login feature which is connected to a database. I have written the script and it does login and logout but it just log in even if the form fields are empty for example if I don't put anything in username and password field it still logs in. I have checked and tested my database is connected with the PHP file on the server. I have tried so many things after researching online but all waste of my time and I still am unable to get it working properly,

my code is :

<?php
   if (isset($_POST['loginsubmit'])){

    $query = "SELECT user_id, password FROM users WHERE username = '".$_POST['username']."'";
    $result = mysql_query($query) or die (mysql_error());
    $row = mysql_fetch_array($result);

if ($row['password'] == $_POST['pword']){

    $_SESSION['id'] = $row['user_id'];
    $_SESSION['loggedin'] = true;
}else{

    $_SESSION['id'] = 0;
    $_SESSION['loggedin'] = false;

}}

if (isset($_SESSION['loggedin'])==true){

    echo "<p> Hello " . "$_POST[username]"." <a href='logout.php'>LogOut </a> </p>";
}else {
 echo "<p>You are NOT logged in</p>\n";
}

What I am looking to do is to check:

A username has been entered in the form
A password has been entered in the form
The username/password combination entered in the form are correct and user actually exists in the database.

Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). [You need to prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Jay Blanchard, Apr 16 '15 at 21:28
thanks Jay Blanchard for your reply, i need to implement that error checking in place so far it is working but it does log in without anything in the form fields — , Apr 16 '15 at 21:30

Rasclatt · Answer 1 · 2015-04-16T22:45:58.960

See if doing a "set-or-not" approach works for you. Aside from not using any of the mysql_ functions, I have notated some things to look into:

<?php
    // You probably have this, but make sure session_start() is on the top of page
    session_start();
    if (isset($_POST['loginsubmit'])){
            // If you use PDO or mysqli_ with prepared statements,
            // you don't need to escape the post, but in your case
            // you do (sql injection hazard)
            $query  =   "SELECT user_id, password FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."'";
            $result =   mysql_query($query) or die (mysql_error());
            $row    =   mysql_fetch_array($result);

            // You really need to insert encrypt/decrypt routine here for the password
            // Storing plain-text passwords is bad news.

            if (isset($row['password']) && ($row['password'] == $_POST['pword']))
                $_SESSION['id'] =   $row['user_id'];

            // Don't even set a session attribute here.
            // When you check stuff for logged in or logged out,
            // you would just check if the $_SESSION['id'] is even set
            // If it is, logged in, if not, then logged out
        }

    // The problem in your code is likely this line:
    // if (isset($_SESSION['loggedin'])==true)
    // Should be: if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true)
    // That being said, I am not sure the point of setting session variables
    // in the instance of not logged in.

    // Check that it's set at all
    if(isset($_SESSION['id']))
        // You need to strip_tags or htmlspecialchars() this post
        echo "<p> Hello " . htmlspecialchars($_POST['username'])." <a href='logout.php'>LogOut </a> </p>";
    else
        echo "<p>You are NOT logged in</p>\n";
?>

wow Rasclatt Many thanks for your input but m just a bigginer with php and sql and only a small simple 3/4 pages website nothing big. i absolutely have no clue what you just said :( — , Apr 16 '15 at 22:43
Ha ha ha, that's funny. Ok, well what I am saying is you are setting a `$_SESSION['loggedin']` whether you log in or not which doesn't make sense. Try my code and see if it works — Rasclatt, Apr 16 '15 at 22:51
As for all the comments, when you get a bit further in your coding experience, what I have notated will make sense. — Rasclatt, Apr 16 '15 at 22:52

php login error checking script with sql

1 Answers1