Login form not working

When I submit my form, login_form.php shows up blank. Can someone spot my mistake with my coding?

login.html

[code]

Login

Login

Username :

Password:

Login

[/code]

login_form.php
[php]<?php
//check for required fields from the form
if ((!isset($_POST['username'])) || (!isset($_POST['password']))) {
header("Location: login.html");
exit;
}

//connect to server and select database
$mysqli = ('localhost', 'xxx', 'xxx', 'phpsols')
or die(mysql_error());

//use mysqli_real_escape_string to clean the input
$username = mysqli_real_escape_string($mysqli, $_POST['username']);
$password = mysqli_real_escape_string($mysqli, $_POST['password']);

//create and issue the query
$sql = "SELECT f_name, l_name FROM users WHERE
username = '".$username."' AND
password = PASSWORD('".$password."')";

$result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

//get the number of rows in the result set; should be 1 if a match
if (mysqli_num_rows($result) == 1) {

//if authorized, get the values of f_name l_name
while ($info = mysqli_fetch_array($result)) {
     $f_name = stripslashes($info['f_name']);
     $l_name = stripslashes($info['l_name']);
}

//set authorization cookie
setcookie("auth", "1", 0, "/", "domain.com", 0);

//create display string
$display_block = "
<p>".$f_name." ".$l_name." is authorized!</p>
<p>Authorized Users' Menu:</p>
<ul>
<li><a href=\"list.php\">list page</a></li>
</ul>";

} else {
//redirect back to login form if not authorized
header("Location: login.html");
exit;
}

//close connection to MySQL
mysqli_close($mysqli);
?>

User Login <?php echo $display_block; ?> [/php]

To display error messages caused by your PHP script you can include these lines of code:

ini_set('display_errors',1);
error_reporting(E_ALL);

Since you're using mysqli, you might as well use prepared statements. The script below should work with some modifications to it, and I would definitely look into using a password hashing library (not your own). I think I provided a link to one if you're not using PHP 5.5.

[php]// A nice password hashing library for PHP 5

// Find it here: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
// Read the Documentation for further help:

require 'includes/password.inc.php';

// $_SESSION is used further down, so the session has to be started first.
session_start();

// $mysqli is assumed to be an open mysqli connection created earlier.
if (isset($_POST['action']) && $_POST['action'] == 'login') {

$username = $_POST['username']; // Bind parameter:

/* This is where you setup your query */
$query = 'SELECT id,
username,
password,
DATE_FORMAT(date_added, "%e %M %Y") as date_added
FROM users
WHERE username = ?';
$stmt = $mysqli->prepare($query); // Prepare the query:

/* bind parameters for markers */
$stmt->bind_param("s", $username);

/* execute query */
$stmt->execute();

/* bind variables to prepared statement */
$stmt->bind_result($id, $name, $password, $date_added);

/* fetch values */
while ($stmt->fetch()) {

	  $row['id'] = $id;
	  $row['username'] = $name;
	  $row['password'] = $password;
	  $row['date_added'] = $date_added;

}

// This variable tells us whether the user has successfully logged in or not.
// We initialize it to false, assuming they have not.
// If we determine that they have entered the right details, then we switch it to true.

$login_ok = false;		

// Retrieve the user data from the database.  If $row is false, then the username
// they entered is not registered.

if(isset($row) && $row['username'] == $username)
{
	// Verify Stored Hashed Password:
	$result = password_verify($_POST['password'], $row['password']);

	/* If password matches user's database then proceed. */
	if ($result) {

		$login_ok = true;	

	} else {

		$errMsg = 'Invalid Credentials!';

	}

}

// If login is OK:
if ($login_ok) {

	// It's not wise to store the password in $_SESSION:
	unset($row['password']);

	// This stores the user's data into the session at the index 'user'.
	// We will check this index on the private members-only page to determine whether
	// or not the user is logged in.  We can also use it to retrieve
	// the user's details.

	$_SESSION['user'] = $row;
	// Redirect the user to the private members-only page.
	header("Location: login.php");
	exit();

}

} // end of the login action check[/php]

P.S. I don’t usually work in mysqli for I use PDO and a PDO tutorial is in my signature.
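
The first post's query compares against MySQL's PASSWORD(), while the reply above verifies with password_verify(), so rows written the old way will not verify as they stand. An added example (not code from either poster) of upgrading such rows at login; the function names are hypothetical and it assumes the 41-character PASSWORD() format of MySQL 4.1 and later.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+.

// Reproduces MySQL 4.1+ PASSWORD(): '*' followed by upper-case hex of SHA1(SHA1(plain)).
function legacy_mysql_password(string $plain): string
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the stored
// value should be replaced (legacy format, or outdated hash parameters).
function verify_and_upgrade(string $plain, string $stored): array
{
    $isLegacy = preg_match('/^\*[0-9A-F]{40}$/', $stored) === 1;

    $ok = $isLegacy
        ? hash_equals($stored, legacy_mysql_password($plain)) // constant-time compare
        : password_verify($plain, $stored);
    if (!$ok) {
        return [false, null];
    }
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($plain, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Constructed sample row: still holds the legacy hash of a made-up password.
$stored = legacy_mysql_password('s3cret-example');

// Correct password against the legacy row: a replacement hash is issued.
[$ok, $newHash] = verify_and_upgrade('s3cret-example', $stored);
var_dump($ok, password_verify('s3cret-example', $newHash));

// Wrong password against the same row: nothing to write back.
[$ok, $newHash] = verify_and_upgrade('wrong-guess', $stored);
var_dump($ok, $newHash);

// Once upgraded, the row goes through password_verify() only.
$upgraded = password_hash('s3cret-example', PASSWORD_DEFAULT);
var_dump(verify_and_upgrade('s3cret-example', $upgraded));

// On success with a non-null $newHash, store it with a prepared statement, e.g.
//   UPDATE users SET password = ? WHERE id = ?
```

A column sized for PASSWORD() output holds only 41 characters; the PHP manual recommends a 255-character column for password_hash() results.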

Since you're using mysqli you might as well use prepared statements

You should always use prepared statements. And the post above is a very good example of what you should be doing.

Well, girl, a lot of people will agree that PDO is what you should learn, but I prefer to help you solve your problem first and then suggest changing your code to another programming version.

So, first you need to debug your code. You need to see if you are getting the data typed into the form.
Make sure you are receiving the username and password correctly. You can display both of them just after
you grab them using: die("username=" . $username . "
password=" . $password);
This will kill your program displaying the data you grabbed after cleaning it up.

Then, manually check your database to verify that you have a user in your user's table.
That will tell you if it is a programming error or you just do not have that user in place.
die("username=" . $username . "
password=" . $password); (after line 14)
BUT, my guess is that it is your query. You are using some odd parm in the query…
password = PASSWORD('".$password."')";
What does your function PASSWORD do to the value? Since you did not show this part of your code,
it could be the problem. Therefore, to debug THAT, you really need to display these instead of the above:
die("username=" . $username . "
password=" . PASSWORD($password));
My guess is that whatever that function does in the included file is messing with your password values.

Hope that helps…

On another note regarding this line:

[php] //check for required fields from the form
if ((!isset($_POST['username'])) || (!isset($_POST['password']))) {
header("Location: login.html");
exit;
}[/php]

You should actually be checking if username and password are empty. When you submit the form, those fields will ALWAYS be set whether anything was entered or not. As is, you will be making a useless call to the database if no data was entered.

You can also clean this line up a little

[php]header("Location: login.html");
exit;[/php]

TO

[php]die(header("Location: login.html"));[/php]
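
To illustrate the isset-versus-empty point in the post above, an added example (not code from any poster) that runs a few constructed form submissions through both checks. The function name credentials_from_post is hypothetical; the code assumes PHP 7.1+.

```php
<?php
// Added example. Returns ['username' => ..., 'password' => ...], or null
// when the submission should be sent back to the form without a database call.
function credentials_from_post(array $post): ?array
{
    foreach (['username', 'password'] as $field) {
        // A field sent as username[]=x arrives as an array, so require a string.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    $username = trim($post['username']);
    $password = $post['password']; // passwords are compared exactly as typed

    // Compare with '' rather than empty(): empty('0') is true and would
    // reject a legitimate value of "0".
    if ($username === '' || $password === '') {
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

// Constructed submissions standing in for $_POST.
$samples = [
    'blank form'      => ['username' => '',      'password' => ''],
    'spaces only'     => ['username' => '   ',   'password' => 'x'],
    'array parameter' => ['username' => ['a'],   'password' => 'x'],
    'missing field'   => ['username' => 'alice'],
    'filled in'       => ['username' => 'alice', 'password' => 'correct horse'],
];

foreach ($samples as $label => $post) {
    $issetPasses = isset($post['username']) && isset($post['password']);
    $accepted    = credentials_from_post($post) !== null;
    printf(
        "%-16s isset check passes: %-3s  accepted: %s\n",
        $label,
        $issetPasses ? 'yes' : 'no',
        $accepted ? 'yes' : 'no'
    );
}
```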
