Kamal Hasija Kamal Hasija - 2 months ago 22
PHP Question

This is a simple login page and somewhere code is not working in php

This is my php code for a login form. Please help i check my code 4-5 time but did not reach out the problem here. The problem is that my if block is executed successfully but else part is not working. I don't what is happening here. Please tell me why my code is not executed properly.

HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<form method="post">
<table>
<tr><td>User<input type="text" name="fuser"/></td></tr>
<tr><td>Password<input type="password" name="fpassword"/></td></tr>
<tr><td><a href="#">Lost Password</a>&nbsp;<a href="form.php">Create new Account</a></td></tr>
<tr><td><input type="submit" name="fsubmit" value="Login"/></td></tr>
</table>
</form>
</body>
</html>


PHP

<?php
if(isset($_POST['fsubmit']))
{
$hostname="localhost";
$username="root";
$dbpassword="";
$db="php";

$user=$_POST['fuser'];
$password=$_POST['fpassword'];

mysql_connect($hostname, $username, $dbpassword) or die("Server not Found, May be connection lost somewhere.");

mysql_select_db($db) or die("Error Established, Database Not Connected.");

$query="select * from register where user='$user' and password='$password'";

$rs=mysql_query($query) or die("Query not Executed, Some Fault.");

while($r=mysql_fetch_assoc($rs))
{
if($user==$r['user'] && $password==$r['password'])
{
echo "<script>alert('You Are Login Successfully.')</script>";
echo "Please Wait We Moving Now, Don't Press F5 or Refresh Button";
header("Refresh:3; URL=dashboard.php");
}
else
{
echo "<script>alert('Sorry Try Agian or Register First.')</script>";
echo "Please Wait We Moving Now, Don't Press F5 or Refresh Button";
header("Refresh:1; URL=form.php");
}
}
}
?>

Answer

Solution:

  • Why do you have to compare the passed-on data with the fetched data of your query? It is too redundant, and that loop will slow the process. All you have to do is to use *_num_rows if there is a match.
  • Also consider using _real_escape_string() to sanitize POST data from your form before binding it in your query, or better yet, use prepared statement.
  • Your else statement will not work because when a user enters a credential that does not exist in your database, it will not enter the loop, which tends not to read the if-else statement.

Sample Code:

$user = mysql_real_escape_string($_POST['fuser']);
$password = mysql_real_escape_string($_POST['fpassword']);

$query = "SELECT * FROM register WHERE user = '$user' AND password = '$password'";
$rs = mysql_query($query) or die("Query not Executed, Some Fault.");

if(mysql_num_rows($rs) > 0){

    echo "<script>alert('You Are Login Successfully.')</script>";
    echo "Please Wait We Moving Now, Don't Press F5 or Refresh Button";
    header("Refresh:3; URL=dashboard.php");

} else {

    echo "<script>alert('Sorry Try Agian or Register First.')</script>";
    echo "Please Wait We Moving Now, Don't Press F5 or Refresh Button";
    header("Refresh:1; URL=form.php");

}

Prepared Statement:

Reminder: mysql_* API is deprecated, and recommend that you use mysqli_* instead.

Establish your connection first using mysqli_*:

$con = new mysqli("localhost", "root", "", "php");

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

Then, proceed to your code:

$user = $_POST['fuser'];
$password = $_POST['fpassword'];

$stmt = $con->prepare("SELECT * FROM register WHERE user = ? AND password = ?");
$stmt->bind_param("ss", $user, $password);
$stmt->execute();
$stmt->store_result();
if($stmt->num_rows > 0){

    echo "<script>alert('You Are Login Successfully.')</script>";
    echo "Please Wait We Moving Now, Don't Press F5 or Refresh Button";
    header("Refresh:3; URL=dashboard.php");

} else {

    echo "<script>alert('Sorry Try Agian or Register First.')</script>";
    echo "Please Wait We Moving Now, Don't Press F5 or Refresh Button";
    header("Refresh:1; URL=form.php");

}
$stmt->close();

Security:

Consider also encrypting your password when storing it in your database. I suggest you use at least password_hash.