stackoom
  简体   繁体   中英

Compare username and password during login using PHP

 原文  2012-09-26 08:07:59       php/ cakephp

Question

Suppose that I have PHP code as below: 

<form action="index.php" method="post" id="myform">
     <tr>
        <td>User Name </td>
        <td><input type="text" name="text_username" placeholder="your username here" class="validate[required]"/></td>
     </tr>
      <tr>
        <td>Pass Word </td>
        <td><input type="password" name="text_password" placeholder="your password here" class="validate[required]" /></td>
     </tr>
     <?php 
            $userPass = array();
            $userName = array();
            $userID = array();
            include ('include/connectdb.php');
            if(isset($_POST['tbn_submit'])){
                $query = mysql_query("SELECT * FROM tblusers");
                $username = $_POST['text_username'];
                $password = $_POST['text_password'];

                 while($value= mysql_fetch_array($query)){ 
                            $userPass = $value['user_password'];
                            $userName = $value['user_username'];
                            $userID = $value['user_id'];
                                if($username == $userName && $password == $userPass){
                                     header("location:DataInfo.php?uid=".$userID);
                                   }
                                 else if($username != $userName && $password == $userPass) {
                                    echo'<tr><td colspan="2"><center><b style="color:red;">Invalide username or password, please check again!   </b></center></td></tr>';             
                                    }
                }
             }      
    ?>
     <tr>
        <td></td>
        <td><input type="submit" name="tbn_submit" class="btn btn-success" value="Login"/><input type="reset" class="btn btn-warning" value="Cancel"/></td>
     </tr>
     </form>

The Problems:

When I use wrong username and password it shows me the repeat messages Invalide username or password, please check again! so many time I do not want like this.How do I fix this.Anyone help me please, Thanks

5 answers

solution1
 1  2012-09-26 08:13:02

This is so wrong, First,

Why do you check for password and login match IN php ? You can just make a query like : 

SELECT * FROM tblusers WHERE username = *username* AND password = *password*

If the query return a result, the user can be logged in, else, error message.

Then, The problem with your code is that you compare all the user database with a login and a password. If the pass/login match, you redirect the user to another page, but else, you display an error message. THE PROBLEM IS THAT THE SCRIPT DON'T STOP WHEN IT DOESN'T MATCH !

so each time username / pass are false, it'll display an error message, and for each column of your user database.

If you get this working, i suggest you to use sha1 so people can't read passwords in plain text ...

Just store the passwords with sha1($password) and compare them with sha1() .

solution2
 1  2012-09-26 08:13:23

You problem is probably your query: 

mysql_query("SELECT * FROM tblusers");

You are selecting ALL users from the table and then iterating over them. Instead you wanna select by username and then compare password: 

mysql_query("SELECT * FROM tblusers WHERE user_username = ".$_POST['text_username']);

You will probably want to add password to that query as well.

Of course this is wide open to security problems and problems and what not and you should probably look into PDO and MySQLi instead.

As a last note, it is always good to do passwords the right way in PHP: How do you use bcrypt for hashing passwords in PHP?

solution3
 1  2012-09-26 08:14:33

In your code you query for all known users, and chek for each, if username and password are equal. This is unnecessary slow, there is no need to get all users from the database, just search for the user with the given username.

It's not a good idea to store the password plain text in the database, you should use a hash function like BCrypt and store only the hashed password in the database.

Then i would recommend to switch to mysqli or PDO, instead of the mysql_* functions. The mysql functions are deprecated.

solution4
 1 ACCPTED  2012-09-26 08:21:55

The output that you are getting obvious from your code. What you are doing are:

  1. Fetching all records from user table (tblusers)

    mysql_query("SELECT * FROM tblusers");

  2. Then you are looping each record

    while($value= mysql_fetch_array($query))

So, if table tblusers has 1000 records, you will get the message 1000 times.

You should rewrite it to something like: 

include ('include/connectdb.php');
if(isset($_POST['tbn_submit'])){
  $username = $_POST['text_username'];
  $password = $_POST['text_password'];
  $query = mysql_query("SELECT * FROM tblusers WHERE username = $userName AND password = $userPass");

  if(mysql_num_rows($query)){
    $user = mysql_fetch_assoc($query)
    header("location:DataInfo.php?uid=".$user['user_id']);
  } else {
    echo '<tr><td colspan="2"><center><b style="color:red;">Invalide username or password, please check again!   </b></center></td></tr>';             
  }
}

Please note following issues:

  • Variables $userName and $userPass are not escaped here, please do that in your code. You can look at here . Otherwise you may be putting yourself in risk!
  • You need to fix the markup in else { } block.
  • There are other improvements possible in the shown code/logic. I just gave you the idea!
  • Also looks time, you've stored plain text password in your database which you must not! At least use mysql's native password() function!

solution5
 0  2014-06-22 11:12:37

<html>

<h1 align="center">LOGIN PAGE</h1>
<br>
<?php
if(isset($_POST['submit']))
{
$uname=$_POST['$uname'];
$pname=$_POST['$pname'];
echo $uname;
}
?>
<body>
<form action="nexts.php" method="GET">
<table border=1 align=center>
<tr>
<th>USERNAME<th>
<input type="text" name="uname">
</tr>
<tr>
<th>PASSWORD<th>
<input type="password" name="pname">
<br>
<input type="submit" name="submit" value="submit">
</tr>
</html>`<html>

<h1 align="center">LOGIN PAGE</h1>
<br>
<?php
if(isset($_POST['submit']))
{
$uname=$_POST['$uname'];
$pname=$_POST['$pname'];
echo $uname;
}
?>
<body>
<form action="nexts.php" method="GET">
<table border=1 align=center>
<tr>
<th>USERNAME<th>
<input type="text" name="uname">
</tr>
<tr>
<th>PASSWORD<th>
<input type="password" name="pname">
<br>
<input type="submit" name="submit" value="submit">
</tr>
</html>

------------------------------------------------

nexts.php
----------------------------

<?php
include_once('connections.php');
?>

<?php

if(isset($_GET['submit']))
{

$uname = $_GET['uname'];
$pname = $_GET['pname'];


$query = mysql_query("SELECT * FROM dayz");
while($value= mysql_fetch_array($query))
{ 
$varuname = $value['uname'];
$varpname = $value['pname'];

if($varuname == $uname && $varpname == $pname)
{
echo "login successful";
}
else if($varuname != $uname && $varpname == $pname) 
{
echo "Invalide username or password, please check again!";             
}
}
}     

?>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Php login “Invalid username and password” using mysql login into website using the username and password in php curl PHP Login with Username/Password Username/Password Login Trouble with PHP Use array in PHP to compare username/password Every entered username and password works in PHP login Php login error password or username wrong PHP Session Login return wrong username and password PHP ftp_login() not accepting username and password PHP PDO login Username and Password not found
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM