PHP Login Verification Issues

Hi,

I’m currently having an issue with validating my login script, it only appears that one part of it actually works!

I have a simple login form with a username and password field and login button.

At the moment if I enter nothing into the login form (nothing for both username and password), it logs in as an unregistered user with no ID and my error message is displayed.
If I enter an unregistered username with no password the same thing happens.
If I enter an unregistered username with a random password there is no log in which is good, but my error message is not displayed.
If I enter a registered username and password into the form, it logs in with the correct ID and no error message is displayed, which is good.
If I enter a random password with nothing in the username it does not log in which is good and the error message is displayed as it should.

How can I get it so that all of these login attempts are coded so that it always results in the last case if an unregistered user is entered and / or missing details are entered into the form?

Form and Validation Code

[php] <?php

		if ($_SESSION['loggedin'] == true){ 

			 echo "You are logged in as ";?><b><?php echo $_SESSION['username']?></b><?php echo "&nbsp;["; echo $_SESSION['id']; echo "]";  
			 
	?>			
             
     	<a href="logout.php">Logout</a>
        
    <?php
			
		}else{ 

			echo "<p><b>Login:</b></p>\n"; 
		
	?>
                            
        <form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
			<b>Username:</b> <input type="text" name="liusername"> 
		    <b>Password:</b> <input type="password" name="lipassword">
        	<input type="submit" name="lisubmit" value="Login">
  		</form>            
	
		<?php
		
			
			} 	
			if ($_SESSION['loggedin'] == true);
			if (empty($_POST) === false) {
				$username = $_POST['liusername'];
				$password = $_POST['lipassword'];
				
			
			

				if (empty($username) === true || empty($password) === true) {
					?><br /><font color="red"><?php echo 'ERROR: You need to enter a username and password!';

				}
			
			}
		?>[/php]

Login Code

[php]<?php

if (isset($_POST['lisubmit'])){
	
	$query = "SELECT user_id, user_password FROM user WHERE user_username = '".$_POST['liusername']."'";  // Select details from user table
	
	$result = mysql_query($query) or die(mysql_error());
	
	$row = mysql_fetch_array($result);
	
	if ($row['user_password'] == $_POST['lipassword']) {
		
		$_SESSION['loggedin'] = true;
		$_SESSION['id'] = $row['user_id'];		
		$_SESSION['username'] = $_POST['liusername'];
		
		
	} else {
		
		$_SESSION['loggedin'] = false;
		$_SESSION['id'] = 0;
	
}

}
[/php]

I’m still a newbie towards php so I’m not sure what/where to add or change as I don’t understand this validation thing very well?

How do I check that the user exists and how do I stop random user names that are not in the user table from logging in? Thanks.

Thank you in advance for any help

Do yourself a favor in learning to do it the right way the first time.

[size=14pt]mysql is Depreciated use mysqli or PDO[/size]

Use my login/registration tutorial that is in my signature below or if you don’t my tutorial :’( then Kevin Rubio and I think JimL, who are both regular posters here have tutorials here. An I am sure there is even other posts covering the same issue in the threads that can help you.

Mr Strider is right. You are off to the wrong start. First learn the basics and PDO (or Mysqli). You will move along faster if you start with the basics of PHP before you try to build a database application. There is a link to a PDO database in my sig that will get you up and running with PDO without having to know anything. You can play around with that and see one way of a few how PDO is structured. It is not a tutorial, just a basic working example of PDO.

Depreciated = Deprecated ;D

This should get you going.

[php]<?php
//Create the session
session_start();
//Ensure the default state of “loggedin” is false
$_SESSION[‘loggedin’] = false;

if (isset($_POST[‘liusername’])){ $usernameP = $_POST[‘liusername’]; }
if (isset($_POST[‘lipassword’])){ $passwordP = $_POST[‘lipassword’]; }
if (isset($_POST[‘lisubmit’])){ $submitP = $_POST[‘lisubmit’]; }

$query = “SELECT user_id, user_username, user_password FROM user WHERE user_username = $usernameP”;
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$id = $row[‘user_id’];
$username = $row[‘user_username’];
$password = $row[‘user_password’];

//Validation 1: Has the user entered a username and password?
if (($usernameP == ‘’) && ($passwordP == ‘’)){
echo ‘Sorry, but you must enter a username and password to continue.’;
} else {
//Validation 2: Does the username/password the user entered match details in the DB?
if (($username && $password) == ($usernameP && $passwordP)) {
$_SESSION[‘loggedin’] = true;
$_SESSION[‘id’] = $id;
$_SESSION[‘username’] = $username;
} else {
echo ‘Sorry, but the username and password you entered does not match our records. Please try again.’;
}
}
if ($_SESSION[‘loggedin’] == true){
echo “You are logged in as " . $username . " [” . $id . “]”;
?>

Logout

<?php } else { echo "

Login:

\n"; ?>

<form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <b>Username:</b> <input type="text" name="liusername">
    <b>Password:</b> <input type="password" name="lipassword">
    <input type="submit" name="lisubmit" value="Login">
</form>

<?php } ?>[/php]

Your code was all jumbled. And there were lots of markup errors. Compare yours with mine. It’s all in one file now, btw. Good luck and if you have any more problems, let me know.

PS: $usernameP is the $_POST data - $username is the value pulled from the database. The same goes for password. Btw, the reason you should use the username from the DB instead of the post value is that if you make a form for the user to have the ability to change their username, when they submit the form, the username will still be the same as the one they originally logged in with, not the username they had just changed to. Until they log out, it won’t change. So, you always pull values from the DB instead of $_POST / $_GET.

@awl19,

The database should be queried after you run Validation #1. If a blank form is submitted, the database should not be queried.

This:
[php]echo “You are logged in as " . $username . " [” . $id . “]”;

Can be:
echo “You are logged in as $username $id”;[/php]

How do you find out if the user inputted data matches records in the DB if it's not queried first?

Your validation #1 only checks if something is entered in the username AND password field of the form ONLY. If there is nothing entered, there is nothing to match against so no need to make a query.

[php] //Validation 1: Has the user entered a username and password?
if (($usernameP == ‘’) && ($passwordP == ‘’)){
echo ‘Sorry, but you must enter a username and password to continue.’;
} [/php]

This is checking if the form had anything entered. Has nothing to do with checking the database. You dont ask the database if nothing matches nothing

[php]<?php
//Create the session
session_start();
//Ensure the default state of “loggedin” is false
$_SESSION[‘loggedin’] = false;

if (isset($_POST[‘liusername’])){ $usernameP = $_POST[‘liusername’]; }
if (isset($_POST[‘lipassword’])){ $passwordP = $_POST[‘lipassword’]; }
if (isset($_POST[‘lisubmit’])){ $submitP = $_POST[‘lisubmit’]; }

//Validation 1: Has the user entered a username and password?
if (empty($usernameP) || empty($passwordP)){
echo ‘Sorry, but you must enter a username and password to continue.’;
} else {
$query = “SELECT user_id, user_username, user_password FROM user WHERE user_username = $usernameP”;
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$id = $row[‘user_id’];
$username = $row[‘user_username’];
$password = $row[‘user_password’];
//Validation 2: Does the username/password the user entered match details in the DB?
if (($username == $usernameP) && ($password == $passwordP)) {
$_SESSION[‘loggedin’] = true;
$_SESSION[‘id’] = $id;
} else {
echo ‘Sorry, but the username and password you entered does not match our records. Please try again.’;
}
}
if ($_SESSION[‘loggedin’] == true){
echo “You are logged in as $username ($id)”;
?>

Logout

<?php } else { echo "

Login:

\n"; ?>

<form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <b>Username:</b> <input type="text" name="liusername">
    <b>Password:</b> <input type="password" name="lipassword">
    <input type="submit" name="lisubmit" value="Login">
</form>

<?php } ?>[/php]

In this instance, running this code even without a database setup would reveal one of the first things that needs to be updated. As is, the first thing that happens is the user is greeted with an error message when they get to the page. “Sorry, but you must enter a username and password to continue.” Obviously, they should only see that if they submit the form without entering a username or password.

So what is missing is our check if the form has been submitted;

[php]if (!empty($_POST)){
// Now that we know form is submitted WITH something, we check for missing fields
// I personally dont do anything if they submit a completely blank form
}// Endif (!empty($_POST))[/php]

Now, we could go with a catchall error as is or we could output which field(s) are missing.

[php] $error = array();// Create empty error array. This is needed if there are no errors or we will get an error

if (empty($_POST['username']))
    {
    $error['username'] = 'Username Required.';
    }
if (empty($_POST['password']))
    {
    $error['password'] = 'Password Required.';
    }[/php]

Now we check our errors array and display our specific error message(s) to the user. (The following has other code for using bootstrap CSS)

[php] if ($result = count($error) > 0)
{
echo ‘

’ . PHP_EOL . PHP_EOL;
}[/php]

We now have data submitted for username and password. Now here is where we should be ready with PDO or Mysqli, but since we are not we need to use mysql_real_escape_string on the submitted data

[php] else
{
$username = mysql_real_escape_string($_POST[‘username’]);
$password = mysql_real_escape_string($_POST[‘password’]);
// Make query, get results

}[/php]

Lets go with valid credentials entered. We are now here

[php] if (($username == $usernameP) && ($password == $passwordP)) {
$_SESSION[‘loggedin’] = true;
$_SESSION[‘id’] = $id;
}
[/php]

Since $_SESSION[‘id’] is only going to be set if we have a valid login we dont need $_SESSION[‘loggedin’] = true;

We can just check for $_SESSION[‘id’]. This will not be needed either: $_SESSION[‘loggedin’] = false;

I would also set the username as a session so we can keep on using it.

[php] if (isset($_SESSION[‘id’]){
echo “You are logged in as {$_SESSION[‘username’]} {$_SESSION[‘id’]}”;
}
[/php]

One more change I would make is when we first use session_start();

We are are only setting sessions when we get a valid login so there is no point in using session_start() at the top of this specific example if we get invalid logins.

[php] if (($username == $usernameP) && ($password == $passwordP)) {
session_start();// Start sessions when we have a valid login
$_SESSION[‘loggedin’] = true;
$_SESSION[‘id’] = $id;
}
[/php]

*** @awl19 I see your making changes. I am following along…

This is about as in depth as I am going to get with deprecated code. If I have time I will post the PDO version of this.

[php]<?php
//Create the session
session_start();
//Ensure the default state of “loggedin” is false
$_SESSION[‘loggedin’] = false;

if (isset($_POST[‘liusername’])){ $usernameP = $_POST[‘liusername’]; }
if (isset($_POST[‘lipassword’])){ $passwordP = $_POST[‘lipassword’]; }
if (isset($_POST[‘lisubmit’])){ $submitP = $_POST[‘lisubmit’]; }

//Validation 1: Has the user submitted the form?
if (isset($submitP)) {
//Validation 2: Has the user entered a username/password?
if (empty($usernameP) || empty($passwordP)){
$error = ‘Sorry, but you must enter a username and password to continue.’;
} else {
$query = “SELECT user_id, user_username, user_password FROM user WHERE user_username = $usernameP”;
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$id = $row[‘user_id’];
$username = $row[‘user_username’];
$password = $row[‘user_password’];
//Validation 3: Does the username/password the user entered match records in the database?
if (($username == $usernameP) && ($password == $passwordP)) {
$_SESSION[‘loggedin’] = true;
$_SESSION[‘id’] = $id;
} else {
$error = ‘Sorry, but the username and password you entered does not match our records. Please try again.’;
}
}
}
if ($_SESSION[‘loggedin’] == true){
echo “You are logged in as $username ($id)”;
?>
Logout

<?php } else { echo "

Login:

\n"; ?>

<form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <b>Username:</b> <input type="text" name="liusername">
    <b>Password:</b> <input type="password" name="lipassword">
    <input type="submit" name="lisubmit" value="Login">
</form>

<?php if (isset($error)) { echo ""; } } ?>[/php]

[php]<?php
//Sanitize data
function sanitize($data) {
$data = trim($data);
$data = htmlspecialchars($data);
$data = mysql_real_escape_string($data);
return $data;
}

if (isset($_POST[‘liusername’])){ $usernameP = sanitize($_POST[‘liusername’]); }
if (isset($_POST[‘lipassword’])){ $passwordP = sanitize($_POST[‘lipassword’]); }
if (isset($_POST[‘lisubmit’])){ $submitP = sanitize($_POST[‘lisubmit’]); }

//Validation 1: Has the user submitted the form?
if (isset($submitP)) {
//Validation 2: Has the user entered a username/password?
if (empty($usernameP) || empty($passwordP)){
$error = ‘Sorry, but you must enter a username and password to continue.’;
} else {
$query = “SELECT user_id, user_username, user_password FROM user WHERE user_username = $usernameP”;
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$id = $row[‘user_id’];
$username = $row[‘user_username’];
$password = $row[‘user_password’];
//Validation 3: Does the username/password the user entered match records in the database?
if (($username == $usernameP) && ($password == $passwordP)) {
session_start();
$_SESSION[‘id’] = $id;
$_SESSION[‘username’] = $username;
} else {
$error = ‘Sorry, but the username and password you entered does not match our records. Please try again.’;
}
}
}
if (isset($_SESSION[‘id’])){
echo “You are logged in as {$_SESSION[‘username’]} ({$_SESSION[‘id’]})”;
?>
Logout

<?php } else { echo "

Login:

\n"; ?>

<form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <b>Username:</b> <input type="text" name="liusername">
    <b>Password:</b> <input type="password" name="lipassword">
    <input type="submit" name="lisubmit" value="Login">
</form>

<?php if (isset($error)) { echo ""; } } ?>[/php]

Here is a text sanitizer using Filters. I will leave this for you to research what it does if you don’t know.

[php]function sanitize_form_text($form_text)
{
$form_text = filter_var($form_text, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_LOW);
$form_text = filter_var($form_text, FILTER_SANITIZE_ENCODED);
$form_text = str_replace(’%20’, ’ ', $form_text);
return $form_text;
}[/php]

I trim the entire $_POST array at once with this when appropriate:

[php]$_POST = array_map(‘trim’, $_POST);[/php]

This should be a working version using PDO:

[php]<?php

if (isset($_POST[‘liusername’])){ $usernameP = $_POST[‘liusername’]; }
if (isset($_POST[‘lipassword’])){ $passwordP = $_POST[‘lipassword’]; }
if (isset($_POST[‘lisubmit’])){ $submitP = $_POST[‘lisubmit’]; }

//Validation 1: Has the user submitted the form?
if (isset($submitP)) {
//Validation 2: Has the user entered a username/password?
if (empty($usernameP) || empty($passwordP)){
$error = ‘Sorry, but you must enter a username and password to continue.’;
} else {
ini_set(‘error_reporting’, E_ALL);
ini_set(‘display_errors’, ‘1’);

    try {
        $db = new DB();
        $users = $db->query("SELECT * FROM user WHERE user_username = $usernameP");
        foreach ($users as $user) {
            $id = $user->user_id;
            $username = $user->user_username;
            $password = $user->user_password;
            //Validation 3: Does the username/password the user entered match records in the database?
            if (($username == $usernameP) && ($password == $passwordP)) {
                session_start();
                $_SESSION['id'] = $id;
                $_SESSION['username'] = $username;
            } else {
                $error = 'Sorry, but the username and password you entered does not match our records. Please try again.';
            }
        }
        } catch (Exception $e) {
        echo '<h3>Error:</h3>';
        echo $e->getCode() . ': ' . $e->getMessage();
        echo '<h3>Stack trace:</h3>';
        foreach ($e->getTrace() as $trace) {
            echo $trace['file'] . ' Line #' . $trace['line'] . '<br />';
        }
    }
}

