Login verification with existing database user (PHP)

Question

I'm new to PHP and i'm trying to create a Login system without using template code. The registration form that I connected to the following code completly works and saved users into my database without any problem.

Now, here is my login code. I have created several users to test this out using my registration form. This is what I have in PHP:

<?php

session_start();

include_once('classes/connection.php');

if(isset($_POST['username']))
    {

if(!empty($_POST['username']) && !empty($_POST['password']))
{
    $username = mysqli_real_escape_string($link, $_POST['username']);
    $password = md5(mysqli_real_escape_string($link, $_POST['password']));

     $checklogin = mysqli_query($link, "SELECT * FROM tblusers WHERE username = '".$username."' AND password = '".$password."'");

    if(mysqli_num_rows($checklogin) == 1)
    {
        $row = mysqli_fetch_array($checklogin);
        $username = $row['username'];
        $email = $row['email'];
        $name = $row['name'];
        $surname = $row['surname'];

        $_SESSION['Username'] = $username;
        $_SESSION['Email'] = $email;
        $_SESSION['Name'] = $name;
        $_SESSION['Surname'] = $surname;
        $_SESSION['LoggedIn'] = 1;

        header('location: index.php');
    }
    else
    {
        $feedback= "<p>Your account was not found, please try again.</p>";
    }        
} else 
{   
    $feedback= "<p>Please fill in all the blank areas.</p>";
}
    }

?>

here is the HTML connected to this:

<article>
                <?php if(isset($feedback)): ?> <!-- BEGIN FEEDBACK -->
                    <div id="feedback">
                <?php echo $feedback ?>

                    </div>
                <?php endif; ?>
                <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
                    <h2>Login</h2>

                    <table><tr>
                        <td>Username:</td>
                        <td><input size="10%" id="username" class="form-text" name="username"type="text"/></td></tr>
                    <tr>
                        <td>Password:</td>
                        <td><input size="10%" id="password" class="form-text" name="password" type="password"/></td>
                    </tr>
                    <tr>
                        <td></td>
                        <td><input name="loginknop" type="submit" value="Login" />
                        <a href="register.php">No account? Click here!</a></td>
                    </tr></table>
                </form>
                </article>

To me, this all seems correct and would be able to function. However, every time i test out this login, with for example: USERNAME: TEST and PASSWORD: TEST123 (which is already inside my database, as a potential user), i get my feedback saying: "Your account was not found, please try again."

So my questions being: 1) How can i fix this? i believe my code is correct but i have no idea why it keeps telling me my account does not exist.

2) Suggestions on how to improve or shorten this code are appreciated as well, i'm eager to learn

Answer 1

You just have to add some debug code lines to your php-file, so You can find where the problem is.

For example:

if(!empty($_POST['username']) && !empty($_POST['password']))
{
    echo "You entered: username={$_POST['username']}, password={$_POST['password']}<br>";
    $username = mysqli_real_escape_string($link, $_POST['username']);
    $password = md5(mysqli_real_escape_string($link, $_POST['password']));

    echo "Your username after escaping: {$username}<br>";
    echo "Your password after scaping and MD5: {$password}<br>";

    $checklogin = mysqli_query($link, "SELECT * FROM tblusers WHERE username = '".     
    $username."' AND password = '".$password."'");

    echo "Count of users with the same username and password = " . mysqli_num_rows($checklogin);

    $checkusername = mysqli_query($link, "SELECT * FROM tblusers WHERE username = '". $username."'");
    echo "Count of users with the same username = " . mysqli_num_rows($checkusername);

    $checkpass = mysqli_query($link, "SELECT * FROM tblusers WHERE password = '". $password."'");
    echo "Count of users with the same password md5 = " . mysqli_num_rows($checkpass);


    if(mysqli_num_rows($checklogin) == 1)
    {
        $row = mysqli_fetch_array($checklogin);
        $username = $row['username'];
        $email = $row['email'];
        $name = $row['name'];
        $surname = $row['surname'];

        $_SESSION['Username'] = $username;
        $_SESSION['Email'] = $email;
        $_SESSION['Name'] = $name;
        $_SESSION['Surname'] = $surname;
        $_SESSION['LoggedIn'] = 1;

        //header('location: index.php'); <-- comment it to see debug info
}

After that you can see what is the problem. As I see now it could be:

1. You sending username or password in a wrong POST-variables
2. You storing your username or password in some different format

PS And If it doesn't help you, please, post here output of all this echos, that you have gained after login try!

Answer 2

This line:

$password = md5(mysqli_real_escape_string($link, $_POST['password']));

takes the data you enter into the screen TEST123 and creates an MD5 hash of it. So it is going to look like this:

22b75d6007e06f4a959d1b1d69b4c4bd

So if as you say your database has a

username = 'TEST'
password = "TEST123'

When you do your query

$checklogin = mysqli_query($link, "SELECT * FROM tblusers WHERE username = '$username' AND password = '$password' ");

$password will = 22b75d6007e06f4a959d1b1d69b4c4bd but tabuser.password will = 'TEST123' therefore the row will not be selected!