Php login page letting anyone log in

Hi,

I am new to PHP and I am wondering why my login page lets anyone log in, no matter what username and password they put in. It’s not checking usernames and passwords in my database first before letting the user sign in…

Have I missed something in my code?

[php]<?php

$output = NULL;

//IF USER SUBMITS FORM

if(isset($_POST['submit'])) {
	$username = $_POST['username'];
	$password = $_POST['password'];
	
	if(empty($username) || empty($password)) {
		
	$output = "Please do not leave any fields blank.";
	} else {
		
		//CONNECT TO DATABASE
		$dbhost = "localhost";
        $dbuser = "secret";
        $dbpass = "secret";
        $dbname = "zb4885_movieclub";

        $conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
        
        //test for any database connection errors
        if(mysqli_connect_errno()) {  
            die("Database connection failed: " . mysqli_connect_error() . " (" . mysqli_connect_errno() . ")"
                );
        }
		
		$username = $conn->real_escape_string($username);
		$password = $conn->real_escape_string($password);

        	$query = ("SELECT * FROM user WHERE Username = '$username' AND Password = '$password'")or die(mysql_error());
            
        
        $result = mysqli_query($conn, $query);
		
		///////////
		//Query successful
		 if ($result) {
			 
            session_start();
            $_SESSION['loggedin'] = TRUE;
			$_SESSION['user'] = $username;
			
		 $output = "Welcome " . $_SESSION['user'] . "!" . "<br><br>" . " <a href='addMovieForm.php'>Tell us which movie you want to see </a>" . "or <a href='index.php'> Continue browsing the site</a>" . "<br><br>" . "<button><a href='logout.php'>Log Out</a></button>";

}
else{
//Query Failure
$output = “Wrong username or password. Please try again.”;

 }
    }

}

if(!isset($_SESSION['loggedin'])) {
	
	//DISPLAY WELCOME GUEST/DISPLAY LOG IN FORM
	echo "<p>Please log in to add your favourite movie to our database, or <a href='index.php'>continue browsing.</a><p />";

	?>
	
	<!DOCTYPE html>
    
	<h2>Login</h2>
	<form method="POST">	
	  <p>Username: </p><input type = "text" name = "username" /> 
	  <p>Password: </p><input type = "password" name = "password" />
	  <br><br><br><br>
	  <input type = "submit" name = "submit" value = "Submit"/>
	  
	
	</form>


	</html>
	<?php
} else {
	
	//DISPLAY WELCOME 'USERNAME'/DISPLAY LOG OUT BUTTON
} 
echo $output;

?>
<!DOCTYPE html>
	<head>
        <style>button a{color:#000;}body{font-family:'Dosis', sans-serif;background-color:#D3D3D3;}</style>
	</head>
	</html>

[/php]

There are many problems with this code.

Checking for the name of a button to be submitted will completely fail in certain circumstances. You need to check the REQUEST type.

Do not create variables for nothing

Do not output internal system errors to the user. That information is only useful to hackers.

Do not ever use plain text passwords you need to use password_hash

Do not SELECT *. Specify the column names you want.

You are not using Mysqli correctly. I suggest you use PDO with prepared statements. https://phpdelusions.net/pdo

As to your problem, check what $result contains when you enter a bad username/password. It’s probably not what you think it should be.

I would also suggest put all the HTML on the bottom and the PHP on top (as much as possible). Putting the HTML form in the php is just silly if you ask me. What I do when I first start off is just write the HTML / CSS portion first that way you can get the look you desire. Then throwing in PHP comes second.

Here are the steps I take.

  1. HTML
  2. CSS
    3 PHP Validation of the User’s Data. This makes sure that everything as correct as it can be before going to the database table or what have you.
  3. User Verification (if it’s a login or registration … well basically a HTML Form (user’s input) ;D)
  4. Any Error messages outputted to the user

that is in addition to Kevin’s response.

Sponsor our Newsletter | Privacy Policy | Terms of Service