views:

317

answers:

8

Hi, I'm using this code for login, but when I enter a username and password it just loads the page and the login page again is displayed. Why does this happen?

<?php
    session_start();
    if(!isset($_POST['username']) || !isset($_POST['password']) || empty($_POST['username']) || empty($_POST['password']))
    {
?>
     <html>
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
     <title>Welcome to yachts database &nbsp;&nbsp;&nbsp;</title>
     <script type="text/javascript">
     function validate()
     {
      var username=document.getElementById("username").value;
      var password=document.getElementById("password").value;
      if(username.length==0)
      {
       alert("Please enter your user name");
       document.getElementById("username").focus();
       document.getElementById("username").select();
       return false;
      }
      if(password.length==0)
      {
       alert("Please enter your password");
       document.getElementById("password").focus();
       document.getElementById("password").select();
       return false;
      }
      submitOK="false";
     }
     </script>
     <?php
      include("styles.txt");
     ?>
     </head>
     <body onLoad="self.focus();document.login.username.focus()">
     <br><br><br><br><br><br><br>
     <center><font size=5 color=blue><b>University of ....... </b></font></center>
     <center><font size=5 color=blue><b>Yachts Database Project</b></font></center>
     <form name="login" method="post" action="<?php $_SERVER['PHP_SELF'];?>" onSubmit="return validate()">
     <table width="350" border="1" align="center" cellpadding=0 cellspacing=0  bgcolor=#ffffff bordercolor=#ffffff>
     <tr>
      <th colspan=2 height=30 bgcolor=#050E8C><font size=4 color=#ffffff>Please, enter user name and password</font></th>
     </tr>
     <tr>
      <th bgcolor=#E0E0FF><font size=4 color=#2020ff>User name</font></th>
      <td bgcolor=#E0E0FF align=center><input type="text" name="username" id="username" size="30"></td>
     </tr>
     <tr>
      <th bgcolor=#E0E0FF><font size=4 color=#2020ff>Password</font></th>
      <td bgcolor=#E0E0FF align=center><input type="password" name=" password" id="password" size="30"></td>
     </tr>
     <tr>
      <td bgcolor=#E0E0FF colspan=2 align=right><input type="submit" name="login" value="&nbsp;&nbsp;Login&nbsp;&nbsp;">&nbsp;&nbsp;<input type="reset" name="reset" value="&nbsp;&nbsp;Reset&nbsp;&nbsp;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=register.php class=links>Register</a>&nbsp;&nbsp;&nbsp;&nbsp;</td>
     </tr>
     </table>
     </form>
     </body>
     </html>
<?php
    }
    else
    {
     $connect= mysql_connect("localhost","root") or die ("Sorry, Can not connect to database");
     mysql_select_db("login") or die (mysql_error());
     $username1=$_POST['username'];
     $password1=$_POST['password'];
     if($username1 && $password1)
     {
      $query="SELECT * FROM users WHERE username='$username1' AND password='$password1'";
      $result=mysql_query($query,$connect) or die(mysql_error());
      $rowcount=mysql_num_rows($result);
     }
     if($rowcount)
     {
      //$_SESSION['username']=$rowcount['username'];
      $user1=$username1;
      $pass1=$password1;
      session_register("user1");
      session_register("pass1");
      header("location: main.php");
     }
     else
     {
?>
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <title>Welcome to yachts database &nbsp;&nbsp;&nbsp;</title>
      <script type="text/javascript">
      function validate()
      {
       var username=document.getElementById("username").value;
       var password=document.getElementById("password").value;
       if(username.length==0)
       {
        alert("Please enter your user name");
        document.getElementById("username").focus();
        document.getElementById("username").select();
        return false;
       }
       if(password.length==0)
       {
        alert("Please enter your password");
        document.getElementById("password").focus();
        document.getElementById("password").select();
        return false;
       }
       submitOK="false";
      }
      </script>
      <?php
       include("styles.txt");
      ?>
      </head>
      <body  onLoad="self.focus();document.login.username.focus()">
      <br><br><br><br><br><br><br>
      <center><font size=5 color=blue><b>University of ....... </b></font></center>
      <center><font size=5 color=blue><b>Yachts Database Project</b></font></center>
      <form name="login"  method="post" action="<?php echo $_SERVER['PHP_SELF'];?>" onSubmit="return validate()">
      <table width="350" border="1" align="center" cellpadding=0 cellspacing=0  bgcolor=#ffffff bordercolor=#ffffff>
      <tr>
       <th colspan=2 height=30 bgcolor=#050E8C><font size=4 color=#ffffff>Please, enter user name and password</font></th>
      </tr>
      <tr>
       <th bgcolor=#E0E0FF><font size=4 color=#2020ff>User name</font></th>
       <td bgcolor=#E0E0FF align=center><input type="text" name="username" id="username" size="30"></td>
      </tr>
      <tr>
       <th bgcolor=#E0E0FF><font size=4 color=#2020ff>Password</font></th>
       <td bgcolor=#E0E0FF align=center><input type="password" name=" password" id="password" size="30"></td>
      </tr>
      <tr>
       <td bgcolor=#E0E0FF colspan=2 height=30 align=right><input type="submit" name="login" value="&nbsp;&nbsp;Login&nbsp;&nbsp;">&nbsp;&nbsp;<input type="reset" name="reset" value="&nbsp;&nbsp;Reset&nbsp;&nbsp;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=register.php class=links>Register</a>&nbsp;&nbsp;&nbsp;&nbsp;</td>
      </tr>
      <tr>
       <td bgcolor=#E0E0FF colspan=2 height=30 align=center><font size=3 color=#ff0000>User name or Password wrong!</font></td>
      </tr>
      </table>
      </form>
      </body>
      </html>
            <?php
     }
    }
?>
+1  A: 

