stackoom
  简体   繁体   中英

PHP login works with wrong username and password

 原文  2016-08-31 17:23:34       php/ mysql/ login

Question

I'm having a very annoying problem with a very simple PHP login script. The problem is that the login works even with wrong username and/or password. I'm running it in XAMPP 7.0.8 for Linux. By the way, the table "users" of the database "login" has only one row.

I've been trying to understand how these kind of scripts work, so I tried with the most basic kind of login I could. But it keeps being a mystery to me, by now I've never could make it work it out.

Here is the PHP part: 

<?php

    session_start();

    if(isset($_POST['login'])) {


        $db = mysqli_connect("localhost", "root", "", "login");

        $username = strip_tags($_POST['username']);
        $password = strip_tags($_POST['password']);

        $username = stripcslashes($username);
        $password = stripcslashes($password);

        $username = mysqli_real_escape_string($username);
        $password = mysqli_real_escape_string($password);

        $sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
        $query = mysqli_query($db, $sql);
        $row = mysqli_fetch_array($query);
        $id = $row['id'];
        $db_password = $row['password'];

        if($password == $db_password){
            $_SESSION['username'] = $username;
            $_SESSION['id'] = $id;
            header("Location: index.php");
        } else {
            echo "Error: the information is not correct.";
        }


    }
?>

And here the HTML form: 

<!DOCTYPE html>
    <html lang="es">
    <head>
        <meta charset="UTF-8">
        <title>Client's area</title>
    </head>
    <body>
            <form method="post" action="">
                    <input type="text" name="username">
                    <input type="password" name="password">
                    <input class="login" type="submit" name="login" value="Login">
            </form>
    </body>
    </html>

Edit : the idea of this post was never trying to make a secure login script, it was intended to understand some PHP features. I recognize it's not safe to use any part of this code for an actual login project.

2 answers

solution1
 0  2016-08-31 17:35:13

The problem is you are setting the $row variable directly even if it fails. This sets the $db_password to '' and the password should be ''. Hence it passes.

change the $row command to this 

if ($row = mysqli_fetc_array($query) {

and add a } to the 3rd line from the bottom (the blank spot) and add your 'failure message' there as well

solution2
 0 ACCPTED  2016-08-31 19:10:06

You can use a simple query 

$sql = "SELECT * FROM users WHERE username = '$username' and password= '$password'";
 $query = mysqli_query($db, $sql);
if(mysqli_num_rows($query) > 0)
{
  //Records matched process further
  $_SESSION['username'] = $username;
  $_SESSION['id'] = $id;
  header("Location: index.php");
  exit();
 } else {
   //Record not found throw error
   echo "Error: the information is not correct.";
 }

Hope this helps

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Php login error password or username wrong PHP Session Login return wrong username and password Every entered username and password works in PHP login PHP login with wrong password still works PHP Login with Username/Password PHP login script redirects even when wrong username and password are provided PHP Login Script always prints “wrong username or password” Username/Password Login Trouble with PHP Login success when giving wrong username and password Adding toast in login when password or username is wrong
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM