stackoom
  简体   繁体   中英

Error in if statement for user login page PHP

 原文  2014-02-27 15:48:21       php/ mysql

Question

I am creating this page for as a login system, the database connects fine, I don't see any errors or get any errors, the problem is when I enter right username and password i get this:

"SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY..."

and when I enter an incorrect username and password I get a blank page. 

<?php
include_once("db_connection.php"); 

$userName = $_POST['user'];
$password =  $_POST['password'];

if($userName == "" || $password == ""){
echo "Fill in both field";
exit;
}

function SignIn(){
session_start();   //starting the session for user profile page
if(!empty($_POST['user']))   //checking the 'user' name which is from Sign-In.html, is it empty or have some text
{
    $query = mysql_query("SELECT * FROM Customer WHERE userName = '$_POST[user]' AND password = '$_POST[password]'") or die(mysql_error());
    $row = mysql_fetch_array($query) or die(mysql_error());
    if(!empty($row['userName']) AND !empty($row['password']))
    {
        $_SESSION['userName'] = $row['password'];
        echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";

    }
    else
    {
        echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
    }
}
}
if(isset($_POST['submit']))
{
SignIn();
}

?>

here is the HTML so everyone can see what I am trying to do: 

<!DOCTYPE HTML>
<html>
<head>
<title>Sign-In</title>
<link rel="stylesheet" type="text/css" href="style-sign.css">
</head>

<body id="body-color">
    <div id="Sign-In">
        <fieldset style="width:30%"><legend>LOG-IN HERE</legend>
            <form method="POST" action="connectivity.php">
                User <br><input type="text" name="user" size="40"><br>
                Password <br><input type="password" name="password" size="40"><br>
                <input id="button" type="submit" name="submit" value="Log-In">
            </form>
        </fieldset>
    </div>
</body>

</html>

5 answers

solution1
 1 ACCPTED  2014-02-27 15:52:45

Try: 

 $query = mysql_query("SELECT * FROM Customer WHERE userName = '{$_POST['user']}' AND password = '{$_POST['password']}'") or die(mysql_error());

Or to be safe: 

 $query = mysql_query("SELECT * FROM Customer WHERE userName = '" . mysql_real_escape_string($_POST['user']) . "' AND password = '" . mysql_real_escape_string($_POST['password'] . "'") or die(mysql_error());

Also i think you might want to use: 

$row = mysql_fetch_assoc($query);

Rather than: 

$row = mysql_fetch_array($query);

solution2
 1  2014-02-27 15:53:52

too many issues in your code,

1: you're wide open for sql injection because you're not sanitizing your variables.

2: you shouldn't still be using mysql_* as they are deprecated.

3: try your query like this: 

mysql_query("SELECT * FROM Customer 
             WHERE userName = '".mysql_real_escape_string($_POST['user'])."' 
             AND password = '".mysql_real_escape_string($_POST['password'])."'");

4: Check your spelling, I spotted ENTERD which should be ENTERED

solution3
 1  2014-02-27 15:54:43

WARNING! WARNING!

Your code is vulnerable to injection. All I have to do is enter the username of my choice, and the password ' or '1 and it will let me in to anyone's account!

Use mysql_real_escape_string to escape the values and make them safe.

ALSO: You appear to be saving passwords as PLAINTEXT strings. This is bad. I mean really, really , really , REALLY bad. I cannot emphasize how monumentally bad this is. See the Hitchhiker's Guide on the size of the universe for an idea.

... Unless you're saving them in an encrypted format, and trying to access them as plaintext. That'll never work, you need to encrypt whatever the user inputs and see if it encrypts to the same thing.

solution4
 0  2014-02-27 15:50:49

Your SQL query string is using the literal value of $_POST[user], you should be concatenating the actual value of that into your String. And actually you should be escaping it to prevent SQL injection since this is posted from a client.

This thread explains injection: How can I prevent SQL injection in PHP?

solution5
 0  2014-02-27 15:53:42

Replace your SQL Statement with this: 

SELECT * FROM Customer WHERE userName = '$userName' AND password = '$password'

That's assuming you don't want to do any sort of sanitizing. If you do, change your first lines to: 

$userName = mysql_real_escape_string($_POST['user']);
$password = mysql_real_escape_string($_POST['password']);

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Redirect user to another page after login auth and if statement with PHP PDO PHP if statement use in login page PHP Login Page Error PHP login - detect user type with SQL Statement PHP Swift login page error CakePHP / PHP If Statement User Login Error / Issue - Both conditions are set true? Error in php login Form Using prepared Statement Redirect to the same page after user login PHP PHP multiple user level login page PHP: Returning a user to their original page after login
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM