
PHP help needed for Login script

When I login with the correct username and password I get an error "Wrong Username or Password" the database connection works and I think there is something wrong with the password + username check.

    <?php
    $host="mysql12-int.cp.hostnet.nl"; // Host name
    $username="u33936_mick"; // username
    $password="//password was correct"; // password
    $db_name="db33936_axe"; // Database name
    $tbl_name="users"; // Table name


    mysql_connect("$host", "$username", "$password");
    mysql_select_db("$db_name");



    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql = 'SELECT * FROM `users` LIMIT 0, 30 WHERE username="$myusername" and        
    password="$mypassword"';
    $result=mysql_query($sql);


    $count=mysql_num_rows($result);



    if($count==1){
      session_register("username");
      session_register("password");
      header("location:index.php");
    } else {
      echo "Wrong Username or Password";
    }
    ?> 

This is my form

    <form name="login" method="post" action="login.php">
        <fieldset id="inputs">
            <input id="myusername" type="text" name="myusername"
                   placeholder="Username" required="">
            <input id="mypassword" type="password" name="mypassword"
                   placeholder="Password" required="">
        </fieldset>
        <fieldset id="login.php">
            <input type="submit" id="submit" value="Login">
        </fieldset>
    </form>

Foremost, I suggest you look into transitioning away from the deprecated mysql_* family of functions in favor of mysqli ( docs ) or PDO ( docs ), neither of which requires any significant change on your part as far as code goes.

As for your specific bug, it appears that you are incorrectly concatenating the values into the query. Also, your WHERE and LIMIT order is incorrect and invalid SQL. Here is the correct form:

$sql = '
    SELECT 
        * 
    FROM 
        `users` 
    WHERE 
        username="'.$myusername.'" AND 
        password="'.$mypassword.'"
    LIMIT 0, 30 
';

It is not clear what advantage you bring by using the LIMIT statement. Either you should have one matching row, or none. If anything, I would use LIMIT 1. If you got 30 rows back, what would you do with them!?

Converting to PDO is easy! The same query in PDO would look like this:

$host="mysql12-int.cp.hostnet.nl"; // Host name
$username="u33936_mick"; // username
$password="//password was correct"; // password
$db_name="db33936_axe"; // Database name

// Read the submitted form fields from $_POST instead of relying on register_globals.
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

$pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $username, $password);
// Throw on errors so a failed connection or bad SQL is not silently ignored.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sth = $pdo->prepare('
        SELECT 
            * 
        FROM 
            `users` 
        WHERE 
            username=:username AND 
            password=:password
        LIMIT 0, 30 
');
// Bound values are sent separately from the SQL text, so no escaping is needed.
$sth->execute(array('username'=>$myusername, 'password'=>$mypassword));
$user = $sth->fetch(); // the matching row on success, false when nothing matched

Note that when you use PDO with bound parameters (shown here), you DO NOT have to sanitize with mysql_real_escape_string or addSlashes as you have done in your code.

It is not clear where you are defining $mypassword and $myusername, but if you are using registered globals then you should alter your code. Get the values directly from $_POST. addSlashes is NOT safe, and neither are registered globals.

Documentation

A few problems:

  • You should use $_POST['myusername'] etc. to get the posted variables. If you are relying on register_globals you should turn that off as it is deprecated and poses a security risk;
  • The LIMIT clause comes at the end in mysql;
  • You should not modify the sent-in information using functions like stripslashes and escape functions; instead you should use prepared statements with bound variables in PDO / mysqli, as the mysql_* functions are deprecated and passwords can contain, for example, slashes.

As a side-note, you should really salt and hash your password, don't store plain text passwords in your database.
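As an added example that is not part of the question or either answer, the script below puts the two points the answers make side by side: bound parameters instead of values spliced into the SQL text (first answer), and salted hashes instead of plaintext passwords in the `password` column (second answer). It uses an in-memory SQLite database through PDO so it runs offline with no MySQL server; the `users` table, the sample user and the attacker input are constructed for the demo, and the prepared-statement calls are the same ones you would use against MySQL.

```php
<?php
// Added example, not code from the question or either answer. It uses an
// in-memory SQLite database through PDO so that it runs offline; the site in
// the question used MySQL, but the PDO prepare()/execute() calls are the same.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// Registration: store the salted hash that password_hash() returns, never the
// plaintext. The algorithm, cost and salt are encoded in the returned string.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $sth = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $sth->execute([
        'username' => $username,
        'password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// The shape of the question's query: request values spliced into the SQL text
// and the password compared inside the query. Written without escaping to show
// what an attacker gets when the escaping is missing or bypassed.
function loginConcatenated(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username='" . $username . "'"
         . " AND password='" . $password . "' LIMIT 1";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened form: the username is a bound parameter (data, never SQL), and the
// password is checked in PHP with password_verify() against the stored hash.
function loginPrepared(PDO $pdo, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder-for-unknown-users', PASSWORD_DEFAULT);
    }

    $sth = $pdo->prepare('SELECT password FROM users WHERE username = :username LIMIT 1');
    $sth->execute(['username' => $username]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Verify against a dummy hash so an unknown user takes as long as a
        // wrong password; otherwise response time reveals which names exist.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password']);
}

function check(bool $actual, bool $expected, string $what): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected result for: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample data and attacker input for the demo.
registerUser($pdo, 'mick', 'correct horse battery staple');
$payload = "mick' -- ";   // closes the quoted username, comments out the password check

check(loginConcatenated($pdo, $payload, 'anything'), true,  'concatenated query: bypassed by injected username');
check(loginPrepared($pdo, $payload, 'anything'),     false, 'prepared query: payload is just an unknown username');
check(loginPrepared($pdo, 'mick', 'correct horse battery staple'), true,  'prepared query: correct credentials');
check(loginPrepared($pdo, 'mick', 'wrong'),          false, 'prepared query: wrong password');
```

Run it with `php login_demo.php`; it needs the pdo_sqlite extension, which ships with PHP. The concatenated variant is bypassed because the `--` in the username turns the rest of the WHERE clause into a comment, so the password is never compared at all; in the prepared variant the same bytes are sent as a parameter value, match no row, and the login fails. Note that the bypass works even though the stored password is a hash, which is why hashing alone does not substitute for bound parameters, and bound parameters alone do not protect the passwords if the table is ever dumped.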
