Login page seems to do nothing on submit

Hi all,

First post on here so please be gentle with me.

I am very new to this language so any help that could be offered in the most basic way with a little explanation of what each bit of code does would be amazing.

I have created a very basic registration form which puts data into my database. I am now wanting to create a log in form that uses that data to ‘log in’.

I have followed some online guides and done a bit of research and have created said log in code.

When I fill in the user name and password fields, and click the log in button, the fields empty and ‘nothing’ seems to happen.

I added an [php]or die[/php] to my code and I get the following message.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘‘user’ WHERE ‘user_name’ = ‘Adam’ and ‘password’ = ‘Hewitt’’ at line 1

I thought initially that it might have something to do with the quotes around certain bits of the code but after plenty of googling, I don’t seem to be able to fall over my answer.

The code that I have for my log in page is as follows.

[php]<?php
include('db_conn.php');
session_start();

if($_SERVER["REQUEST_METHOD"] == "POST"){
//username and password from log in form
$login_user_name = mysqli_real_escape_string($conn,$_POST['login_user_name']);
$login_password = mysqli_real_escape_string($conn,$_POST['login_password']);

$sql = "SELECT id FROM user WHERE 'user_name' = '$login_user_name' and 'password' = '$login_password'";
$result = mysqli_query($conn,$sql)
	or die("Error: ".mysqli_error($conn));
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = $row['active'];

$count = mysqli_num_rows($result);

//if result matched username and password, table row must be 1 row

if($count == 1) {
	$_SESSION['login_user'] = $login_user_name;
	header ("location: loggedin.php");
}else{
	$error = "Your Username or Password is Incorrect";
}
}

?>
[/php]

And this is what I have on my session page (not sure if that is relevant)

[php]<?php
include('db_conn.php');
session_start();

$user_check = $_SESSION['login_user'];
$session_sql = mysqli_query($conn,"Select user_name from user where user_name = $user_check");
$row = mysqli_fetch_array($session_sql,MYSQLI_ASSOC);
$login_session = $row['user_name'];

if(!isset($_SESSION['login_user'])){
header("location: index.php");
}

?>
[/php]

I would appreciate anyone offering suggestions as to where I may have gone wrong.

Thanks in advance

Adam

Take the quotes off the column names. Also, you never ever put variables in your query. You need to use prepared statements. NEVER EVER store plaintext passwords. You need to use password_hash and password_verify.

http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php

And stop outputting system errors to the user. That info is only good for programmers and hackers.

Now would be a good time to start using PDO. https://phpdelusions.net/pdo

Hi,

Thanks for your reply.

I am aware that there is much I have to learn so thanks for helping me out with some resources.

I have made the amendment that you suggested to the quotes (will look at the other stuff later)

I am now getting the following errors

Notice: Undefined index: active in /Users/adamhewitt/Sites/first/login.php on line 14
Warning: Cannot modify header information - headers already sent by (output started at /Users/adamhewitt/Sites/first/login.php:14) in /Users/adamhewitt/Sites/first/login.php on line 22

[php]<?php
include('db_conn.php');
session_start();

if($_SERVER["REQUEST_METHOD"] == "POST"){
//username and password from log in form
$login_user_name = mysqli_real_escape_string($conn,$_POST['login_user_name']);
$login_password = mysqli_real_escape_string($conn,$_POST['login_password']);

$sql = "SELECT id FROM user WHERE user_name = '$login_user_name' and password = '$login_password'";
$result = mysqli_query($conn,$sql)
	or die("Error: ".mysqli_error($conn));
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = $row['active'];

$count = mysqli_num_rows($result);

//if result matched username and password, table row must be 1 row

if($count == 1) {
	$_SESSION['login_user'] = $login_user_name;
	header ("location: loggedin.php");
}else{
	$error = "Your Username or Password is Incorrect";
}
}

?>
[/php]
Again any help would be appreciated.

Thanks Again
Adam

Move session_start(); to line 2. Turn on error reporting and then tell me what error you get. Your query is failing.

Hi Kevin,

Forgive my incompetence here.

I have moved session_start to line 2 above the include and checked my php settings and error reporting is turned on.

I am still getting the same error that I was getting before on my page

You’re off in the wrong direction in the first place. Hash your passwords using password_hash and start with this code.

[php]<?php
require('…/config.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
//------------------------------------------------------------------------------------
// Validate Form Input
//------------------------------------------------------------------------------------

$error = [];

if (empty($_POST['username']))
    {
    $error['username'] = 'Username Required.';
    }
if (empty($_POST['password']))
    {
    $error['password'] = 'Password Required.';
    }

//------------------------------------------------------------------------------------
// Display Errors
//------------------------------------------------------------------------------------

if (!empty($error))
    {
    // Handle Errors
    }
else
    {
    $sql  = "SELECT username, password FROM users WHERE username = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        $_POST['username']
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Username didn't match, Redirect.
    if (!$row)
        {
        die(header("Location: {$_SERVER['SCRIPT_NAME']}?failed_login"));
        }

    //--------------------------------------------------------------------------------
    // Compare the password to the expected hash.
    //--------------------------------------------------------------------------------

    // Password is good
    if (password_verify($_POST['password'], $row['password']))
        {
        //----------------------------------------------------------------------------
        // Set Session Variables
        //----------------------------------------------------------------------------

        session_start();

        // The query selects the column "username", so read that key from $row
        $_SESSION['user_name']  = $row['username'];

        die(header("Location: ./index.php"));
        } // End if password_verify
    else
        {
        die(header("Location: {$_SERVER['SCRIPT_NAME']}?failed_login"));
        }
    } // End Else
} // End if Post

// ---------------------------------------------------------------------------------------
// Display Form
// ---------------------------------------------------------------------------------------
?>

Username
<?php if (!empty($error['username'])): ?> <?= $error['username'] ?> <?php endif; ?>
Password
<?php if (!empty($error['password'])): ?> <?= $error['password'] ?> <?php endif;?>
Sign In Forgot Password | Register
[/php]
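The registration side that the login code above depends on, together with the prepared-statement and password_hash/password_verify advice from the first reply, as an added example that is not part of the original thread. It assumes the pdo_sqlite extension and an in-memory database so it runs offline; the function names `register_user` and `check_login` are hypothetical, and the `users` table with `username` and `password` columns follows the query in the post above.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension so it
// runs offline; with the thread's setup $pdo would come from config.php (MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// Registration: hash once, store only the hash, bind every value as a parameter.
function register_user(PDO $pdo, string $username, string $plain): bool
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // detail goes to the log, not to the browser
        return false;                // e.g. the username is already taken
    }
}

// Login: look the row up by username only, then let password_verify() compare.
function check_login(PDO $pdo, string $username, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($plain, $row['password'])) {
        return false;
    }
    // Re-hash on successful login if PHP's default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed sample data.
var_dump(register_user($pdo, 'adam', 'correct horse battery staple'));
var_dump(register_user($pdo, 'adam', 'another password')); // same username again
var_dump(register_user($pdo, "o'neil", 's3cond user'));    // quote is bound as data
var_dump(check_login($pdo, 'adam', 'correct horse battery staple'));
var_dump(check_login($pdo, 'adam', 'wrong guess'));
```

On MySQL, make the `password` column `VARCHAR(255)` so that hashes from future `PASSWORD_DEFAULT` algorithms still fit.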

Hi Kevin,

Thanks for this help, it is greatly appreciated.

This is my first ever php project so you will have to forgive my lack of knowledge.

I assume that what you have sent me there is a well laid out log in form.

I don't currently have a config.php; what lives in there?

PS if you know of any good resources that will take me through the process of building a log in and registration system that would be amazing. I have done a lot of googling but as you have commented, they are taking me down the wrong path. Your knowledge on this would be appreciated.

Thanks

The PDO database connection would be in the config file.

Start with this to get up and working.

[php]<?php

$hostdb = 'localhost';
$dbname = 'YOURDBNAME';
$username = 'root';
$password = '';
$table = 'YOURTABLE';

$pdo = new PDO("mysql:host=$hostdb;dbname=$dbname", $username, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$sql  = "SELECT * FROM $table";
$stmt = $pdo->prepare($sql);
$stmt->execute();

$result = $stmt->fetchAll();

echo '<pre>';
print_r($result);
echo '</pre>';

?>[/php]

Thanks for this, I'll have a look into it

It’s not that the query is failing, it’s that he isn’t requesting it to begin with.

OP, don’t do shit like this:
[php]$sql = "SELECT * FROM $table";[/php]

It isn’t needed when you are just defining the values anyway. If you want to abstract database stuff, use a real ORM like Doctrine.

Yeah, what he said. That was just to make it easier to get you going. You never want to use variables in your query in practice.

use
ob_start();

immediately after your <?php
and

ob_end_flush();

immediately before closing
?>

And why would that be a good idea?

This function will turn output buffering on. While output buffering is active no output is sent from the script (other than headers), instead the output is stored in an internal buffer.

I know what it does, but how does that fix a SQL error?
