PHP中的用户名和密码问题

Question

I am trying to create a login form with PHP but it cannot login. I get incorrect password/username instead. I have triple checked the credentials in the database and they are correct. Please help

Here is the code

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link rel="stylesheet" href="css/style.css" />
</head>
<body>
<?php
     require('db.php');
     session_start();
     // If form submitted, insert values into the database.
     if (isset($_POST['username'])){
         $username = $_POST['username'];
         $password = $_POST['password'];
         $username = stripslashes($username);
         $username = mysqli_real_escape_string($connection,$username);
         $password = stripslashes($password);
         $password = mysqli_real_escape_string($connection,$password);
         //Checking is user existing in the database or not
         $query = "SELECT * FROM `backuser` WHERE username='".$username."' and password='".md5($password)."'";
         $result = $connection->query($query) or die(mysqli_error());
         $rows = mysqli_num_rows($result);
         if($rows==0){
             $_SESSION['username'] = $username;
             header("Location: index.php"); // Redirect user to index.php
         }else{
             echo " <div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
         }
     }else{
?>
<div class="form">
<h1>Log In</h1>
<form action="" method="post" name="login">
<input type="text" name="username" placeholder="Username" required />
<input type="password" name="password" placeholder="Password" required />
<input name="submit" type="submit" value="Login" />
</form>
</div>
<?php } ?>
</body>
</html>

Answer 1

You have an error in your logic. Change if($rows==0) to if($rows!=0) . If the user is in DB, you should have at least 1 record returned and mysqli_num_rows() should return a number >= 1 .

Answer 2

Sarasvati's answer appears to fix your immediate issue, however I would like to also suggest:

• Use PHP Password hashing built in functions (PHP 5.5+ and 5.3) for hashing passwords. MD5 is not cyptographically secure and is not advised for password storage or checking.

• If you are new to PHP it is very very much worth your time exploring using Prepared Statements with your code. This seperates code from user input and so greatly reduces the risk of SQL injection and Database Compromise .

• When you have a header which redirects you should be immediately following this header with an exit statement, as the rest of the PHP code will still be run before the header is followed.

    $_SESSION['username'] = $username; header("Location: index.php"); // Redirect user to index.php exit; 

• Do not use text editing functions such as stripslashes() on password fields, if someone has a slash in their password, it will be stripped and they will not be able to log in. Passwords should be any character, not just az or 0-9 etc.

• For MySQLi_ [procedural] error reporting you need to provide the connection details:

   die(mysqli_error($connection)); 

  otherwise the report will not give you anything.

• PHP session_start() should be before anything is output to the browser, so this needs to be at the very top of your PHP page. ( Thanks to Nitin for this, I missed this originally ) .

Answer 3

The problem is that i had not allocated enough storage(character length) in my database to store the hash value. I adjusted the length value to 30 and it works like a charm.