I'm making a PHP login and it was working before, but I tried to make the username feature case insensitive and the code hasn't worked since. I deleted all of the stuff I added to try and make it case insensitive, i.e. strtolower(). All that displays on the page is "Please enter a username and password." but I have an HTML file that is supposed to pop up and display the login. Here is the code (I took out the personal database info in the mysql connect area):

```php
<?php

session_start();

$username = $_POST["username"];
$password = $_POST["password"];

if ($username&&$password)
{
    $connect = mysql_connect("","","") or die("No Database");
    mysql_select_db("") or die("Couldn't find database");

    // $username is interpolated straight into the SQL string
    $query = mysql_query("SELECT * FROM login WHERE     username='$username'");

    $numrows = mysql_num_rows($query);

    if($numrows !=0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        if ($username==$dbusername&&$password==$dbpassword)
        {
            echo "Login succesful. <a href='/memberarea.php'>Members</a>";
            // superglobal names are case-sensitive: $_SESSION, not $_session
            $_SESSION['username']=$dbusername;
        }
        else
            echo "Incorrect Password";
    }
    else
        die("Username does not exist");
}
else
    die("Please enter a username and password.");

?>
```
Abu Ren
  • You are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). Also, put some spaces in your code. `$username&&$password` is incredibly difficult to read. – elixenide Apr 18 '16 at 03:00
  • Do you see an error that would put this on the page only? http://prntscr.com/atldqb – Abu Ren Apr 18 '16 at 03:08
  • You also need to post the page before this one that accepts the username and password, as it would appear there is an error there in that it doesn't set the `$_POST` parameters. (Oh, and storing username in a session cookie is a *very* bad idea!) – Ken Y-N Apr 18 '16 at 03:22
  • @Abu Ren Please put {} blocks for `else` too. If you are a beginner, start learning the mysqli or PDO extensions. Please try echoing the username and password when it is posted. Try debugging through the conditions. – VipindasKS Apr 18 '16 at 03:22
  • Here is the code for the page that accepts the username and password: http://prntscr.com/atlj6t – Abu Ren Apr 18 '16 at 03:31
  • @AbuRen That's not a very useful screenshot; it doesn't reveal much. As Ken Y-N said, post the code for your form. But (1) post the *code*, not a screenshot of the code; (2) be sure it's a [mcve]; and (3) please [don't use `mysql_*`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1); the `mysql_*` functions are outdated, [deprecated](http://us3.php.net/manual/en/intro.mysql.php), and insecure. Use [`MySQLi`](http://us3.php.net/manual/en/book.mysqli.php) or [`PDO`](http://us3.php.net/manual/en/intro.pdo.php) instead. – elixenide Apr 18 '16 at 03:51
  • Also, pay attention to the red lines in your editor. It looks like your IDE is telling you that you have a file name wrong. – elixenide Apr 18 '16 at 03:52

1 Answer

I have put mysql_real_escape_string() around your post values to prevent SQL injection.

Also, mysqli is the latest way to connect to a MySQL database, but I have not added that to your code:

```php
<?php
session_start();

// mysql_real_escape_string() needs an open connection, so connect first
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");

$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

if ($username && $password)
{
    $query = mysql_query("SELECT * FROM login");

    // remember whether any row matched, so the failure message
    // is printed once after the loop
    $loggedIn = false;

    while ($row = mysql_fetch_assoc($query))
    {
        $dbusername = $row['username'];
        $dbpassword = $row['password'];

        if ($username == $dbusername && $password == $dbpassword)
        {
            echo "Login succesful. <a href='/memberarea.php'>Members</a>";
            // superglobal names are case-sensitive: $_SESSION, not $_session
            $_SESSION['username'] = $dbusername;
            $loggedIn = true;
            break;
        }
    }

    if (!$loggedIn) {
        echo "Incorrect Password";
    }
}
```
  • Why did you use the query without a where clause? If you have 1000 data & your match will be the last one, this "while" loop will perform 999 times, which is useless. – Dipanwita Kundu Apr 18 '16 at 05:34
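
An added example, not code from the question or the answer: the same login check done with a PDO prepared statement, as the comments recommend, including the case-insensitive username match the asker was originally after. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the function names and the sample account are constructed, and the `password` column is assumed to hold `password_hash()` output rather than plaintext.

```php
<?php
// Added example. findUser(), checkLogin() and the sample account are
// hypothetical names and data; SQLite stands in for MySQL (assumption).

function findUser(PDO $db, string $username): ?array
{
    // The value is bound as a parameter, so it is never parsed as SQL.
    // LOWER() on both sides gives the case-insensitive username match.
    $stmt = $db->prepare(
        'SELECT username, password FROM login WHERE LOWER(username) = LOWER(:u)'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function checkLogin(PDO $db, string $username, string $password): ?string
{
    if ($username === '' || $password === '') {
        return null;
    }
    $row = findUser($db, $username);
    // Same result for "unknown user" and "wrong password".
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['username'];   // spelling as stored in the table
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO login VALUES (?, ?)')
   ->execute(['Alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],    // different case, right password
    ['Alice', 'wrong'],            // wrong password
    ["' OR '1'='1", 'anything'],   // quote characters are treated as data
];
foreach ($attempts as [$u, $p]) {
    $who = checkLogin($db, $u, $p);
    echo str_pad($u, 14), ' => ', $who ?? 'rejected', PHP_EOL;
}
```

In the login script itself, `checkLogin()` would be called with `$_POST['username'] ?? ''` and `$_POST['password'] ?? ''`, and `$_SESSION['username']` set only when it returns a name.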