-1

I created this login page that checks whether the entered username and password match a record in the users table. But whenever I click on the submit button, nothing happens. What is the error? Here is my code:

```php
<?php
session_start();
include 'dbconnect.php';
    if (isset($_POST['submit'])) {
        if (isset($_POST['tsmUsername'])) {
            $username=$_POST['tsmUsername'];
            $_SESSION['tsmUserName']=$username;
            $password=$_POST['tsmPassword'];
        $sql="SELECT * FROM users cust_registration WHERE custName='$username' AND custPass='$password' LIMIT 1";
        $result=mysql_query($dbconnect,$sql);
        if(mysql_num_rows($result)==1)
        {
            echo "You have successfully logged in";

        }
        else{
            echo "Invalid";
        }
        }
    }
?>
<!DOCTYPE html>
<html>
<head>
    <title> THE CAR  PARK</title>
    <centre><div class="a1">
        <h3 style="color:crimson" align="centre"> WELCOME TO THE </h3>      
        </div></centre>
<centre>    <div class="a2">

<h1 style="color:crimson" align="centre"> PARK MARK </h1>

        </div></centre>
<hr>    <br>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coding Cage - Login & Registration System</title>
<link rel="stylesheet" href="style.css" type="text/css" />

</head>


    <body background="user4.png"  height="auto" width="auto" bgcolor = "#FFFFFF">

<div class="form">
<div class="container">

 <div align="center" id="login-form">
    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">

     <div class="col-md-12">

         <div class="form-group">
             <h2 style="color:crimson" class="">LOGIN</h2>
            </div>

         <div class="form-group">
             <hr />
            </div>

            <?php
   if ( isset($errMSG) ) {

    ?>
    <div class="form-group">
             <div class="alert alert-<?php echo ($errTyp=="success") ? "success" : $errTyp; ?>">
    <span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
                </div>
             </div>
                <?php
   }
   ?>



            <div class="form-group">
             <div class="input-group">
                <span class="input-group-addon"><span class="glyphicon glyphicon-user"></span></span>
            <centre><p style="color:crimson">Username</p> <input type="text" name="tsmUsername" class="form-control" placeholder="Enter Name" maxlength="50" value="<?php echo $name ?>" /></centre>
                </div>
                <span class="text-danger"><?php echo $nameError; ?></span>
            </div>

            <div class="form-group">
             <div class="input-group">
                <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
             <centre><p style="color:crimson">Password</p><input type="password" name="tsmPassword" class="form-control" placeholder="Enter Password" maxlength="15" /></centre>
                </div>
                <span class="text-danger"><?php echo $passError; ?></span>
            </div>

            <div class="form-group">
             <hr />
            </div>

      <tr>      <div class="form-group">
             <centre><button type="submit" class="btn btn-block btn-primary" name="submit">log in</button></centre>
            </div>
     <div class="hd5">

         <button><a href="welcome.php">Back To Home>></a></button>
         <button><a href="cust_register.php">Customer registration</a></button>
        <button><a href="location.php">Location</a></button>
        <button><a href="parking.php">Parking</a></button>
        <button><a href="accounts.php">Accounts</a></button>
            </div>
             <hr />

            </tr>


        </div>

    </form>
    </div> 

</div>
    </div>


</body>

<header>
    <h5 align="right" style=color:antiquewhite>Designed by: john</h5>


  </header>
</html>
<?php ob_end_flush(); ?>
```
Sᴀᴍ Onᴇᴌᴀ
David Adam
  • what happens when you click the submit button? – Rafael Shkembi Jan 09 '17 at 14:08
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 09 '17 at 14:08
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 09 '17 at 14:08
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 09 '17 at 14:09
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jan 09 '17 at 14:09
  • you don't need action="" By default, the form will load the same page – t-n-y Jan 09 '17 at 14:09
  • @t-n-y thanks but it still isn't working.. getting this error Warning: mysql_query() expects parameter 2 to be resource, string given in C:\xampp\htdocs\car_park\users.php on line 10 Warning: mysql_num_rows() expects parameter 1 to be resource, null given in C:\xampp\htdocs\car_park\users.php on line 11 – David Adam Jan 09 '17 at 14:17
  • table name has space. Enter valid table name without space in your SQL query – denny Jan 09 '17 at 14:18
  • @JayBlanchard yeah, that's the error I am getting – David Adam Jan 09 '17 at 14:19
  • `value=""` you should be getting an undefined variable notice here and `` are invalid tags. They should read as `
    ` respectively, however those tags are deprecated.
    – Funk Forty Niner Jan 09 '17 at 14:19
  • @denny there isn't any space.. it's cust_register – David Adam Jan 09 '17 at 14:20
  • which api are you using to connect with also, `mysql_` right? If other, than that's failing you. – Funk Forty Niner Jan 09 '17 at 14:20
  • what do you mean "users"? – denny Jan 09 '17 at 14:21
  • @Fred-ii- thanks. will that fix the issue? – David Adam Jan 09 '17 at 14:21
  • I don't know, try it. Also this `if(mysql_num_rows($result)==1)` if you have more than one row matching in db and what you're trying to login as, would also fail. So it's best to use `if(mysql_num_rows($result)>0)` - the `==1` is looking if there is only 1 record. – Funk Forty Niner Jan 09 '17 at 14:21
  • @denny it's the name of this file users.php – David Adam Jan 09 '17 at 14:23
  • @Fred-ii- ok will try hang on. plz don't go anywhere lol – David Adam Jan 09 '17 at 14:23
  • @Fred-ii- is still not working :/ still getting the warning error – David Adam Jan 09 '17 at 14:27
  • I asked earlier which api you used to connect with, is `mysql_` or `mysqli_` or PDO? did you use the right connection credentials? The error I saw in comments suggests that you didn't connect properly. If you assigned a variable to the connection, and if you are using `mysql_` to connect with, then `mysql_query()` would probably need an argument for it. I.e.: `mysql_query($connection)`. In other words, your query failed `mysql_error()` for the connection and the query. – Funk Forty Niner Jan 09 '17 at 14:30
  • hold on here, I just noticed this now: `$result=mysql_query($dbconnect,$sql);` you need to invert those `$result=mysql_query($sql, $dbconnect);` the connection in mysql_ comes second, not first. That's if your connection is mysql_. – Funk Forty Niner Jan 09 '17 at 14:32
  • @Fred-ii- yeah sorry, forgot to mention that.. yes I am using mysql_. Oh, so all I need is to include mysql_query($connection) and that's it? Sorry, new to PHP so it's a bit confusing. So I have to erase any lines and put this code .. Can you demonstrate the PHP part plz :/ – David Adam Jan 09 '17 at 14:32
  • I posted my answer below. – Funk Forty Niner Jan 09 '17 at 14:36

2 Answers

1

Finally, after many comments... (to which I noticed the following):

```php
$result=mysql_query($dbconnect,$sql);
```

You need to invert those two variables:

```php
$result=mysql_query($sql, $dbconnect);
```

The connection in mysql_ comes second, not first.

I also won't repeat what's already been said in comments by everyone else, including mine.


Edit:

Here's a quick rewrite in mysqli_ to help you out.

```php
<?php

    error_reporting( ~E_DEPRECATED & ~E_NOTICE ); 

    define('DBHOST', 'localhost'); 
    define('DBUSER', 'root'); 
    define('DBPASS', ''); 
    define('DBNAME', 'car_park'); 
    $conn = mysqli_connect(DBHOST, DBUSER, DBPASS, DBNAME); 

    // mysqli_error() needs a live connection; a failed connect is reported
    // by mysqli_connect_error() instead.
    if ( !$conn ) { die("Connection failed : " . mysqli_connect_error()); }
?>
```


```php
<?php
session_start();
// The db connection code above goes inside your dbconnect.php,
// which defines $conn.
include 'dbconnect.php';
    if (isset($_POST['submit'])) {
        if (!empty($_POST['tsmUsername'])) {
            $username=$_POST['tsmUsername'];
            $_SESSION['tsmUserName']=$username;
            $password=$_POST['tsmPassword'];

            // The form values are interpolated straight into the SQL string.
            $sql="SELECT * FROM users cust_registration 
                  WHERE custName='$username' 
                  AND custPass='$password' LIMIT 1";

            $result=mysqli_query($conn,$sql);

            // $result only exists once a query has run, so it is checked
            // inside the username block.
            if($result){
                if(mysqli_num_rows($result)>0)
                {
                    echo "You have successfully logged in";
                }
                else{
                    echo "Invalid"; 
                }
            } // brace for if($result)
            else {
                echo "The query failed: " . mysqli_error($conn);
            }

        } // brace for if (!empty($_POST['tsmUsername']))

  }
?>
```

But do use a prepared statement for this, your code is open to an SQL injection, and password_hash() as already stated in comments. It only makes good sense, especially in this day and age.


And if you're still wanting to use the mysql_ API:

dbconnect.php:

```php
<?php 

    error_reporting( ~E_DEPRECATED & ~E_NOTICE ); 

    define('DBHOST', 'localhost'); 
    define('DBUSER', 'root'); 
    define('DBPASS', ''); 
    define('DBNAME', 'car_park'); 

    // Check the connection before using it to select the database.
    $conn = mysql_connect(DBHOST,DBUSER,DBPASS); 
    if ( !$conn ) { die("Connection failed : " . mysql_error()); } 

    $dbcon = mysql_select_db(DBNAME, $conn); 
    if ( !$dbcon ) { die("Database Connection failed : " . mysql_error($conn)); } 

?>
```

PHP/MySQL:

```php
<?php
session_start();
// Put the above code in the dbconnect.php file
include 'dbconnect.php';
    if (isset($_POST['submit'])) {
        if (!empty($_POST['tsmUsername'])) {
            $username=$_POST['tsmUsername'];
            $_SESSION['tsmUserName']=$username;
            $password=$_POST['tsmPassword'];
            $sql="SELECT * FROM users cust_registration 
                  WHERE custName='$username' 
                  AND custPass='$password' LIMIT 1";

            // In mysql_ the query comes first and the connection second.
            $result=mysql_query($sql, $conn);

            if($result){
                echo "OK, the query did not fail.";

                // Count rows only when the query succeeded.
                if(mysql_num_rows($result)>0)
                {
                    echo "You have successfully logged in";
                }
                else{
                    echo "Invalid";
                }
            }
            else{
                echo "The query failed: " . mysql_error($conn);
            }
        }
    }
?>
```
Funk Forty Niner
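The prepared-statement and `password_hash()` advice given in the comments and in the answer above, as an added example that is not part of the original answer. It uses PDO with an in-memory SQLite database so that it runs offline (for MySQL only the DSN changes), keeps the page's `custName`/`custPass` columns, and assumes the table is named `cust_registration`; `register()` and `login()` are hypothetical helper names and the account and inputs are constructed.

```php
<?php
// Added example: PDO + in-memory SQLite so it runs offline (assumption).
// Table name cust_registration is assumed; custName/custPass come from the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cust_registration (custName TEXT PRIMARY KEY, custPass TEXT NOT NULL)');

// Registration side: store only the hash, never the plain-text password.
function register(PDO $pdo, string $name, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO cust_registration (custName, custPass) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: the username is bound as a parameter, so a quote in it is data,
// not SQL. The password never enters the query; it is checked against the hash.
function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT custPass FROM cust_registration WHERE custName = ? LIMIT 1');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                       // no such user
    }
    return password_verify($password, $hash);
}

register($pdo, 'john', 'correct horse');    // constructed sample account

// Constructed inputs: a valid login, a wrong password, and a username carrying
// a quote that would have altered the concatenated query on the page.
$attempts = [
    ['john', 'correct horse'],
    ['john', 'wrong'],
    ["john' -- ", 'anything'],
];
foreach ($attempts as [$name, $password]) {
    printf("%-12s => %s\n", $name, login($pdo, $name, $password) ? 'logged in' : 'Invalid');
}
```

In the page's script, `$_SESSION['tsmUserName']` would be assigned only after `login()` returns true, rather than before the query runs.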
0
```php
mysql_select_db($dbconnect);
mysql_query($sql);
```

OR

```php
mysqli_query($dbconnect, $sql);
```
S M Iftakhairul