
Recently I've been trying to set up my first login page, and I set it up correctly on my localhost (XAMPP). But when I uploaded everything to my cPanel (including setting up a database in phpMyAdmin), whenever I go to my index(.php) and click on my login page (login.php), it returns this error on a blank page: "failed to connect!" Here are the contents of my "login.php" file, if that even helps. Any help is appreciated!

EDIT: the error is occurring on my website "https://nexium.cc"; I'm using Namecheap hosting :)
The error happens on this page: "https://nexium.cc/login.php" from the main page: "https://nexium.cc/index.php"

```php
<?php

session_start();

    include("connection.php");
    include("functions.php");


    if($_SERVER['REQUEST_METHOD'] == "POST")
    {
        //something was posted
        $user_name = $_POST['user_name'];
        $password = $_POST['password'];

        if(!empty($user_name) && !empty($password) && !is_numeric($user_name))
        {

            //read from database
            $query = "select * from users where user_name = '$user_name' limit 1";
            $result = mysqli_query($con, $query);

            if($result)
            {
                if($result && mysqli_num_rows($result) > 0)
                {

                    $user_data = mysqli_fetch_assoc($result);

                    if($user_data['password'] === $password)
                    {

                        $_SESSION['user_id'] = $user_data['user_id'];
                        header("Location: index.php");
                        die;
                    }
                }
            }

            echo "wrong username or password!";
        }else
        {
            echo "wrong username or password!";
        }
    }

?>


<!DOCTYPE html>
<html>
<head>
    <title>Nexium/Login</title>
</head>
<body>

    <style type="text/css">
    body{

    font-family: Monaco, "Lucida Console", monospace;
    font-weight: normal;
    width: 100;
    background-image: url('bg.jpg');
    background-repeat: no-repeat;
    background-color: black;
    background-size: cover;
    background-position: center;
    min-height: 100vh;
}

.ui-home{

    margin-top: 10px;
    text-align: center;
    list-style-type: none;
    font-family: Monaco, "Lucida Console", monospace;
    font-weight: normal;
    font-style: bold;
    margin-left: -35px;
}

.ui-home:hover{
    color: #fb00ff;
    font-style: bold;
    text-transform: uppercase;
    text-transform: none;
}


#box {
    text-align:center;
    padding-top: 390px;
}

.signup-bottom:hover{
    color: #551a8b;

}

.signup-bottom{
    color: white;
}

#button{
    color:#551a8b;
}


#text{
    border-radius: 5px;
    height:20px;

}
    </style>

    <div id="box">

        <form method="post">
            <div style="font-size: 30px;margin: 10px;color: white;">Login</div>

            <input id="text" type="text" name="user_name"><br><br>
            <input id="text" type="password" name="password"><br><br>

            <input id="button" type="submit" value="Login"><br><br>

            <a class="signup-bottom" href="signup.php">Click to Signup</a><br><br>
        </form>
    </div>
</body>
</html>
```


M. Eriksson
vys
  • 1
    You don't actually show the connection in your code block. You updated your `mysqli_connect` call with your new correct parameters, right? I'm assuming that's in "connection.php". Also *insert obligatory SQL injection warning here*. – Liftoff Jun 27 '21 at 07:32
  • I'm really new to php and backend, could you elaborate? I'm sorry if it's annoying dealing with new "web developers" – vys Jun 27 '21 at 07:34
  • I'm assuming your mysqli_connect call is in your connection.php file. Your server host, username, password, and db could be different from your local test machine. Did you update those details after uploading to your server or are they *exactly* the same? Otherwise you'll get a failed connection. And SQL injection is definitely possible with unprepared statements. Just give that a google and a read. If this website is for the public you definitely want to adopt prepared statements. – Liftoff Jun 27 '21 at 07:36
  • Yes, my mysqli_connect file is in my connection.php file. – vys Jun 27 '21 at 07:39
  • Ohh, here are the contents of the file: – vys Jun 27 '21 at 07:40
  • 2
    In your cpanel you should have your database credentials under your mysql settings. I can't say for sure but would bet the host is not localhost on a namecheap shared host. Other than that, make sure the username, password, and database name match what you see in your cpanel. I also 100% guarantee your username is **not root**. Every shared host I've ever used provides you with a prefixed username (unless this is a VPS and not a shared host, but I doubt that). – Liftoff Jun 27 '21 at 07:44
  • Your DB info is not a security risk since it's running on localhost, no-one can access it anyway. The hosting provider will have blocked external access. But you shouldn't be logging your web application in as root anyway, you should create a specific account in MySQL for the application, which has only the permissions it actually needs in order to run. In fact there may already be one - check the database user settings in cPanel – ADyson Jun 27 '21 at 07:46
  • Share the error .... `if (mysqli_errno($con)) { echo "mysql error is ".mysqli_error($con); }` – Indra Kumar S Jun 27 '21 at 07:47
  • dude holy shit lmao this is all so confusing to me. I'm so used to only HTML and CSS and a little bit of Python. So in what I've done there's none of this backend stuff to deal with. I'm also kind of an idiot, so all of this makes no sense. – vys Jun 27 '21 at 07:49
  • spoonfeed time >:) – vys Jun 27 '21 at 07:50
  • 3
    Also, before going live, check: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Luuk Jun 27 '21 at 07:50
  • I watched a tutorial on how to do this, but that's about as far as my knowledge goes when it comes to SQL. Imma just wait til I know a bit more before taking this big of a leap. – vys Jun 27 '21 at 07:54
  • 1
    @vys you need to tell your code where the database server is that you are connecting to, how to authenticate yourself to that server and what the name of the database on the database server is (you can have many databases on a server). Originally you had XAMPP which just runs a database server on your local machine (host `localhost`) and with basically no real authentication (user `root` = can do everything, empty password). In your cloud hosting environment this will be different, you have to find the databases section in your cPanel and create a database there and [...] – CherryDT Jun 27 '21 at 07:57
  • 1
    [...] it'll show you in some way how to connect to it. In some environments you get presented a precreated username and password, in some cases you'll have to create your own user and set your own password for it. Also the host may or may not be `localhost`, often shared hosters run separate database servers with a hostname like `db123.somecloudthing.com`. Once you know the correct connection details for your environment (hostname, username, password, and the database name which may again either be preset by the provider or maybe you can set it yourself), you can update them in your code too. – CherryDT Jun 27 '21 at 07:59
  • 3
    @vys: about SQL injection: just bear in mind that the criminals won't wait for you to get comfortable with mitigation. If you go live with those security vulnerabilities wide open, then it's just a matter of time until some criminal's automatic bot discovers your site and its vulnerability and exploits it to install malware on your server and send spam from it, add it to a botnet or serve phishing sites from it, or worse. So it's best to learn and think about that before deploying anything that is publicly accessible. It's OK for learning if you deploy it in a password-protected folder. – CherryDT Jun 27 '21 at 08:04
  • okay, thank you for this advice. I'll take down my login on the website and just go back to having no password protected system. Any way I can learn more about this? Maybe we can talk about this more? Thanks again! – vys Jun 27 '21 at 08:06
  • 1
    See also the article that Luuk linked you to earlier, that has good examples in it. – ADyson Jun 27 '21 at 08:13
  • 1
    Maybe this helps: https://www.acunetix.com/blog/articles/prevent-sql-injection-vulnerabilities-in-php-applications/ (ignore step 7 to run their software, I didn't want to promote it, I just think it's summarizing it well) – CherryDT Jun 27 '21 at 08:14
  • 1
    _Side note:_ Never ever store passwords in plain text! Use password_hash() and password_verify(). If you're just getting started, I would recommend learning [PDO](https://www.php.net/manual/en/book.pdo.php) over MySQLi, since PDO is not only more powerful, but also easier to learn and use. And when looking for tutorials, make sure they aren't too old and that they use PDO for the database connection, prepared statements instead of injecting variables into the queries directly and password_hash() before storing passwords and password_verify() when validating passwords. – M. Eriksson Jun 27 '21 at 08:55
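
The prepared-statement and password_hash()/password_verify() advice from the comments above, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database so it runs without a server; the function names, the sample account and the DSN placeholders are assumptions, while the `users` columns follow the question's code.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite, so no server is needed.
// On the real host only the DSN and credentials change, for example
//   new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS')
// where DB_HOST, DB_NAME, DB_USER and DB_PASS are placeholders for the
// values shown on the cPanel database page (a dedicated user, not root).
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on database errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        user_id   INTEGER PRIMARY KEY,
        user_name TEXT UNIQUE,
        password  TEXT
    )');
    return $pdo;
}

// Signup side: store only a hash of the password, never the password itself.
function register_user(PDO $pdo, string $user_name, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
    $stmt->execute([$user_name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: returns the user_id on success, null on any failure.
function check_login(PDO $pdo, string $user_name, string $password): ?int
{
    // The ? placeholder sends $user_name as data, separate from the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE user_name = ? LIMIT 1');
    $stmt->execute([$user_name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for an unknown user and a wrong password.
    if ($row === false || !password_verify($password, (string) $row['password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

$pdo = open_demo_db();
register_user($pdo, 'alice', 'correct horse battery staple'); // constructed sample account

var_dump(check_login($pdo, 'alice', 'correct horse battery staple')); // valid credentials
var_dump(check_login($pdo, 'alice', 'wrong password'));               // wrong password
var_dump(check_login($pdo, "al'ice", 'anything')); // a quote in the name is compared as data
```

In `login.php`, the `check_login()` result would replace the `$user_data['password'] === $password` comparison, with `session_regenerate_id(true)` called before setting `$_SESSION['user_id']`.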

0 Answers