登录错误密码和用户名组合

Question

<?php
session_start();

$db =mysqli_connect("localhost", "root", "","registration" );
if (isset($_POST['login_btn'])){
    $username = mysql_real_escape_string($_POST ['username']);
    $password = mysql_real_escape_string($_POST ['password']);

    $password= md5($password);
    $sql = "SELECT * FROM users WHERE username= '$username' AND password= '$password'";
    $result = mysqli_query($db, $sql);
if(mysqli_num_rows($result) == 1 ){
$_SESSION['message']= "You are now logged in";
$_SESSION['username'] = $username;

header("Location: home.php");
}else{
    $_SESSION['message'] = "Username and  password combination is incorrect";
}

}
?>

<html>
<head>

</head>
<body>
<div class="header"> <h1>login</h1></div>

<?php
if (isset($_SESSION['message'])){
    echo "<div id = 'error_msg>".$_SESSION['message']."</div>";
    unset($_SESSION['message']);
}
?>

<form method="post" name="loginform" action="login.php">
    <table>
        <tr>
            <td> Username:</td>
            <td><input type = "text" name="username" placeholder="Username" class="textInput"  required></td>
        </tr>

        <tr>
            <td> Password:</td>
            <td><input type = "password" placeholder="Password"  name="password" class="textInput" required></td>
        </tr>

        <tr>
            <td></td>
            <td><input type = "submit" name="login_btn" value="Login"></td>
        </tr>
    </table>
</form>
</body>

</html>

Hi guys, this is my login page with PHP. Apart from logging in it allows passwords which are not the same. According to the code its set to check if the two passwords are matching and if they aren't, it displays an error.

This one doesn't display an error even if the two passwords don't match. Why does it allows a user to log in with wrong passwords??

I want it to display an error when passwords don't match and in return doesn't allow logging in because of wrong credentials.

Answer 1

You are not using mysql_real_escape_string properly. You should use either mysqli_real_escape_string or use mysql_connect to connect to MySQL.

mysql_real_escape_string 's second parameter is assumed automatically if mysql_connect is used, but you are using mysqli_connect instead, that's why it's not finding any connection.

From pph website it states:

The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() had been called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

Reference: http://php.net/manual/en/function.mysql-real-escape-string.php

Try changing

 $username = mysql_real_escape_string($_POST ['username']);
 $password = mysql_real_escape_string($_POST ['password']);

to

$username = mysqli_real_escape_string($db, $_POST ['username']);
$password = mysqli_real_escape_string($db, $_POST ['password']);