Sphiinx Sphiinx - 7 months ago 13
SQL Question

Making first login system. Selecting SQL Column not working?

I am attempting to make my first login system. For some reason when I try to get the password from my database it doesn't give a value? I'm not sure what I'm doing wrong. The error is somewhere between $sql and $db_password.

@LFlare Im not sure what the DESC users thing is. Here is a picture of the table, I wasn't sure how you wanted it. http://i.imgur.com/WkZV7IZ.png

Thanks!

<?php
session_start();

if (isset($_POST['login'])) {
include_once("db.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);

$username = stripslashes($username);
$password = stripslashes($password);

$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);

$password = md5($password);

$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];

//echo "Password: $password";
//echo "DB Password: $db_password";

if ($password == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "You didn't enter the correct details!";
}
}
?>

<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>

Answer

Your PHP

<?php
    session_start();

    if (isset($_POST['username']) && isset($_POST['password'])) {
        include_once("db.php");
        $username = mysqli_real_escape_string($sqlcon, $_POST['username']);
        $password = mysqli_real_escape_string($sqlcon, $_POST['password']);
        // If you want to make sure username is alphanumeric, you can do
        // $username = preg_replace('/[^a-zA-Z0-9]/', '', mysqli_real_escape_string($sqlcon, $_POST['username']));

        // Do not use these, mysqli_real_escape_string is enough to prevent injection attacks. Furthermore, you may be compromising user security by remove special characters in passwords.
        // $username = strip_tags($_POST['username']);
        // $password = strip_tags($_POST['password']);
        // $username = stripslashes($username);
        // $password = stripslashes($password);

        // $password = md5($password); This is very susceptibile to rainbow table attacks, do something like a loop
        for ($i = 0; $i < 1000; $i ++) {
            $password = md5($password . $username); // Looping the md5 a thousand times and salting it with the username is good practice too.U
        }

        $userQuery = "SELECT * FROM users WHERE username = '" . $username . "' LIMIT 1";
        $user = mysqli_query($sqlcon, $userQuery);

        if (mysqli_num_rows($user) > 0) { // If user exists,
            $user = mysqli_fetch_assoc($user); // mysqli_fetch_arrays put values into $user[0], $user[1], etc.
            $id = $user['id'];
            $databasepass = $user['password'];

            if ($password === $databasepass) {
                $_SESSION['username'] = $username;
                $_SESSION['id'] = $id;
                header("Location: index.php");
            } else {
                echo "Password is incorrect";
            }
        } else {
            echo "Username does not exist";
        }
    } else {
        echo "Username or Password not filled in";
    }
    echo $password;
?>

<!DOCTYPE html>
<html>
    <head>
        <title>Login</title>
    </head>
    <body>
        <h1>Login</h1>
        <form action="login.php" method="post" enctype="multipart/form-data">
            <input placeholder="Username" name="username" type="text" autofocus>
            <input placeholder="Password" name="password" type="password">
            <input name="login" type="submit" value="Login">
        </form>
    </body>
</html>

Your db.php

<?php
$host = "localhost";
$user = "root";
$pass = "";
$database = "users";

$sqlcon = mysqli_connect($host, $user, $pass, $database);

if (mysqli_connect_errno()) {
    die ("MySQL Database Connection Error");
}
?>