-2
<body>
    <div class="login-card">
        <h1>Log-in</h1><br>
        <form action="incident-form.php" method="POST">
            <input type="text" name="username" placeholder="Username">
            <input type="password" name="password" placeholder="Password">
            <input type="submit" name="submit" class="login login-submit" value="Login">
        </form>

        <div class="login-help">
            <a href="#">Register</a> <a href="#">Forgot Password</a>
        </div>
    </div>

</body>
</html>

<?php
    $connect = mysql_connect("localhost", "root", "");
    mysql_select_db("aid");

    if (isset($_POST['submit'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        $query = mysql_query("SELECT * FROM users WHERE username='".$username."'");

        if (mysql_num_rows($query) > 0){
            while($row = mysql_fetch_assoc($query)) {
                if ($row = ['password'] == $password){
                    echo "Successfully logged in!";
                }else{
                    echo "Wrong password";
                }
            }
        }else{
            echo "Username not found";
        }
    }
?>

I'm using phpMyAdmin with PHP 5.5. My db name is aid and table is users. The form is there, the db and table are there but it goes straight to the target page on submit without checking the users.

Francisco
  • 10,918
  • 6
  • 34
  • 45
Co2
  • 343
  • 1
  • 14
  • Change this: if `($row = ['password'] == $password){` to this: `if ($row['password'] == $password){`. – RockMyAlgorithm Nov 23 '15 at 02:13
  • Reading through your question, are you expecting the php script to run on the form submit before the form moves to `incident-form.php`? – dops Nov 23 '15 at 02:23
  • @RockMyAlgorithm, thanks but still does not work. – Co2 Nov 23 '15 at 02:24
  • 4
    ... and stop using `mysql_` (especially since you are running PHP 5.5). Use [mysqli](http://stackoverflow.com/q/26476162/3899908) or PDO instead. – worldofjr Nov 23 '15 at 02:24
  • Yes i'd like the php script to verify the user before going to the next page when the user is verified. – Co2 Nov 23 '15 at 02:24
  • your form target is _incident-form.php_, is script above _incident-form.php_? – David Nov 23 '15 at 02:27
  • @Co2, try _Logan Wayne's answer_ and try to read about [this SO question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – RockMyAlgorithm Nov 23 '15 at 02:35

3 Answers3

5

Change your action tag first.

<form action="" method="POST"> <!-- MEANS THAT PAGE WILL SUBMIT ON SELF FIRST -->

Your if condition inside your while loop should be:

if ($row['password'] == $password){

Then use header() to redirect user to incident-form.php if login is successful.

header("LOCATION:incident-form.php"); /* PUT THIS INSIDE YOUR IF CONDITION */

At least use *_real_escape_string() to prevent SQL injection.

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

But still, use mysqli_* rather than the deprecated mysql_* API.

Community
  • 1
  • 1
Logan Wayne
  • 6,001
  • 16
  • 31
  • 49
1

PHP doesn't work like that, the server processes on a request sent. You will have to either move your code to the top of the incident-form.php and only show that content when it logs in or you will have to put this code on an page in-between, point the form there and use header functions to redirect or you would have to build a javascript call to the to the code and block the submit based on the result.

To expand a on a solution for you. You will need three pages

  1. Your form which points to login-redirect.php

  2. The login page which contains the following code

    $connect = mysqli_connect("localhost", "root", "", "aid");
if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM users";
    $result = mysqli_query($connect, $query);
    while($row = mysqli_fetch_assoc($result)) {
        if ($row['username'] == $username && $row['password'] == $password) {
            header("Location: incedent-form.php");
        } else{
            header("Location: login-form.php");
        }
    }
} else {
    header("Location: login-form.php");
}
    1. The incident-form.php
dops
  • 800
  • 9
  • 17
0

Try this also don't give the user a hint of what is wrong with the login also use the redirect function HERE IS THE CODE: 

if (!function_exists('redirect_to')) {
   function redirect_to($new_location) {
      header("Location: " . $new_location);
      exit;
   } 
}
<?php
$connect = mysqli_connect("localhost", "root", "", "aid");
if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM users";
    $result = mysqli_query($connect, $query);
    while($row = mysqli_fetch_assoc($result)) {
            if ($row['username'] == $username && $row['password'] == $password) {
                echo "Successfully logged in!";
                redirect_to("dashboard.php");
            } else{
                echo "Login Is wrong";
            }
        }
    } else{
        echo "Username/Password not found";
    }
    }
}
?>
lyndact
  • 1
  • 3
  • 23
  • 1
    and also put your php above the html – lyndact Nov 23 '15 at 02:29
  • Thanks very much, it works now but only if I take out the action to go to the next page. But I kinda need it to go to the next page after login. Now it just stays on the login page :/ – Co2 Nov 23 '15 at 02:36
  • depending on where the OP uses it, the security logic is correct, considering only users within a company are able to log in (where usernames are standard). If higher security is required then hinting should be removed. – davejal Nov 23 '15 at 02:37
  • @Co2i added the redirect function in the answer – lyndact Nov 23 '15 at 04:03