0

Hello.
This is my CMS login page; login.php:

<?php
$servername = "localhost";
$dbname = "mydbname";
$dbusername = "mydbusername";
$dbpassword = "mydbpassword";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $dbusername, $dbpassword);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $username = $_POST['username'];
    $password = $_POST['password'];
    $password = md5($password);

    $sql = "SELECT * FROM Users WHERE Username = '$username";
    $result = $conn->query($sql);

    if $password == $result {
        header("Location: admin-area.php");
    }



    $conn->exec($sql);
    }
catch(PDOException $e)
    {
    echo $sql . "<br>" . $e->getMessage();
    }

$conn = null;
?>



<html>
<head>
    <title>Login Page</title>
</head>
<body>
<form action="admin-area.php" method="post">
Username: <input type="text" name="username"><br>
Password : <input type="text" name="password"><br>
<input type="submit" value="submit">
</form>
</body>

But when I type the complete URL of the login.php page in the browser, I get a blank page without the login form. Where is the problem?!

0

Is this if part correct?

 if $password == $result {
header("Location: admin-area.php");
}

I want the script to check the hash string of the password that the user enters against the hash string of the password that the user inserted into the table with the register form before.

1

Important to note:

You've got $result containing the query results for an entire row that matches the username, not the password.

Also, avoid md5() at all costs, you need to be using another encryption method (since md5 is old, outdated and insecure). Look at the PHP hash() function.

1

No, you need parentheses around the condition check, like this:

if ($password == $result) {

Also, I'm not too skilled at security, but I think you're going to want a check to make sure that the POST vars came from your page -- you can do this by adding a name to the submit button and a value, then check for that value on submit, like this:

<input type="submit" value="submit" name="submitBtn">

and then, at the top:

if ($_POST['submitBtn'] == 'submit') {
    loginFunction();
}

or similar. Also, consider putting your login processing in a separate .php file, called processor.php, for example, and then send them to a separate page once they've logged in, something like this (very pseudo):

<form action="processor.php" etc>
then
processor.php:
check login, password, etc,
if correct:
header("Location:landingpage.php")
if incorrect:
header("Location:loginpage.php?error=badlogin")

Then your login page can have an error GET check at the beginning that can echo out the error and allow them to try again. Remember that, to do this, you're going to have to set a session variable to show they are logged in correctly, otherwise the landingpage won't know who it is and you'll want that page to verify that the person is logged in and hasn't just typed in the right address to enter the member's area. Does that make sense?

When/if you get time, consider switching to OOP in PHP -- I find it much more structured and organized. I'll be back in a bit if you have further questions.
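
An added example, not part of the original reply: a per-session token is one way to tie a POST to a form your own page served, and a session flag is what the landing page checks before showing anything. The helper names, the auth.php file name and the session keys csrf and user_id are assumptions; the page names follow the reply's sketch.

```php
<?php
// auth.php (hypothetical file name): helpers shared by loginpage.php,
// processor.php and landingpage.php. Added example, not code from the thread.

function start_secure_session(): void {
    // Add 'secure' => true once the site is served over HTTPS.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Returns the token for this session, creating it on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// True only when the POST carries the token stored in this session.
function csrf_ok(): bool {
    $sent = $_POST['csrf'] ?? '';
    return is_string($sent)
        && !empty($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $sent);
}

// Call at the top of every members-only page.
function require_login(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: loginpage.php?error=notloggedin');
        exit;
    }
}

// loginpage.php, inside the <form>:
//   start_secure_session();
//   echo '<input type="hidden" name="csrf" value="'
//      . htmlspecialchars(csrf_token()) . '">';
//
// processor.php, before touching the database:
//   start_secure_session();
//   if (!csrf_ok()) { http_response_code(400); exit; }
//
// landingpage.php, first lines:
//   start_secure_session();
//   require_login();
```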

1

Modified the code a little to work:
1. Supporting @Niloofar24's comment on line 18.
2. Added an if-else condition to process only if the form is posted, else just display the form.
3. The comparison if ($password == $result) { is used before the query is executed.
4. The queried result from the 'Users' table will be all columns, as you select all in your query, therefore the comparison in if ($password == $result) { will have to be reviewed.

<?php
if(isset($_POST['submit'])){
    $servername = "localhost";
    $dbname = "mydbname";
    $dbusername = "mydbusername";
    $dbpassword = "mydbpassword";

    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $dbusername, $dbpassword);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $username = $_POST['username'];
        $password = $_POST['password'];
        $password = md5($password);

        $sql = "SELECT * FROM Users WHERE Username = '$username";
        $result = $conn->query($sql);

        if ($password == $result) {
            header("Location: admin-area.php");
        }

        $conn->exec($sql);
    } catch(PDOException $e) {
        echo $sql . "<br>" . $e->getMessage();
    }

    $conn = null;
}
?>

<html>
<head>
    <title>Login Page</title>
</head>
<body>
<form action="admin-area.php" method="post">
Username: <input type="text" name="username"><br>
Password : <input type="text" name="password"><br>
<input type="submit" value="submit">
</form>
</body>
0

@lps, I copied your code and pasted it, but there is a problem. If I enter a wrong password, it logs in to admin-area.php! And if I enter a wrong username, it again enters admin-area.php!
But it should log in only if the username and password are both correct.

Edited by Niloofar24

1

Have you read my comments? The queried result from the 'Users' table will be all columns, as you select all in your query, therefore the comparison in if ($password == $result) { will have to be reviewed again.

You can probably get the result and, if the result is not empty, compare the password in the result to your $password.

And please do understand the code rather than copying and pasting it.

Edited by lps

0

Yes, you are right, I just copied and pasted the code to see if it works well and the problem is solved, and then focus on the code to understand it well. (And that is because I'm in a hurry to solve this problem and complete the creation of my primary version of the CMS today, I know it's not correct.)

Is it possible to help me with this more, please? I didn't understand the main problem here, can you please tell me what I should do for this part and make it clearer for me, please? I just need a hint to understand the way. Thank you. (It seems I didn't get the exact problem with the code.)

The queried result from the 'Users' table will be all columns, as you select all in your query, therefore the comparison in if ($password == $result) { will have to be reviewed again.

Edited by Niloofar24

1

Okie, for the problem, as you select all from 'Users' table, so I don't really know the detail structure of your 'Users' table. But you can try use this:

if(count($result) > 0) {
    foreach($result as $row) {
        print_r($row); 
    }
}

With this, you are able to see the data in $row, and the data you need to compare to your $password. From my understanding, it is probably the $row['password'] field.

Edited by lps

0

The User table has 3 columns, ID, Username and Password.

Well, I still need more explanation to understand it well.
These two lines get the password of the $username and put it into $result, am I right?! Correct?!

        $sql = "SELECT * FROM Users WHERE Username = '$username";
        $result = $conn->query($sql);

The part you gave me in 5 lines checks to see if the $result value is not empty with count() > 0, correct? And then print the row will print the password, right?

If not, please explain your 5 lines of code for me, thank you. I want to understand each line exactly and very well.

I thought I should put those 5 lines before my if part and change this if ($password == $result) { to this if ($password == $row) { , but I faced a blank page. Why? What was the reason?
It seems I didn't understand SQL well.

(Thank you for your explanation and answers)

Edited by Niloofar24

1

From your code, SELECT * FROM Users WHERE Username = '$username', it will select all columns from your table, which are ID, Username and Password. If you wish for the password only, then the query can be changed to SELECT Password FROM Users WHERE Username = '$username'

The part if(count($result) > 0) will check if the username entered can select any data from the database; if it is false, it means the username entered does not exist in the 'Users' table.

The foreach is not mandatory code that you need, but I am adding it in order for you to see the things selected from the database. But if you have made sure the username is unique in the database, then you probably will only have to change the if ($password == $result) into if ($password == $row['password']), which means the code will be like:

if(count($result) > 0) {
    if ($password == $row['Password']){
        header("Location: admin-area.php");
    }else{
        echo "Password incorrect!";
    }
}else{
    echo "Username incorrect!";
}

Edited by lps

1

Sorry, the $row is not defined in the previously attached code:

if(count($result) > 0) {
    foreach($result as $row) {
        if ($password == $row['Password']){
            header("Location: admin-area.php");
        }
    }
    echo "Password incorrect!";
}else{
    echo "Username incorrect!";
}

Edited by lps

0

I understood, so the code must be like this:
(But then why do I still face a blank page?)

<?php
if(isset($_POST['submit'])){
    $servername = "localhost";
    $dbname = "mydbname";
    $dbusername = "mydbusername";
    $dbpassword = "mydbpassword";

    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $dbusername, $dbpassword);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $username = $_POST['username'];
        $password = $_POST['password'];
        $password = md5($password);

        $sql = "SELECT Password FROM Users WHERE Username = '$username";
        $result = $conn->query($sql);
    }

        if(count($result) > 0) {
            if ($password == $row['Password']){
                header("Location: admin-area.php");
            }else{
                echo "Password incorrect!";
            }
        }else{
            echo "Username incorrect!";
        }

        $conn->exec($sql);
    } catch(PDOException $e) {
        echo $sql . "<br>" . $e->getMessage();
    }

    $conn = null;
}
?>
<html>
<head>
    <title>Login Page</title>
</head>
<body>
<form action="admin-area.php" method="post">
Username: <input type="text" name="username"><br>
Password : <input type="text" name="password"><br>
<input type="submit" value="submit">
</form>
</body>
1

You forgot the foreach loop. If the loop is missing, the $row cannot be used, as it is not defined and not set to any value. Gave up on leading. I will just give a working set I modified based on your code.

<?php
if(isset($_POST['username'])){
    $servername = "localhost";
    $dbname = "test";
    $dbusername = "root";
    $dbpassword = "";
    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $dbusername, $dbpassword);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $username = $_POST['username'];
        $password = $_POST['password'];
        $password = md5($password);
        $sql = "SELECT Password FROM Users WHERE Username = '$username'";
        $result = $conn->query($sql);

        if ($result->rowCount() > 0){
            foreach($result as $row) {
                if ($password == $row['Password']){
                    echo "Password correct!";
                    //header("Location: admin-area.php");
                }
            }
            echo "Password incorrect!";
        }else{
            echo "Username incorrect!";
        }
    } catch(PDOException $e) {
        echo $sql . "<br>" . $e->getMessage();
    }
    $conn = null;
}
?>
<html>
<head>
    <title>Login Page</title>
</head>
<body>
<form method="post">
Username: <input type="text" name="username"><br>
Password : <input type="text" name="password"><br>
<input type="submit" value="submit">
</form>
</body>

Edited by lps
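
An added example, not lps's code and not part of the thread: the same single-file login written with a prepared statement instead of building the SQL string from $_POST, password_verify() instead of comparing md5() strings, and an exit after the redirect so nothing prints afterwards. It assumes the Password column holds password_hash() output written by the register form (a wide column such as VARCHAR(255)); the user_id session key is also an assumption.

```php
<?php
// Added example. Assumes Users(ID, Username, Password) where Password was
// stored with password_hash($plain, PASSWORD_DEFAULT) at registration.
session_start();
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if (!is_string($username) || !is_string($password)) { $username = $password = ''; }

    try {
        $conn = new PDO("mysql:host=localhost;dbname=mydbname;charset=utf8mb4",
                        "mydbusername", "mydbpassword");
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // The placeholder keeps the submitted username out of the SQL text.
        $stmt = $conn->prepare("SELECT ID, Password FROM Users WHERE Username = ?");
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user

        // password_verify() re-hashes with the salt stored in the hash itself.
        if ($row !== false && password_verify($password, $row['Password'])) {
            session_regenerate_id(true);         // new session id after login
            $_SESSION['user_id'] = $row['ID'];   // admin-area.php checks this
            header("Location: admin-area.php");
            exit;                                // nothing below runs or prints
        }
        $error = "Username or password incorrect.";
    } catch (PDOException $e) {
        error_log($e->getMessage());             // details go to the log only
        $error = "Login is unavailable right now.";
    }
}
?>
<html>
<head><title>Login Page</title></head>
<body>
<?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
<form method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="submit">
</form>
</body>
</html>
```

The single error message for both failure cases avoids telling a visitor which usernames exist.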

1

Have you changed the whole part? As you can see, 1st of all, I changed the action in the form so that it posted to own php but not admin-area.php, then I check for if(isset($_POST['username'])) to process only if the field named 'username' is being passed. Then I check if the query having result more than 0 and then check for the password.

0

Yessss!! It works:) Really thank you @lps for all explanation and answer.

The last problem was because of this part:

$servername = "localhost";
$dbname = "mydbname";
$dbusername = "mydbusername";
$dbpassword = "mydbpassword";

Instead of 4 spaces I set 8 spaces before each line.

0

Glad that I helped, so please do mark as 'solve' and don't forget to reopen the redirect function that I remarked.