}
if (isset($_SESSION[‘id’])){
echo “You are logged in as {$_SESSION[‘username’]} ({$_SESSION[‘id’]})”;
?>
Logout

<?php } else { echo "

Login:

\n"; ?>

<form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <b>Username:</b> <input type="text" name="liusername">
    <b>Password:</b> <input type="password" name="lipassword">
    <input type="submit" name="lisubmit" value="Login">
</form>

<?php if (isset($error)) { echo ""; } } ?>[/php]

Here’s the connection file which should go before all of the code above: [php]<?php
class DB {
/*** PDO connection * @var PDO */
private $pdoConn = null;

/*** Class constructor */
public function __construct() {
    $this->_initDb();
}

/*** Get PDO database connection** @return*/
public function getPDOConn() {
    return $this->pdoConn;
}

/*** Init db connection*/
private function _initDb() {
    $this->pdoConn = new \PDO('mysql:dbname=mydb;host=localhost;charset=utf8', 'root', '');
    $this->pdoConn->exec("set names utf8");
    $this->pdoConn->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
    $this->pdoConn->setAttribute(\PDO::ATTR_EMULATE_PREPARES, false);
}

/**
 * Executes parametarized query
 * @param string $query
 * @param array $params
 * @param string $fetch_method
 */
public function query($query, $params = [], $fetch_method = 'OBJ', $class = '') {
//public function query($query, $params = array(), $fetch_method = 'OBJ', $class = '') {
    $stmt = $this->pdoConn->prepare($query);
    $result = $stmt->execute($params);
    if ($result) {
        $querybit = explode(" ", trim($query));
        if ($querybit[0] == 'SELECT') {
            if (strtoupper($fetch_method) === 'CLASS') {
                $ret = $stmt->fetchAll(constant('PDO::FETCH_CLASS'), $class);
            } else {
                $ret = $stmt->fetchAll(constant('PDO::FETCH_' . strtoupper($fetch_method)));
            }
        } else {
            $ret = TRUE;
        }
    }
    return !empty($ret) ? $ret : null;
}
/**
 * Get last inserted id
 *
 * @return integer
 */
public function getLastInsertedId() {
    return $this->pdoConn->lastInsertId();
}
/**
 * Generate unnamed placeholders.
 * Accepts an array of values that are to be inserted into the database.
 *
 * @param array $array
 * @return string
 */
public function generatePlaceholders ($array) {
    return rtrim(str_repeat('?,', count($array)), ',');
}

}
?>[/php]

Change this line: [php]$this->pdoConn = new \PDO(‘mysql:dbname=mydb;host=localhost;charset=utf8’, ‘root’, ‘’);[/php]

Credit for this PDO script goes to JimL (http://www.phphelp.com/forum/the-occasional-tutorial/using-php-with-databases-(pdo-tutorial)/msg74968/)

Its not going to work as is. You have at least 2 missing curly braces. It will help you a lot to set up a local development server so you can test your code before you post it and use an IDE that shows syntax errors.

In the mean time, there are several online syntax checkers you can use. Checking sytax is the very first thing I check when testing someones code. If the syntax is wrong it is not going to work.

You can setup Zend Server on your PC or use Xampp along with Phpmyadmin to manage the DB. They are free. There are many IDE’s. I use Webuilder myself.

Nice effort on reading and trying to implement Jims tutorial. I use an alternate PDO method so Jim could best help you at this point. Strider64 is also a knowledgeable poster on here.