
comparing form input to the database

file.html

<div id="id00" class="login">
    <form class="modal-content animate" action="chat1.php" method="POST">
        <div class="cross">
            <span onclick="document.getElementById('id01').style.display='none'" class="close" title="Close Modal">&times;</span>
        </div>
        <div class="form">
            <label><b>Username</b></label>
            <input type="text" placeholder="Enter Username" name="username" required>
            <label><b>Password</b></label>     
            <input type="password" placeholder="Enter Password" name="password" required>
            <button type="submit">submit</button>
        </div>
    </form>
</div>

chat1.php

<?php
    ob_start();
    $username = "root";
    $password = "";
    $hostname = "localhost";
    $dbname = "login";
    $dbhandle = mysqli_connect($hostname, $username, $password, $dbname) or die("unable to connect to MySQL");
    if(isset($_POST["username"],$_POST["password"]))
    {
        $user = $_POST["username"];
        $pass = $_POST["password"];
        $result1 = mysqli_query("SELECT password FROM login WHERE username = '".$user."'");
        $result2 = mysqli_query("SELECT username FROM login WHERE password = '".$pass."'");
        if($user == $result2 && $pass == $result1)
        {
            $_SESSION["logged_in"] = true;
            $_SESSION["naam"] = $name;
        }
        else
        {
            echo "incorrect username/password";
        }
    }
?>

I need to check the username and password with the database and allow login. In my code it's always giving me incorrect. Can anyone help me out?

Please try this code

 <?php
        session_start();
        $username = "root";
        $password = "";
        $hostname = "localhost";
        $dbname = "login";
        $dbhandle = mysqli_connect($hostname, $username, $password, $dbname) or die("unable to connect to MySQL");
        // Default target, so header() below always has a value.
        $redirect = "yourfailureurl.php";
        if(isset($_POST["username"],$_POST["password"]))
        {
            $user = $_POST["username"];
            $pass = $_POST["password"];
            // mysqli_query() takes the connection as its first argument.
            // The query is still built by string concatenation.
            $result1 = mysqli_query($dbhandle, "SELECT username, password FROM login WHERE username = '".$user."' and password = '".$pass."'");
            if($result1 && mysqli_num_rows($result1))
            {
                // fetch_assoc, so the row can be indexed by column name.
                $result = mysqli_fetch_assoc($result1);
                $_SESSION["logged_in"] = true;
                $_SESSION["naam"] = $result['username'];
                $redirect = "yoursuccessurl.php";
            }
            else
            {
                $redirect = "yourfailureurl.php";
            }
        }

        header("location: ".$redirect);
    ?>

Note: all these codes are open to SQL injection.

You never select the username from the password, the reason being: many users can have the same password, and for security reasons passwords should be hashed and stored.

This line is a bad query.

  $result2 = mysqli_query("SELECT username FROM login WHERE password = '".$pass."'");

What you should do is

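 // Still concatenates $user into the SQL text; mysqli_query() needs the connection first.
 $result1 = mysqli_query($dbhandle, "SELECT password FROM login WHERE username = '".$user."'");
 // mysqli_query() returns a result object, so fetch the row before comparing.
 $row = $result1 ? mysqli_fetch_assoc($result1) : null;
if($row && $pass == $row["password"])
        {
            $_SESSION["logged_in"] = true;
            // $name was never defined; use the submitted username.
            $_SESSION["naam"] = $user;
        }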
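
Added example, not part of the question or of either answer above: the same login check with the two problems the second answer names addressed, using a prepared statement instead of concatenation and a hashed password instead of a plaintext comparison. It assumes the `password` column of the `login` table holds the output of `password_hash()`; the function name `check_login` is hypothetical, and the redirect URLs are the placeholders from the first answer.

```php
<?php
// Added example. Assumes rows were stored with
// password_hash($plain, PASSWORD_DEFAULT) in login.password.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/**
 * Returns the stored username when the credentials match, otherwise null.
 * (Hypothetical helper, not from the original page.)
 */
function check_login(mysqli $db, string $user, string $pass): ?string
{
    // The ? placeholder keeps $user out of the SQL text entirely,
    // so quotes in the input cannot change the query.
    $stmt = $db->prepare("SELECT username, password FROM login WHERE username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();

    // password_verify() hashes $pass with the salt embedded in $dbHash
    // and compares the result in constant time.
    if ($found && password_verify($pass, $dbHash)) {
        return $dbUser;
    }
    return null;
}

$dbhandle = new mysqli("localhost", "root", "", "login");
$redirect = "yourfailureurl.php";

// is_string() rejects array input such as username[]=x.
if (isset($_POST["username"], $_POST["password"])
    && is_string($_POST["username"]) && is_string($_POST["password"])) {
    $name = check_login($dbhandle, $_POST["username"], $_POST["password"]);
    if ($name !== null) {
        session_regenerate_id(true);   // issue a fresh session id on login
        $_SESSION["logged_in"] = true;
        $_SESSION["naam"] = $name;
        $redirect = "yoursuccessurl.php";
    }
}

header("Location: " . $redirect);
exit;
```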
