-3

Why, if I enter a valid username and password, does it work, but when I enter a fake password it doesn't work? Below is my script.

Sign-In.html:

```html
<!DOCTYPE html>
<html lang="">
<head>
<title>LOG-IN</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<link href="../layout/styles/layout.css" rel="stylesheet" type="text/css" media="all">
</head>
<body id="top">
<div class="wrapper row1">
  <header id="header" class="hoc clear"> 
    <h1><a href="../index.html">Melis & Morganti</a></h1>
    <p>Hardware Information</p>
  </header>
</div>
<div class="wrapper row4">
  <nav id="mainav" class="hoc clear"> 
    <ul class="clear">
       <li class="active"><a href="index.html">Home</a></li>
      <li><a class="drop" href="#">ACCOUNT</a>
        <ul>
          <li><a href="Sign-In.html">LOG-IN</a></li>
          <li><a href="registrazione3.html">REGISTER</a></li>
        </ul>
    </ul>
  </nav>
</div>
<div class="wrapper bgded overlay" style="background-image:url('../images/demo/backgrounds/login.jpg');">
  <section id="breadcrumb" class="hoc clear"> 
    <ul>
      <li><a href="#">Home</a></li>
      <li><a href="#">LOG-IN</a></li>
    </ul>
    <h6 class="heading">LOG-IN</h6>
  </section>
</div>
<div class="wrapper row3">
  <main class="hoc container clear"> 
    <div class="content"> 
      <div id="gallery">
        <figure>
          <body id="body-color">
<div id="Sign-In">
<fieldset style="width:30%"><legend>Inserisci i tuoi dati</legend>
<form method="POST" action="connectivity.php">
Utente <br><input type="text" name="user" size="40"><br>
Password <br><input type="password" name="pass" size="40"><br>
<input id="button" type="submit" name="submit" value="Log-In">
</form>
</fieldset>
</div>
</body>
        </figure>
      </div>
    </div>
    <div class="clear"></div>
  </main>
</div>
<div class="wrapper row4">
  <footer id="footer" class="hoc clear"> 
    <div class="one_third first">
      <h6 class="heading">Sede Legale</h6>
      <ul class="nospace btmspace-30 linklist contact">
        <li><i class="fa fa-map-marker"></i>
          <address>
          Via Teano
          </address>
        </li>
        <li><i class="fa fa-phone"></i> +00 0612345678</li>
        <li><i class="fa fa-envelope-o"></i> infohardware@MelisMorganti.com</li>
      </ul>
    </div>
    <div class="one_third">
      <h6 class="heading"> </h6>
      <ul class="nospace linklist">

      </ul>
    </div>
    <div class="one_third">
      <h6 class="heading">Newsgroup</h6>
      <p class="nospace btmspace-30">Ricevi aggiornamenti</p>
      <form method="post" action="#">
        <fieldset>
          <legend>Newsletter:</legend>
          <input class="btmspace-15" type="text" value="" placeholder="Name">
          <input class="btmspace-15" type="text" value="" placeholder="Email">
          <button type="submit" value="submit">INVIO</button>
        </fieldset>
      </form>
    </div>
  </footer>
</div>
<div class="wrapper row5">
  <div id="copyright" class="hoc clear"> 
    <p class="fl_left">Copyright &copy; 2017 - All Rights Reserved - <a href="#">Melis - Morganti: Hardware Information</a></p>
  </div>
</div>
<a id="backtotop" href="#top"><i class="fa fa-chevron-up"></i></a>
<!-- JAVASCRIPTS -->
<script src="layout/scripts/jquery.min.js"></script>
<script src="layout/scripts/jquery.backtotop.js"></script>
<script src="layout/scripts/jquery.mobilemenu.js"></script>
</body>
</html>
```

And this is the connectivity.php:

```php
<?php
error_reporting(E_ALL ^ E_DEPRECATED);
define('DB_HOST', 'localhost');
define('DB_NAME', 'login');
define('DB_USER','root');
define('DB_PASSWORD','');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Impossibile connettersi: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Impossibile connettersi: " . mysql_error());
/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn() {
    session_start();
    //starting the session for user profile page
    if(!empty($_POST['user']))
    {
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());
        if(!empty($row['userName']) AND !empty($row['pass']))
        {
            $_SESSION['userName'] = $row['pass'];
            echo "Sei loggato con successo";
            echo "<script> window.location.assign('index_success.html'); </script>";
        }
        else
        {
            echo "ID o password sbagliata";
        }
    }
}
if(isset($_POST['submit']))
{
    SignIn();
}
?>
```

Why doesn't it work? I tried to use header(), but it doesn't work. When I use a real username and password, it works: it shows "Sei loggato con successo" for 0.1 milliseconds and it redirects me to "index_success.html". But when I use a fake username or fake password, it sends me to "connectivity.php" without a message or error. It is blank!

liquide
  • 5
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 15 '17 at 18:14
  • 5
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 15 '17 at 18:14
  • 5
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 15 '17 at 18:14
  • It is a "localhost", used to learn. I don't use it, it is for school! :D – Francesco Morganti May 15 '17 at 18:15
  • 4
    If you don't have time to do it right the first time, when will you find the time to add it later? I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. – Jay Blanchard May 15 '17 at 18:16
  • Have you checked your error logs? You're making an assumption the query is working. Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard May 15 '17 at 18:16
  • Yes! I tried. It always shows a blank page – Francesco Morganti May 15 '17 at 18:17
  • 1
    Then you must check your error logs. – Jay Blanchard May 15 '17 at 18:18
  • 3
    `'$_POST[user]'` is wrong. It should be `'{$_POST['user']}'`. Same for password. But this code is so insecure you could drive a bread truck through it. – Jay Blanchard May 15 '17 at 18:20
  • It doesn't work when I don't use a username, when I don't use a password, and when I don't use them. So, it never works! It works only when I use a true username or true password – Francesco Morganti May 15 '17 at 18:21
  • We know that. You don't have to repeat the problem. – Jay Blanchard May 15 '17 at 18:21
  • Tried to change the '$_POST[user]' to '{$_POST['user']}'. It doesn't work, same as before – Francesco Morganti May 15 '17 at 18:23
  • is your `SignIn()` function expected to be executed only if the username and password are correct? if so, you should move it inside the `if` statement which executes for correct username and password. I am convinced it is your sign-in function, echo something right before it and see if it displays on the blank white page. If it does, your code executed as expected until that function. – coderodour May 15 '17 at 18:24
  • 1
    OK. Your query is failing when the password or username is not correct. Therefore `$row` fails because there is no array to be fetched. Your `if` fails at that point because `$row` is not what you expect it to be and causes PHP's WSOD (White Screen of Death). – Jay Blanchard May 15 '17 at 18:26
  • coderodour, could you write me the true full code please? – Francesco Morganti May 15 '17 at 18:26
  • Tried to echo something before SignIn() function. It shows the echo for 0.1 milliseconds and after it starts the SignIn() function – Francesco Morganti May 15 '17 at 18:29
  • 2
    **loved** the `it is for school!` followed by `could you write me the true full code please?` ^^ (getting some pop-corn and laying back into the couch... ^^) – OldPadawan May 15 '17 at 18:38
  • 2
    IM(very)HO, you do right and it complies with SO rules : answer and warnings at once. It's more about your comment `Let's not teach/propagate sloppy and dangerous coding practices` -> should be the **REAL** rule to follow ! the rest is up to you :) you're far more an experienced coder, I'm just a passionate old teacher with few little skills... EDIT: *do or do not, there is no try*, we should help sharing *good and proper* knowledge, not let crap happen or spread the seeds of bad teaching. It's more than 99% of the time the teacher's fault... – OldPadawan May 15 '17 at 18:46
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard May 15 '17 at 19:03
  • Done! Thank you everyone and sorry for the problem. It was my first problem. Thank you another time – Francesco Morganti May 15 '17 at 19:18

1 Answer

4

WARNING: Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe!

DANGER: Please stop using mysql_* functions. These extensions have been removed in PHP 7. Learn about prepared statements for PDO and MySQLi and consider using PDO, it's really pretty easy.

Here is how to fix your problem using the mysql_* API with proper hashing of the password:

```php
<?php
error_reporting(E_ALL ^ E_DEPRECATED);
define('DB_HOST', 'localhost');
define('DB_NAME', 'login');
define('DB_USER','root');
define('DB_PASSWORD','');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Impossibile connettersi: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Impossibile connettersi: " . mysql_error());
session_start();

function SignIn($user, $pw) {
    $user = mysql_real_escape_string($user);
    $query = mysql_query("SELECT * FROM UserName where userName = '{$user}'") or die(mysql_error());
    // No "or die()" on the fetch: an unknown user is not a query error.
    // mysql_fetch_array() returns false and mysql_error() is empty, so die()
    // here would end the script on a blank page.
    $row = mysql_fetch_array($query);
    if(!empty($row))
        {
        // $row['pass'] must hold a hash created with password_hash()
        if(password_verify($pw, $row['pass']))
            {
                // The column is userName, as in the query above
                $_SESSION['userName'] = $row['userName'];
                echo "Sei loggato con successo";
                echo "<script> window.location.assign('index_success.html'); </script>";
            }
        else
            {
                echo "ID o password sbagliata";
            }
        }
    else
    {
        // No row for this user name
        echo "There is a problem";
    }
}

if(isset($_POST['submit']))
    {
        SignIn($_POST['user'], $_POST['pass']);
    }
?>
```

In this code I have used PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Community
Jay Blanchard
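
The prepared-statement and password-hashing approach that the comments and the answer recommend, as an added example that is not code from the question or the answer. It assumes the `pdo_sqlite` extension and an in-memory database so it runs offline; the function name `signIn` and the sample account are constructed, while the table and column names are the ones from the question.

```php
<?php
// Added example, not the answer's code. Assumes the pdo_sqlite extension and an
// in-memory database so it runs offline; with MySQL only the DSN changes.
declare(strict_types=1);

function signIn(PDO $pdo, string $user, string $pw): bool
{
    // Placeholder binding: the user name is sent as data, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT userName, pass FROM UserName WHERE userName = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches, not an error

    // Same answer for "unknown user" and "wrong password", so the caller can
    // always print a message instead of ending on a blank page.
    return $row !== false && password_verify($pw, $row['pass']);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE UserName (userName TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Constructed sample account: only the password_hash() output is stored.
$ins = $pdo->prepare('INSERT INTO UserName (userName, pass) VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // known user, bad password
    ['nobody', 'whatever'],       // unknown user: fetch() returns false
    ["o'brien", 'x'],             // quote in the input is bound as plain data
];
foreach ($attempts as [$u, $p]) {
    $msg = signIn($pdo, $u, $p) ? 'Sei loggato con successo' : 'ID o password sbagliata';
    echo str_pad($u, 10), $msg, PHP_EOL;
}
```

In the web script, call `session_regenerate_id(true)` before storing the user name in `$_SESSION` on a successful login.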