Simple PHP SQL Login Troubleshooting

Simple PHP SQL login troubleshooting

Firstly, handling the errors during the development is very important so we check if our post are present, we check if we connected to the database, we check if our query passed and is OK to run, we check the parameters we are giving to the query and we finally execute the query.

After that you can use bind_result to name a variable to receive the fields from your query, like I have done.

Notice how on my query I am using ? that is a prepared statement that we define using the bind_param this is to avoid SQL injection, in your current code, SQL Injection is still possible since you're not sanitizing your variables.

Another mistake I believe you're doing is storing passwords as plain text that is VERY VERY WRONG, you should always encrypt the password to protect your users and yourself. That's why I do not include the password on my MySQL query, I first use only the user, if the user is found I then use the password he posted to match the retrieved password from the database, in this case I am using bcrypt to do the task which is a very secure encryption library.

See here how to use bcrypt.

Only after I see that the password is valid I am then placing the data into the session and redirecting the user.

Besides all the errors I have pointed out at the bottom of my answer, here is how I would write your code.

<?php
session_start();
include_once('bcrypt.php');
// Your database info
$db_host = '';
$db_user = '';
$db_pass = '';
$db_name = '';

if (!isset($_POST['Username']))
{
    echo 'Fill in the username...';
    exit;
}

if (!isset($_POST['Password']))
{
    echo 'Fill in your password...';
    exit;
}

$con = new mysqli($db_host, $db_user, $db_pass, $db_name);
if ($con->connect_error)
{
    die('Connect Error (' . $con->connect_errno . ') ' . $con->connect_error);
}

$sql = "SELECT Username, Password FROM `Members` WHERE Username = ?";
if (!$result = $con->prepare($sql))
{
    die('Query failed: (' . $con->errno . ') ' . $con->error);
}

if (!$result->bind_param('s', $_POST['Username']))
{
    die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}

if (!$result->execute())
{
    die('Execute failed: (' . $result->errno . ') ' . $result->error);
}

$result->store_result();
if ($result->num_rows == 0)
{
    die('No username found...');
}

$result->bind_result($db_username, $db_password);
$result->fetch();
$result->close();
$con->close();

$bcrypt = new Bcrypt(15);
if ($bcrypt->verify($password, $db_password))
{
    $_SESSION['Username'] = $db_username;
    header('location:login_success.php');
    exit;
}
else
{
    echo 'Wrong Username or Password';
}

NOTE: The above code is merely an example and was not tested, if you notice any error with it let me know.

Some of the errors I have noticed on the code you have posted:

You're missing the closing ; over here:

$sql = "SELECT * FROM $Members WHERE Username = '$Username' and Password = '$Password'"

Also on your query you have $Members but you have no $Members variable defined anywhere in your code, did you perhaps meant to say Members instead, as in:

$sql = "SELECT * FROM `Members` WHERE Username = '$Username' and Password = '$Password'";

Shouldn't this 

$count = mysql_num_rows($result);

Be

$count = mysqli_num_rows($result);‌

And 

$result=mysqli_query($sql);

Be

$result=mysqli_query($sql_connection, $sql);

You have no query on the below part of the mysqli_query

if (!mysqli_query($sql_connection))

Very Simple PHP + MySql Login Form Not Working?

You are checking for

if(isset($_POST['submit'])){

...but $_POST['submit'] will never be set, because you didn't give any of your form controls a name="submit" attribute.

Change the submit button to this:

<input type='submit' name='submit' value='Login' />

Please also sanitise your database input, preferably by means of parameterised queries.

