astroXoom astroXoom - 4 months ago 19
PHP Question

PHP - Checking the textbox in Login Forms

The file code is going to check if the field is empty then run the code. The main problem is that when the text box is filled, the "authentication" doesn't work anymore.

So basically, the system gonna check if the text box is filled (both for the Username and Password), when the text box is not filled out, an error will show up "Please fill all the fields" and it's not gonna let the user login if the text box isn't filled out. The problem now is when the text boxes is properly filled (or "filled"), the authentication system isn't working anymore.



More Information:

The authentication system is using SHA256 as the "encryptor" or the "hash code". When I don't enter the code for "checking the fields if empty", the code actually works, but when I put it on the file, everything seems messed up now.



The HTML form code:


<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
Remember me: <input type="checkbox" name="remember" /><br />
<input type="submit" name="submit" value="Login" />
<a href="register.php">Register</a>
</form>


The PHP code:

<?php
$username = $_POST['username'];
$mainpass = $_POST['password'];
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (empty($_POST['username']) || empty($_POST['password'])) {
echo "Please fill all the fields!";
}
} else {
?>
<?php
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$mainpass = $_POST['password'];
$password = hash('sha256', $mainpass);

// processing remember me option and setting cookie with long expiry date
if (isset($_POST['remember'])) {
session_set_cookie_params('604800'); //one week (value in seconds)
session_regenerate_id(true);
}

$mysqli = new mysqli(localhost, root, "", loginsecure);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}

$sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);

if ($result->num_rows != 1) {
echo "<p><b>Error:</b> Account doesn't exists! <a href=\"register.php\">Register here!</a></p>";
} else {
// Authenticated, set session variables
$user = $result->fetch_array();
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];

// update status to online
$timestamp = time();
$sql = "UPDATE users SET status={$timestamp} WHERE id={$_SESSION['user_id']}";
$result = $mysqli->query($sql);

redirect_to("profile.php?id={$_SESSION['user_id']}");
// do stuffs
}
}

if (isset($_GET['msg'])) {
echo "<p style='color:red;'>" . $_GET['msg'] . "</p>";
}
}
?>

Answer

Problem is the if statements in the else clause will never be reached except when the method is GET.

Change the if statement and remove the first assignment of $username and $password:

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        echo "Please fill all the fields!";
    }
    elseif (isset($_POST['submit'])) {
        $username = $_POST['username'];
        $mainpass = $_POST['password'];
        // rest of your code...