Every entered username and password works in PHP login

Question

I have a problem in my php code. I want to make login system which takes username and password from database. I almost made everything work. But there is one problem.. When you enter name and password/ doesn't matter what, even random/ it logs me in and redirects me to the place i want. How to fix that and make it use only right username and password from database ? I will import my login code file here. Thanks in advance, sorry for my English.

    <?php

include 'dbh.php';

$uid = $_POST['uid'];
$pwd = $_POST['uid'];

$query = "SELECT * FROM user WHERE uid='$uid' AND pwd='$pwd'";
$result = mysqli_query($conn, $query);

if ($result = mysqli_query($conn, $query))
{
     while ($row = mysqli_fetch_assoc($result))
     {
          printf("Login success\n");
     }

    // If the while loop fails, password/username combo was incorrect
    printf("Login failed - Invalid username or password.");
} else {
     printf("Login failed, could not query the database.\n");
}


header("Location: panel.php");

?>    

Answer 1

Use mysqli_num_rows

$sql="SELECT * FROM user WHERE uid='$uid' AND pwd='$pwd'";

if ($result=mysqli_query($con,$sql))
  {
     if (mysqli_num_rows($result)!=0) { 
        printf("Login success\n");
     }else{
        printf("Login failed - Invalid username or password.");
    }
     mysqli_free_result($result);
  }

Answer 2

First of all, you are WIDE OPEN to SQL Injection, you will want to update that. Its covered in tons of other places, look it up.

But to fix your issue, You are redirecting regardless of your checks. Move this to your while loop:

while ($row = mysqli_fetch_assoc($result))
 {
      printf("Login success\n");
      header("Location: panel.php");
 }

Having that at the bottom means it gets fired no matter what.

Answer 3

Try this

<?php 

    function Db(){
        $host     = "localhost";   // your db settings
        $username = "yourusername";
        $password = "yourpass";
        $db       = "users";

        $conn = new mysqli($host, $username, $password, $db); 
        // use mysqli instead mysql_connect, it is outdated I guess

        if(!$conn){
            die("Could not connect");
        }
    }

    if(isset($_POST['login'])){

        $uid = trim($_POST['username']);
        $pwd = trim($_POST['password']);

        if($uid  == ""){
            $err[] = "Username is missing.";
        }elseif($pwd == ""){
            $err[] = "Password is missing.";
        }else{  // When validation succeed then make query.
            $db  = Db();
            $uid = $db->real_escape_string($uid); // escape strings from mysql injection
            $pwd = $db->real_escape_string($pwd);
            $sql = "SELECT * FROM users 
                    WHERE  username  = '$uid' 
                    AND    password  = '$pwd'";
            $result = $db->query($sql);

            if($result->num_rows == 1){
                header("location:panel.php"); // login succeed
            }else{
                $err[] = "Username or password are incorrect";
                header("location:login.php"); // login failed
            }
        }

    }
    ?>

    <?php
        if(isset($err)):
            foreach($err as $loginErr):
                echo $loginErr;  // Print login errors.
            endforeach;
        endif;
    ?>


    <!-- HTML login form goes here -->