Conflict between Login form and Registeration form in the same page

Question

My website has a login form and registration form in one page.

However, the system gets confused and uses both specifically $username and $password for login in and registering when filling up. Wanting to know how to separate and let the system differentiate these inputs. New to developing these

the PHP:

<?php 
    if($_SERVER['REQUEST_METHOD'] == "POST")
    {

        $user_name = $_POST['user_name1'];
        $password = $_POST['password1'];

        if(!empty($user_name) && !empty($password) && !is_numeric($user_name))
        {


            $query = "select * from users where user_name = '$user_name' limit 1";
            $result = mysqli_query($con, $query);

            if($result)
            {
                if($result && mysqli_num_rows($result) > 0)
                {

                    $user_data = mysqli_fetch_assoc($result);
                    
                    if($user_data['password'] === $password)
                    {

                        $_SESSION['user_id'] = $user_data['user_id'];
                        header("Location: index.php");
                        die;
                    }
                }
            }
            
          
            echo "wrong username or password!";
            
        }else
        {
            header("Location: login.php");
            echo "wrong username or password!";
        }
    }

    if($_SERVER['REQUEST_METHOD'] == "POST")
    {

        $user_name = $_POST['user_name'];
        $password = $_POST['password'];
        $f_name = $_POST['f_name'];
        $l_name = $_POST['l_name'];
        $home_add = $_POST['home_add'];
        $email = $_POST['email'];
        $mob_no = $_POST['mob_no'];


        if(!empty($user_name) && !empty($password) && !is_numeric($user_name))
        {

            
            $user_id = random_num(20);
            $query = "insert into users 
(user_id,user_name,password,f_name,l_name,email,home_add,mob_no) 
                     values 
('$user_id','$user_name','$password','$f_name','$l_name','$email','$home_add','$mob_no')";

            mysqli_query($con, $query);

            header("Location: login.php");
            die;
        }else
        {
            echo "Please enter some valid information!";
        }
    }
?>

The Login and Registration form:

 enter code here<div class="c2">
                <div class="Form C">
                    <div class="form-btn">
                        <span>Login</span>
                        <span>Register</span>
 
                    </div>
                    
                    <form method="post" id="Login">
                        <input type="username" name="user_name1" placeholder="Username" >
                        <input type="password" name="password1" placeholder="Password" >
                        <button type="submit"  class="btn">Login</button>
                    </form>
                    
                     <form method="post" id="Reg" >

                        <input type="username" name="user_name" placeholder="Username" >
                        <input type="password" name="password" placeholder="Password" >
                        <input type="firstname" name="f_name" placeholder="Firstname">
                        <input type="lastname" name="l_name" placeholder="Lastname">
                        
                        <input type="email" name="email" placeholder="Email">
                        <input type="Homeaddress" name="home_add" placeholder="Home Address">
                        <input type="Mobileno" name="mob_no" placeholder="Mobile No.">
                       
                        <button type="submit"  class="btn">Register</button>
                    </form>
                </div>
            </div>

Before you go online please read about `how to prevent sql injection in php` — caramba, Oct 11 '22 at 05:25
[What is SQL injection](https://stackoverflow.com/questions/601300/what-is-sql-injection) — DarkBee, Oct 11 '22 at 06:03
"the system gets confused" - then why not use two seperate pages? — Nico Haase, Oct 11 '22 at 08:27
**Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) — Dharman, Oct 11 '22 at 12:44

score 0 · Answer 1 · answered Oct 11 '22 at 05:35

If you want separate the file of login and registration make another file example is login.php & registration.php and add action to your HTML form action="login.php"

Or you don't want to separate their file make a condition that will identify them if they're login or registration something like this

if($_SERVER['REQUEST_METHOD'] == "POST"){ 
  if(!empty($_POST['username1']) AND !empty($_POST['password1'])  ){
       //login
    }else{
      //registration
    }
 }

Or a hidden input so you can identify the login and registration

Note: Learn the how to prevent sql injection

Arian Sakhaei · Accepted Answer · 2022-10-11T08:26:37.730

We have 2 problems to solve here:

The one you see which is the form submission challenge,
The one you're missing which is securing the Login/Registration process

For the first one you can add name attribute in your html form:

...
<button type="submit" name="login" class="btn">Login</button>
...
<button type="submit" name="register" class="btn">Register</button>
...
<?php
    if($_SERVER['REQUEST_METHOD'] === "POST"){ 
        if (isset($_POST["login"]) {
            // Login
        } elseif (isset($_POST["register"]) {
            // Register
        } else {
            // throw an error page/message
            die(" >>> 400: Bad Request");
        }
    }

And now for the second problem, you need to consider the following:

After form submission, validate user input before going through any process and always use parameterized query. This can help with the attack known as SQL Injection
Secure your form against CSRF Attack, google about it first and then you'll find it easy to implement, I suggest php-csrf

Add session_regeneration_id() before $_SESSION['user_id'] = $user_data['user_id'];, google about Session Hijacking!

Good Luck!

What if the user submits the form by hitting enter and not clicking the button? — Dale, Oct 11 '22 at 08:06
@Dale interesting point! I don't know if it's the best practice but I haven't had a problem using this method so far, I think because there are two different HTML forms, when your filling one and hit enter the submit btn of the form you're filling would work. — Arian Sakhaei, Oct 11 '22 at 08:14
DAMN so helpful and I made it work now as I wanted, just getting stated going to be learning more — MeNeedHelp, Oct 12 '22 at 03:12

Conflict between Login form and Registeration form in the same page

2 Answers2