You have a lot of code there for what you're trying to achieve. Without trying to sound condescending, I'd suggest a return to the drawing board, google 'php user authentication' or similar and see if there are some simple examples you can follow.

BrynJ
A: 
<input type="password" name=" password" id="password" size="30">

You have a space in the password field's name, so the value is being stored in $_POST[' password'], not $_POST['password']

Sean Edwards
A: 

i removed the space it displays wrong username or password

+12  A: 

There's a few things you should change about that code...

  1. You don't need to do !isset() and empty(): just empty() will do
  2. You shouldn't be duplicating the HTML for the login page - either put it in a variable or include() it and use PHP to put the error message in there.
  3. You're using deprecated HTML like <center> and <font> - replace them with CSS
  4. In the javascript, submitOK="false"; should be return true;
  5. name=" password" should be name="password" (whitespace in attributes should be trimmed but I wouldn't like to rely on it.
  6. You're putting raw input into a mysql query, leaving yourself vulnerable to sql injection. Use mysql_escape_string()
  7. Don't use session_register, use $_SESSION instead.
  8. A header location should really be a canonical URL (starting http://) although every browser I know of accepts a relative URL.
  9. Usability - take out the reset button.
Greg
mysql_real_escape_string() might be better
Joe Philllips
A: 

You also might want to consider what would happen if I entered a password like this

' or 1=1 or '

Learn to sanitize all inputs which come from outside!

Paul Dixon
+2  A: 

Out of interest what does the generated HTML look like for that form?

as

action="<?php $_SERVER['PHP_SELF'];?>"

should be

action="<?php echo $_SERVER['PHP_SELF'];?>"

else you may find the generated html is action="" in which case it may not process the form as you expect

Re0sless
Actually should be <?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>, like any time you output text to HTML, to stop injection exploits.
bobince
A: 

i dont know why it dosent recognize the user and password

+1  A: 

When ever you're having problems with a script, sometimes it's easier if you strip all of the extra fluff out. Try the code below. I've cleaned it up a little.

I haven't tested it, but I still think it's a step forward.

<?php

    session_start();

    /* If the form has been submitted. */
    if (!empty ($_POST))
    {

     /* If there is not missing data. */
     if (empty ($_POST['username']) && empty ($_POST['password']))
     {
      /* Connect to the database server. */
      $connection = mysql_connect ("localhost", "root") or die ("Error: can not connect to the database.");

      /* Select the database. */
      mysql_select_db ("login") or die ("Error: Can not select the database.");

      /* Make the query. */
      $login_check = mysql_query ("SELECT * FROM users WHERE username = '" . mysql_escape_string ($_POST['username']) . "' AND password = '" . mysql_escape_string ($_POST['password']) . "' LIMIT 1") or die ("MySQL query error.");

      /* If there is a row returned. */
      if (mysql_num_rows ($login_check) > 0)
      {
       echo 'The username and password have matched.';
       exit;
      }

      /* There were no rows returned. */
      else
      {
       $_SESSION['login_error'] = 'Incorrect username or password.';
      }
     }

     /* There's missing data. */
     else
     {
      $_SESSION['login_error'] = 'Both the username and password are required.';
     }
    }

?>  
<html>
    <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
     <title>Testing Login Form</title>
    </head>
    <body>
     <form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
         <p>User name: <input type="text" name="username" id="username"></p>
         <p>Password: <input type="password" name="password" id="password"></p>
         <p><input type="submit" name="login" value="Login"></p>
         <?php

          if (!empty ($_SESSION['login_error']))
          {
           echo '<p>', htmlspecialchars ($_SESSION['login_error'], ENT_QUOTES), '</p>';
           unset ($_SESSION['login_error']);
          }

     ?>
     </form>
    </body>
</html>

Please take everything RoBorg typed into account. It's very good advice.

Ty