Php password problem
I use this code to login, but when I enter username and password, it just loads the page and the login page is displayed again. Why is this happening?
<?php
session_start();
if(!isset($_POST['username']) || !isset($_POST['password']) || empty($_POST['username']) || empty($_POST['password']))
{
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Welcome to yachts database </title>
<script type="text/javascript">
function validate()
{
var username=document.getElementById("username").value;
var password=document.getElementById("password").value;
if(username.length==0)
{
alert("Please enter your user name");
document.getElementById("username").focus();
document.getElementById("username").select();
return false;
}
if(password.length==0)
{
alert("Please enter your password");
document.getElementById("password").focus();
document.getElementById("password").select();
return false;
}
submitOK="false";
}
</script>
<?php
include("styles.txt");
?>
</head>
<body onLoad="self.focus();document.login.username.focus()">
<br><br><br><br><br><br><br>
<center><font size=5 color=blue><b>University of ....... </b></font></center>
<center><font size=5 color=blue><b>Yachts Database Project</b></font></center>
<form name="login" method="post" action="<?php $_SERVER['PHP_SELF'];?>" onSubmit="return validate()">
<table width="350" border="1" align="center" cellpadding=0 cellspacing=0 bgcolor=#ffffff bordercolor=#ffffff>
<tr>
<th colspan=2 height=30 bgcolor=#050E8C><font size=4 color=#ffffff>Please, enter user name and password</font></th>
</tr>
<tr>
<th bgcolor=#E0E0FF><font size=4 color=#2020ff>User name</font></th>
<td bgcolor=#E0E0FF align=center><input type="text" name="username" id="username" size="30"></td>
</tr>
<tr>
<th bgcolor=#E0E0FF><font size=4 color=#2020ff>Password</font></th>
<td bgcolor=#E0E0FF align=center><input type="password" name=" password" id="password" size="30"></td>
</tr>
<tr>
<td bgcolor=#E0E0FF colspan=2 align=right><input type="submit" name="login" value=" Login "> <input type="reset" name="reset" value=" Reset "> <a href=register.php class=links>Register</a> </td>
</tr>
</table>
</form>
</body>
</html>
<?php
}
else
{
$connect= mysql_connect("localhost","root") or die ("Sorry, Can not connect to database");
mysql_select_db("login") or die (mysql_error());
$username1=$_POST['username'];
$password1=$_POST['password'];
if($username1 && $password1)
{
$query="SELECT * FROM users WHERE username='$username1' AND password='$password1'";
$result=mysql_query($query,$connect) or die(mysql_error());
$rowcount=mysql_num_rows($result);
}
if($rowcount)
{
//$_SESSION['username']=$rowcount['username'];
$user1=$username1;
$pass1=$password1;
session_register("user1");
session_register("pass1");
header("location: main.php");
}
else
{
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Welcome to yachts database </title>
<script type="text/javascript">
function validate()
{
var username=document.getElementById("username").value;
var password=document.getElementById("password").value;
if(username.length==0)
{
alert("Please enter your user name");
document.getElementById("username").focus();
document.getElementById("username").select();
return false;
}
if(password.length==0)
{
alert("Please enter your password");
document.getElementById("password").focus();
document.getElementById("password").select();
return false;
}
submitOK="false";
}
</script>
<?php
include("styles.txt");
?>
</head>
<body onLoad="self.focus();document.login.username.focus()">
<br><br><br><br><br><br><br>
<center><font size=5 color=blue><b>University of ....... </b></font></center>
<center><font size=5 color=blue><b>Yachts Database Project</b></font></center>
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>" onSubmit="return validate()">
<table width="350" border="1" align="center" cellpadding=0 cellspacing=0 bgcolor=#ffffff bordercolor=#ffffff>
<tr>
<th colspan=2 height=30 bgcolor=#050E8C><font size=4 color=#ffffff>Please, enter user name and password</font></th>
</tr>
<tr>
<th bgcolor=#E0E0FF><font size=4 color=#2020ff>User name</font></th>
<td bgcolor=#E0E0FF align=center><input type="text" name="username" id="username" size="30"></td>
</tr>
<tr>
<th bgcolor=#E0E0FF><font size=4 color=#2020ff>Password</font></th>
<td bgcolor=#E0E0FF align=center><input type="password" name=" password" id="password" size="30"></td>
</tr>
<tr>
<td bgcolor=#E0E0FF colspan=2 height=30 align=right><input type="submit" name="login" value=" Login "> <input type="reset" name="reset" value=" Reset "> <a href=register.php class=links>Register</a> </td>
</tr>
<tr>
<td bgcolor=#E0E0FF colspan=2 height=30 align=center><font size=3 color=#ff0000>User name or Password wrong!</font></td>
</tr>
</table>
</form>
</body>
</html>
<?php
}
}
?>
0
sermed
source
to share
6 answers
There are a few things you should change about this code ...
- You don't have to do
!isset()
andempty()
: justempty()
will do - You shouldn't be duplicating HTML for the login page - either put it in a variable or
include()
and use PHP to post the error message there. - You are using legacy HTML like
<center>
and<font>
- replace them with CSS - In javascript
submitOK="false";
should bereturn true;
-
name=" password"
should bename="password"
(whitespace in attributes should be truncated, but I wouldn't want to rely on it. - You put the original input into a mysql query, leaving yourself vulnerable to SQL injection. Use
mysql_escape_string()
- Don't use
session_register
, use$_SESSION
instead. - The title place should be a truly canonical URL (starting with http: //), although every browser I know accepts a relative URL.
- Usability - remove the reset button.
+12
source to share
Out of interest, what does the generated HTML for this form look like?
as
action="<?php $_SERVER['PHP_SELF'];?>"
it should be
action="<?php echo $_SERVER['PHP_SELF'];?>"
else you may find that the generated html is action = "", in which case it cannot process the form as you expect.
+2
source to share
When you're having trouble with a script, sometimes it's easier if you remove all the extra fluff. Try the code below. I cleaned it up a bit.
I haven't tested it, but I still think it is a step forward.
<?php
session_start();
/* If the form has been submitted. */
if (!empty ($_POST))
{
/* If there is not missing data. */
if (empty ($_POST['username']) && empty ($_POST['password']))
{
/* Connect to the database server. */
$connection = mysql_connect ("localhost", "root") or die ("Error: can not connect to the database.");
/* Select the database. */
mysql_select_db ("login") or die ("Error: Can not select the database.");
/* Make the query. */
$login_check = mysql_query ("SELECT * FROM users WHERE username = '" . mysql_escape_string ($_POST['username']) . "' AND password = '" . mysql_escape_string ($_POST['password']) . "' LIMIT 1") or die ("MySQL query error.");
/* If there is a row returned. */
if (mysql_num_rows ($login_check) > 0)
{
echo 'The username and password have matched.';
exit;
}
/* There were no rows returned. */
else
{
$_SESSION['login_error'] = 'Incorrect username or password.';
}
}
/* There missing data. */
else
{
$_SESSION['login_error'] = 'Both the username and password are required.';
}
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Testing Login Form</title>
</head>
<body>
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p>User name: <input type="text" name="username" id="username"></p>
<p>Password: <input type="password" name="password" id="password"></p>
<p><input type="submit" name="login" value="Login"></p>
<?php
if (!empty ($_SESSION['login_error']))
{
echo '<p>', htmlspecialchars ($_SESSION['login_error'], ENT_QUOTES), '</p>';
unset ($_SESSION['login_error']);
}
?>
</form>
</body>
</html>
Please take whatever RoBorg introduces. This is very good advice.
+1
source to share