Login page is connected to my database but login doesn't recognise the username or password that is stored in the database?

Question

Here is the code for the login part. The problem I beleive is where this line starts ----> if (mysqli_num_rows($result) == 1)

I think that is the start of the problem as the page does not redirect to the other page upon the click.

If anybody has any ideas, that would be greatly appreciated.

<?php 
    session_start();
    ob_start();

    // connect to database
    $db = mysqli_connect("localhost", "root", "", "authentication");
    if (isset($_POST['login_btn'])) {

      $_SESSION['message'] = "";
      $username = mysqli_real_escape_string($db,$_POST['username']);
      $username = $_POST['username'];
      $password = mysqli_real_escape_string($db,$_POST['password']);

      $password = md5($password); // remember we hashed password before storing  last time
      $sql = "SELECT * FROM users WHERE username ='$username' AND password='$password'";
      $result = mysqli_query($db, $sql);

      if (mysqli_num_rows($result) == 1) {

        $_SESSION['username'] = "You are now logged in";
        $_SESSION['password'] = $username;
        session_write_close();

        header("location:register.php"); //redirect to home page
        exit();
      }else{

        $_SESSION['message'] = "Username/password combination incorrect";
      }
    }
?>

MD5 password hashing has been useless for _years_. It's entirely insecure. Don't roll your own password hashing; use [`password_hash()`](https://secure.php.net/manual/en/function.password-hash.php) and [`password_verify()`](https://secure.php.net/manual/en/function.password-verify.php) instead. — ChrisGPT was on strike, Mar 25 '17 at 18:10
you had better post your form for this and btw; you shouldn't be escaping passwords. One such as `123'\abc` is perfectly valid. — Funk Forty Niner, Mar 25 '17 at 18:16
please echo something after if (mysqli_num_rows($result) == 1) { if you get the echo then my answer is correct — Sugumar Venkatesan, Mar 25 '17 at 18:19
@vSugumar *"if you get the echo then my answer is correct"* - it isn't. I can assure you. — Funk Forty Niner, Mar 25 '17 at 18:19
chill dude. No one is arguing. Have patience. Tolerance is good thing to have — Shahbaz A., Mar 25 '17 at 18:21
this question is receiving too much "bad" attention. Check for errors, post your html form like I asked, `var_dump();` and run this off of localhost rather than `file:///` if that's what you're doing. also make sure you did create a valid MD5 password to start with and that the column for it is long enough to hold that "unsafe" hash. there.... that's your homework for today; good luck. — Funk Forty Niner, Mar 25 '17 at 18:22
This is bad. There are lots of errors here. Firstly, why would you use md5?? Also why store errors in a session variable? Also why are you escaping passwords?? That's a feature of a strong password — Rotimi, Mar 25 '17 at 18:27
if your code works please post it we want to know the problem? — Sugumar Venkatesan, Mar 25 '17 at 18:31

Login page is connected to my database but login doesn't recognise the username or password that is stored in the database?

0 Answers0