Simple PHP and MySqli Login Form Not Working

Try the following login script, modify defines as needed, but please, look into PDO/MySQLi prepared statements as specified to prevent sql injection as well as the the built in function password_hash to prevent malicious users seeing the actual password in the database - https://www.php.net/manual/en/function.password-hash.php

<?php

    define('DB_HOST', 'host');
    define('DB_USER', 'pass');
    define('DB_PASS', '');
    define('DB_NAME', 'dbname');

    function redirect_to($location){
        header("Location: $location");
        exit;
    }

    if (isset($_POST['login'])) {

        $customerid = $_POST['customerid'];
        $password = $_POST['password'];

        // processing remember me option and setting cookie with long expiry date
        if (isset($_POST['remember'])) {
            session_set_cookie_params('604800'); //one week (value in seconds)
            session_regenerate_id(true);
        }

        $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        # check connection
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }

        $sql = "SELECT * from users WHERE customer_id ='$customerid' AND password = '$password' LIMIT 1";
        $result = $mysqli->query($sql);
        if (!$result) {
            die($mysqli->error);
        }
        if ($result->num_rows != 1) {
            echo '<script type="text/javascript">';
            echo 'alert("Wrong Customer ID or Password!")';
            echo '</script>';
            echo "<div><h6 align='center' style='color: red;'>Wrong Customer ID or Password!</h6></div>";
        } else {
            // Authenticated, set session variables
            $user = $result->fetch_array();
            $_SESSION['user_id'] = $user['customer_id'];
            $_SESSION['email'] = $user['email'];

            // update status to online
            $sql = "UPDATE users SET log_status= '$timestamp' WHERE customer_id={$_SESSION['user_id']}";
            $result = $mysqli->query($sql);

            redirect_to("dashboard.php?id={$_SESSION['user_id']}");
            // do stuffs
        }
    }
?>

<form method="POST">
    Username<input name="customerid"></input>
    Password<input type="password" name="password"></input>
    <input name="login" type="submit" value="Login" />
</form>

simple login php not working

mysql_query

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning
resultset, mysql_query() returns a resource on success, or FALSE on
error.

Use mysql_num_rows()

Retrieves the number of rows from a result set.

$result = mysql_query(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'",$con));
$row = mysql_num_rows($result);
if ($row > 0) {
   header('location:admin.html');

} else {
echo "Login Failed.<a href=index.html>Re Login</a";

}

Note

Mysql is deprecated instead use mysqli or PDO

Don't store plain password into database use hashing technic

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/faq.passwords.php

To prevent from sql injection check How can I prevent SQL injection in PHP??

Simple php and sql login form not working

Interchange the positions of your parameters in your mysql_select_db function bass the name of your database first then pass the connection. You must remember this is a predefined function and it is defined to accept parameters in a certain order therefore it expects that the first parameter passed to the function is going to be the database name.

You should have 

mysql_select_db("formcolumn",$con);

also why not try something along the lines of this:

$sql = "select * from data1_table where username='$username' and password='$password'";
$result = mysql_query($sql,$con);
$row= mysql_fetch_assoc($result);

Simple PHP/MySQL Login script - always failing

Your submit button has the same name as your username field.

<input name="login" type="submit" value="Login">

change it to something else.

Eg:

<input name="loginBtn" type="submit" value="Login">

And also change

if($sql->num_rows > 0)

to

if($result->num_rows > 0)

Related Topics

How to Read Gzip-Ed Response from Stackoverflow API in PHP

Generating a Single Entity from Existing Database Using Symfony2 and Doctrine

How to Get the Subversion Revision Number in PHP

Is It Recommended to Store PHP Sessions in Memcache

Download CSV File Using "Ajax"

Warning: Pdo::_Construct(): [2002] No Such File or Directory (Trying to Connect via Unix:///Tmp/Mysql.Sock) In

Apache Mod Rewrite for Laravel

Update Query with Pdo and MySQL

Getting Actual Value from PHP Simplexml Node

Unique Ips in a Voting System

Decrementing Alphabetical Values

Running Composer Returns: "Could Not Open Input File: Composer.Phar"

PHP - Get Numeric Index of Associative Array

Save PHP Variables to a Text File

How to Convert Word Smart Quotes and Em Dashes in a String

Codeigniter - Using Multiple Databases

How to Parse JSON into a HTML Table Using PHP

Improve Password Hashing with a Random Salt


Leave a reply



Submit