
I've been trying to create a login for my project, but I don't know what I'm doing wrong.

This is what I use to check if the button is pressed:

    if(isset($_POST['login'])){
        //Get Vars
        $username = $_POST['username'];
        $password = md5($_POST['password']);
        if(login($username, $password)){
            echo 'You have been logged in';
        } else {
            echo 'Wrong username and password';
        }
    }

This is my login function:

    function login($username, $password){

        $db = new Database();

        $query=("SELECT * FROM user
                WHERE username = $username
                AND password = $password");

        //Bind Values
        $row = $db->select($query);
        // -----------------------------------------
        $count = mysqli_num_rows($row);

        //Check Rows
        if($count == 1){
            setUserData($row);
            return true;
        } else {
            return false;
        }
        // -----------------------------------------
        // I BELIEVE THIS IS THE PART OF THE ERROR
    }

And here is my setUserData function:

    function setUserData($row){
        $_SESSION['is_logged_in'] = true;
        $_SESSION['user_id'] = $row['id'];
        $_SESSION['username'] = $row['id'];
        $_SESSION['name'] = $row['name'];
    }

I don't know if I need to start a session for this, and if I need to, where do I put the code.

Also, how can I initialize it in the code to check, let's say, if $count works, because when I simply type echo $count, it just says Unidentified variable : count

Nikola Atanasov
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Nov 30 '15 at 20:10
  • Consult the following links http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. You have syntax errors. – Funk Forty Niner Nov 30 '15 at 20:11
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Nov 30 '15 at 20:11
  • You should take a look at PHP Data Objects (PDO). http://php.net/manual/en/book.pdo.php http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059 – tylerlindell Nov 30 '15 at 20:14
  • The database connects fine, and also I'm not really worried about attacks, as this is a school project. And yes, I know it's bad practice – Nikola Atanasov Nov 30 '15 at 20:20
  • I don't think `user` is a reserved word, because I used it before and didn't have errors – Nikola Atanasov Nov 30 '15 at 20:21
  • Check this out... it is extremely well built and future proof. You can use it as a reference to the "right" way of doing this. https://github.com/panique/php-login-minimal – VIDesignz Nov 30 '15 at 20:34
  • Oh wow, this is extremely useful, thank you @VIDesignz, I will try and redo it using this code – Nikola Atanasov Nov 30 '15 at 20:58
  • @showdev `user` is a keyword, not a reserved word. There's no `(R)` next to it ;-) unlike `USE (R)` etc. – Funk Forty Niner Nov 30 '15 at 21:24

3 Answers

For educational purposes, I will list some references for rewriting your code:

  1. Sanitize $_POST with filter_input
  2. Storing the password as an md5 hash is a security flaw
  3. See session_start and session_regenerate_id
  4. Prefer PDO over the direct mysql native functions
Ragen Dazs
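The four points above put together as one login page. This is an added example, not code from the question or from any answer here; it assumes PHP 7 or later, a `user` table with columns id, username, name and a hypothetical password_hash column, and placeholder DSN/credentials.

```php
<?php
// Added example (not the asker's code). Assumed schema: table `user` with columns
// id, username, name, password_hash (VARCHAR(255), a hypothetical column name).
session_start();   // must run before any output, on every page that reads $_SESSION

function db(): PDO {
    // DSN and credentials are placeholders, not values from the page.
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // surface SQL errors
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);           // server-side prepares
    return $pdo;
}

// Point 2: store a bcrypt hash from password_hash(), never md5.
function createUser(PDO $pdo, string $username, string $name, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO user (username, name, password_hash) VALUES (?, ?, ?)');
    $stmt->execute([$username, $name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Point 4: bound parameters keep user input out of the SQL text, so the
// missing-quotes problem and SQL injection both disappear.
// Point 3: regenerate the session id as soon as the user is authenticated.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, username, name, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;   // same result for unknown user and wrong password
    }
    session_regenerate_id(true);
    $_SESSION['is_logged_in'] = true;
    $_SESSION['user_id']      = $row['id'];
    $_SESSION['username']     = $row['username'];   // the question copied $row['id'] here
    $_SESSION['name']         = $row['name'];
    return true;
}

// Point 1: read POST through filter_input; validate the username's shape but
// leave the password raw so any character is accepted.
if (filter_input(INPUT_POST, 'login') !== null) {
    $username = filter_input(INPUT_POST, 'username', FILTER_VALIDATE_REGEXP,
                             ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']]);
    $password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
    if (is_string($username) && is_string($password) && login(db(), $username, $password)) {
        echo 'You have been logged in';
    } else {
        echo 'Wrong username or password';
    }
}
```

The form that posts here still needs method="POST" and an action pointing at this script, which is what the asker's own answer found missing.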

Well, I found my error; it was the form that was making the problems, I forgot to put in method="POST" and action="login.php".

Silly me. Thank you all for helping me.

Nikola Atanasov

I guess your query should be:

    $query=("SELECT * FROM user
            WHERE username = '$username'
            AND password = '$password'");
Gouda Elalfy