0

I have the following HTML file where the user will enter their username and password and click on the submit button.

    <form Name ="form1" Method ="POST" ACTION = "userlogin.php" id="form1">
        <div id="main_body" class="full-width">
            <label>Username:</label>
            <input type = "text"
                   id = "usernameLogin"
                   name="pat_username">
            <label>Password:</label>
            <input type = "password"
                   id = "passwordLogin"
                   name="pat_password">
            <input type="submit" onclick="click_button_login()" value="Login" name="submit" id="submit"/>
        </div>
    </form>

The PHP file should then connect to my database and check whether the user's details entered are correct. The database connection is there as I have tested this before. Once the user clicks on the submit button this error appears: Cannot POST /http-services/emulator-webserver/ripple/userapp/x/C/xampp/htdocs/xampp/glove_project_php/www/userlogin.php

    <?php
    if(isset($_POST["submit"])){
        $servername = "localhost";
        $username = "root";
        $password = "";
        $dbname = "dbname";

        // Create connection
        $conn = new mysqli($servername, $username, $password, $dbname);

        //Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }

        $newUsername = mysqli_real_escape_string($conn, $_POST['pat_username']);
        $newPassword = mysqli_real_escape_string($conn, $_POST['pat_password']);

        $result = $conn->query("SELECT * FROM tablename WHERE patient_username ='$newUsername' AND patient_password='$newPassword'");

        if (mysqli_num_rows($result)) {
            header("Location: mainmenu.html");
        }
        else
        {
            header("Location: index.html");
        }
        $conn->close();
    }
    ?>

Is there a different way of calling this PHP file to work on an emulator? This code works perfectly on localhost.

Arend
user20051996
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Apr 01 '16 at 18:50
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Apr 01 '16 at 18:50

2 Answers

0

Why are you checking if $_POST["submit"] exists in the $_POST superglobal? I believe you should be checking if the variables you sent are set:

Change:

    if(isset($_POST["submit"]))

to:

    if ((isset($_POST["pat_username"]))&&(isset($_POST["pat_password"])))

and let me know if the error persists.

Webeng
  • I thought when the form submitted, check the PHP code. I changed that line but I am still receiving the same error :( I have been stuck on this for ages – user20051996 Apr 01 '16 at 20:04
  • @user20051996 I recommend that you do the following: create a new page called "userlogin2.php", change ACTION = "userlogin.php" to ACTION = "userlogin2.php", and then in userLogin2.php put: "; ?> what you have to do now is debug what you have wrong and when you have a whole page full of code that could fail, it's easier to test 1 thing at a time. If userlogin2.php fails, then you narrowed down what the problem could be, and if it doesn't fail, you know the problem lies in another part of your code. – Webeng Apr 01 '16 at 20:16
  • Where will I put ' "; ?>' ? – user20051996 Apr 01 '16 at 20:18
  • I added that line to userLogin2.php and the same error appeared. This works fine on localhost but on the emulator I am working on the 'cannot post' error appears. – user20051996 Apr 01 '16 at 20:24
  • You are working on an emulator? You mean a website that emulates PHP for you so that you can practice in a different environment? If that is the case, maybe the emulator site doesn't allow using the $_POST superglobal. I would recommend you use "www.000webhost.com". That site gives you free database access, free webhosting. I only recommend using that site for educational purposes (practicing PHP/MySQL, etc.) since it is completely free and takes about 5 minutes to have your free hosting and domain ready. After you get better, you can get paid hosting somewhere else. Let me know if that fixes it – Webeng Apr 01 '16 at 20:34
0
Your form: you should be working on security and eliminating auto submission. This eliminates auto submission, as the form contains SESSION_ID(), which is unique to the web browsing session.

    <Form Name ="form1" Method ="POST" ACTION = "userlogin.php" id="form1">
    <div id="main_body" class="full-width">
        <br>
        <br>                      
                    <label>Username:</label>
                    <input type = "text"
                           id = "usernameLogin"
                           name="pat_username"> <br>

                <br>    <label>Password:</label>
                    <input type = "password"
                           id = "passwordLogin"
                           name="pat_password"> <br><button value="<?php echo session_id() ?>" type="submit" name="login_check">Login</button>

   </div>
   </Form>

Your login check page: there is so much security risk. Passwords should be encrypted. Please use SALT, hash/md5/sha for encryption. Also, for the query use sprintf like this; it's just an example though:

    // sprintf example code
    // $query = sprintf('SELECT * FROM TABLE WHERE username = "%s" AND password = "%s"',
    //     mysqli_real_escape_string($conn, $username),
    //     mysqli_real_escape_string($conn, $password));
    // example ends here

    <?php
    // session_id() returns an empty string unless session_start() has been
    // called, both on the page that renders the form and on this page.
    if(isset($_POST["login_check"]) && $_POST['login_check']==session_id()){
        $servername = "localhost";
        $username = "root";
        $password = "";
        $dbname = "dbname";

        // Create connection
        $conn = new mysqli($servername, $username, $password, $dbname);

        //Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }

        $newUsername = mysqli_real_escape_string($conn, $_POST['pat_username']);
        $newPassword = mysqli_real_escape_string($conn, $_POST['pat_password']);

        $result = $conn->query("SELECT * FROM tablename WHERE patient_username ='$newUsername' AND patient_password='$newPassword'");

        if (mysqli_num_rows($result)) {
            header("Location: mainmenu.html");
        }
        else
        {
            header("Location: index.html");
        }
        $conn->close();
    }
    ?>
Ash
  • Hi, thank you so much for your help, although I am still having the same problem: Cannot POST /http-services/emulator-webserver/ripple/userapp/x/C/xampp/htdocs/xampp/glove_project_php/www/userlogin.php. Have you any other advice? This error has been bugging me for weeks and I can't seem to fix it :( – user20051996 Apr 01 '16 at 20:16
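
The prepared-statement and `password_hash()` advice from the comments on the question, and the query and password handling raised in the second answer, applied to this login check. This is an added example, not code from any poster on this page. It assumes `patient_password` stores `password_hash()` output; `check_login()` and the `patient` session key are names chosen for illustration.

```php
<?php
// Added example. Assumes patient_password stores password_hash() output,
// e.g. written at registration with password_hash($plain, PASSWORD_DEFAULT).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: true only when the user exists and the password matches.
function check_login(mysqli $conn, string $user, string $pass): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $conn->prepare(
        'SELECT patient_password FROM tablename WHERE patient_username = ?'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was read, null when none matched
    $stmt->close();

    // Compare against the stored hash; the plaintext never appears in a query.
    return $found === true && password_verify($pass, $hash);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && isset($_POST['pat_username'], $_POST['pat_password'])
    && is_string($_POST['pat_username'])
    && is_string($_POST['pat_password'])) {

    // Connection values as given in the question.
    $conn = new mysqli('localhost', 'root', '', 'dbname');
    $conn->set_charset('utf8mb4');

    session_start();
    if (check_login($conn, $_POST['pat_username'], $_POST['pat_password'])) {
        session_regenerate_id(true);                    // fresh session ID after login
        $_SESSION['patient'] = $_POST['pat_username'];  // hypothetical session key
        $target = 'mainmenu.html';
    } else {
        $target = 'index.html';
    }
    $conn->close();

    header('Location: ' . $target);
    exit;   // stop executing once the redirect header is sent
}
```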