-2

I'm trying to get a small login page working and connecting to my tbl_Users table on my MySQL database. I have tried my best to set up code that will check the values entered in the home page's form and link them to the table on my database. But whenever I try to do a false login or an actual login, all that gets generated is a blank page and I have no idea where I'm going wrong. Can someone point me in the right direction please.

Home_Page.php

<!DOCTYPE HTML>
<html>
<head>
<title>Please Login</title>
</head>
<body>

<form action="Login.php" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Log in">
</form>

</body>
</html>

Login.php

<?php
// The original line had no ';' after the include: that is a parse error, and with
// display_errors off a parse error renders as exactly the blank page described above.
include ('DatabaseConnect.php');

$username = $_POST['username'];
$password = $_POST['password'];

if ($username && $password)
{
    // $username is interpolated straight into the SQL string (SQL injection), and the
    // mysql_* extension is deprecated and removed in PHP 7; see the comments on this question.
    $query = mysql_query("SELECT * FROM tbl_Users WHERE User_Name='$username'");

    $numrows = mysql_num_rows($query);

    if ($numrows != 0)
    {
        while ($row = mysql_fetch_array($query))
        {
            $dbusername = $row['User_Name'];
            $dbpassword = $row['Password'];
        }

        // The closing ')' of this condition was missing (second parse error).
        // This also compares the submitted password against a plaintext column.
        if ($username == $dbusername && $password == $dbpassword)
        {
            echo ("Welcome");
        }
        else
            echo ("Incorrect Password");
    }
    else
        die("That user doesn't exist!");
}
else
    die("Please enter a valid username & password");
?>

Tbl_Users Create Code

CREATE TABLE `tbl_Users` (
  `User_id`    int(11)      NOT NULL auto_increment,
  `First_Name` varchar(32)  NOT NULL,
  `Last_Name`  varchar(32)  NOT NULL,
  `Email`      varchar(100) NOT NULL,
  `User_Name`  varchar(100) NOT NULL,
  `Password`   varchar(100) NOT NULL,
  `User_level` int(11)      NOT NULL,
  `Tickets_id` int(11)      NOT NULL,
  PRIMARY KEY (`User_id`),
  KEY `Tickets_id` (`Tickets_id`),
  CONSTRAINT `tbl_Users_ibfk_1` FOREIGN KEY (`Tickets_id`) REFERENCES `tbl_Tickets` (`Tickets_id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1
Henry Green
  • And what's the error you get? `Please enter a valid username & password` ? – Daniel Dudas Mar 30 '16 at 16:00
  • I don't even get that. I get a blank page. – Henry Green Mar 30 '16 at 16:02
  • 1
    Looks like there is a semicolon missing after the include. – Oisin Mar 30 '16 at 16:03
  • 1
    Consult these following links http://php.net/manual/en/function.mysql-error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. Your connection API is also unknown. – Funk Forty Niner Mar 30 '16 at 16:03
  • Stop using the **deprecated and as of PHP7 removed** mysql_* functions. Migrate to PDO and start using Prepared Statements. – Charlotte Dunois Mar 30 '16 at 16:03
  • You're using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php) and are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) against. You're using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and should [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of passwords. – Quentin Mar 30 '16 at 16:03
  • Btw, you're not intending on going live with this, are you? Using `mysql_` with no data escaping / plain text password storage. – Funk Forty Niner Mar 30 '16 at 16:05
  • Indent your control blocks. You don't need `$username==$dbusername`; you know that matches up because the SQL wouldn't have returned if it didn't. You need to sanitize data before sending to SQL or preferably use parameterized queries with an up-to-date driver. – chris85 Mar 30 '16 at 16:07
  • 3
    Wow... what's with these answers below?! They don't even "answer/address" the "real" problem. – Funk Forty Niner Mar 30 '16 at 16:08
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Mar 30 '16 at 16:13
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 30 '16 at 16:13
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Mar 30 '16 at 16:13
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Mar 30 '16 at 16:14
  • 1
    I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Mar 30 '16 at 16:42
  • `if ($username&&$password)` is no doubt causing some problems because of spacing. – Jay Blanchard Mar 30 '16 at 16:44
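The comments above all point at the same three fixes: turn error reporting on so a parse error is not a blank page, replace the interpolated `mysql_query()` with a prepared statement, and replace the plaintext password comparison with `password_hash()` / `password_verify()`. The following is an added example written for this page, not the asker's code or any of the commenters'. It runs against an in-memory SQLite database so it can be executed stand-alone (the DSN in `connect()` is the only line that changes for MySQL); the table is a simplified copy of tbl_Users with the Tickets_id foreign key left out, and the sample user and password are constructed for the demonstration. The Password column is widened to 255 because the PHP manual recommends room for future `password_hash()` output to grow.

```php
<?php
// Added example (not from the original question): the same login flow using PDO
// prepared statements and password_hash()/password_verify() instead of mysql_*
// and a plaintext comparison. Assumption: in-memory SQLite stands in for MySQL;
// for MySQL use e.g.
//   new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', $user, $pass,
//           $opts + [PDO::ATTR_EMULATE_PREPARES => false]);
declare(strict_types=1);

// Surface errors instead of a blank page (the original symptom). In production
// log them (log_errors=On) rather than showing them to the visitor.
error_reporting(E_ALL);
ini_set('display_errors', '1');

function connect(): PDO
{
    $opts = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw, never silently return false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    return new PDO('sqlite::memory:', null, null, $opts);
}

// Simplified tbl_Users (assumption: Tickets_id foreign key omitted so this runs alone).
function create_schema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE tbl_Users (
        User_id    INTEGER PRIMARY KEY AUTOINCREMENT,
        User_Name  VARCHAR(100) NOT NULL UNIQUE,
        Password   VARCHAR(255) NOT NULL,
        User_level INTEGER NOT NULL DEFAULT 1
    )');
}

function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO tbl_Users (User_Name, Password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // salted bcrypt, never plaintext
    ]);
}

// Returns the user's row on success, null on any failure. "No such user" and
// "wrong password" both return null so the page cannot be used to enumerate
// valid usernames (the original code leaked that distinction).
function login(PDO $pdo, string $username, string $password): ?array
{
    if ($username === '' || $password === '') {
        return null;
    }
    // The value is bound as a parameter and never parsed as SQL, so an input
    // like ' OR '1'='1 is simply a username that does not exist.
    $stmt = $pdo->prepare('SELECT User_id, User_Name, Password, User_level
                           FROM tbl_Users WHERE User_Name = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    // Transparently upgrade the stored hash if PASSWORD_DEFAULT's cost/algorithm changes.
    if (password_needs_rehash($row['Password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE tbl_Users SET Password = :p WHERE User_id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['User_id']]);
    }
    unset($row['Password']); // never hand the hash to the rest of the page
    return $row;
}

// Stand-alone demonstration with constructed sample data.
$pdo = connect();
create_schema($pdo);
register_user($pdo, 'henry', 'correct horse battery staple');

$cases = [
    ['henry', 'correct horse battery staple'], // the valid credential
    ['henry', 'wrong-password'],              // wrong password
    ["' OR '1'='1", "' OR '1'='1"],           // the classic injection string
    ['nobody', 'anything'],                   // unknown user
];
foreach ($cases as [$u, $p]) {
    $user = login($pdo, $u, $p);
    printf("%-16s %s\n", json_encode($u),
        $user ? "Welcome, {$user['User_Name']}" : 'Invalid username or password');
}
```

Only the first case is accepted; the other three all produce the same "Invalid username or password" line. In a real Login.php the `$cases` loop is replaced by `login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')`, and the `session_start()` / `$_SESSION` handling on success is left out here because the question does not cover it.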

2 Answers

0

MySQL functions are deprecated since PHP 5.5.

You need to use the new and improved MySQLi functions.

http://php.net/manual/en/book.mysqli.php

Also I recommend you check your caught $_POSTs at the start of your PHP script, as this can make your life a lot easier later on, and is good practice:

<?php
// Read each expected field only if the form actually sent it; an unset
// $_POST key would otherwise raise a notice and leave the variable undefined.
if (isset($_POST['username']))
{
    $username = $_POST['username'];
}
else
{
    // Redirect or echo an error message
    die('Username is required');
}

if (isset($_POST['password']))
{
    $password = $_POST['password'];
}
else
{
    // Redirect or echo an error message
    die('Password is required');
}
Tommy
0

If you are new to PHP you should really use a template or tutorial code for this. Your current solution is vulnerable to SQL injections and stores passwords in plain text which means anyone can get the passwords of all your users with about 2 minutes of effort. A quick google search turned up this which you might find helpful: http://www.html-form-guide.com/php-form/php-login-form.html

Kyle Goodale
  • You're not addressing the *real* problem with their code. – Funk Forty Niner Mar 30 '16 at 16:10
  • Fair enough, but the point of a login system is usually to control access. If OP leaves such a huge vulnerability open he is going to have lots of problems down the road. Better to correct the mistake early or at least make him aware of it. – Kyle Goodale Mar 30 '16 at 16:15
  • The application isn't going live. It's a local application used just to help display data from my database. – Henry Green Mar 30 '16 at 16:19
  • If you find the data valuable enough to protect with a password you still may find it worthwhile to just add mysqli_real_escape_string() to the username and password just so it can't be SQL injected. – Kyle Goodale Mar 30 '16 at 16:27
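The last comment suggests `mysqli_real_escape_string()` as a minimal fix, and earlier comments say parameterized queries are preferable. The example below, added for this page and not part of the thread, shows the difference concretely: escaping only protects input that lands inside a quoted string literal, while an unquoted numeric comparison written in the same "escape it" habit is still injectable, and validating the type and binding it as a parameter closes both. It runs on in-memory SQLite so it is stand-alone; `escape_only()` is a stand-in for `mysqli_real_escape_string()` (it doubles quote characters and, like the real function, adds no surrounding quotes), and the two rows are constructed sample data.

```php
<?php
// Added example, not code from the original thread: escaping versus binding.
// Assumption: in-memory SQLite and a quote-doubling stand-in for
// mysqli_real_escape_string(); the behaviour is the same against MySQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE tbl_Users (User_id INTEGER PRIMARY KEY, User_Name TEXT NOT NULL)');
$pdo->exec("INSERT INTO tbl_Users VALUES (1, 'henry'), (2, 'admin')"); // constructed rows

// Stand-in for mysqli_real_escape_string(): doubles the quote character but,
// like the real function, does NOT add the surrounding quotes for you.
function escape_only(string $s): string
{
    return str_replace("'", "''", $s);
}

// (a) Escaped input inside a quoted literal: the classic payload is neutralised
//     because every quote in it is now part of the string, not SQL syntax.
function names_escaped_string(PDO $pdo, string $name): array
{
    $sql = "SELECT User_Name FROM tbl_Users WHERE User_Name='" . escape_only($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// (b) The same escaping applied to a numeric column, written without quotes:
//     the payload contains no quote character, so escaping leaves it untouched
//     and the OR clause is executed as SQL.
function names_escaped_numeric(PDO $pdo, string $id): array
{
    $sql = 'SELECT User_Name FROM tbl_Users WHERE User_id=' . escape_only($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// (c) Validate the type, then bind: the value is data, never SQL text.
function names_bound(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // not an integer: refuse instead of guessing
    }
    $stmt = $pdo->prepare('SELECT User_Name FROM tbl_Users WHERE User_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$stringPayload  = "' OR '1'='1";
$numericPayload = '1 OR 1=1';

echo 'escaped string,  payload: ', json_encode(names_escaped_string($pdo, $stringPayload)), "\n";
echo 'escaped numeric, payload: ', json_encode(names_escaped_numeric($pdo, $numericPayload)), "\n";
echo 'bound,           payload: ', json_encode(names_bound($pdo, $numericPayload)), "\n";
echo 'bound,           id 2:    ', json_encode(names_bound($pdo, '2')), "\n";
```

Case (b) returns every user even though the input was "escaped"; cases (a) and (c) return nothing for the payloads, and (c) returns only the requested row for a legitimate id. That is why the comments above favour prepared statements over escaping: binding does not depend on the developer remembering which SQL context each value lands in.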