
So when I log in with the correct ID and password, it just shows up as "Wrong ID or Password". Not sure why this is. Have I made a typo? Or is it something else? Please help... thank you. Just thought I'd say that when registering, the password is crypted and stored using "crypt". Do I need to define that when defining $pw - is that why it isn't working?

UPDATE = I used this tutorial/website

process_login.php

```php
<?php
$host="localhost"; // Host name 
$username="*******"; // Mysql username 
$password="*******"; // Mysql password 
$db_name="*******"; // Database name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$id=$_POST['ID']; 
$pw=$_POST['Password']; 


// To protect MySQL injection (more detail about MySQL injection)
$id = stripslashes($id);
$pw = stripslashes($pw);
$id = mysql_real_escape_string($id);
$pw = mysql_real_escape_string($pw);

$sql="SELECT * FROM User WHERE ID='$id' and Password='$pw'";
$result=mysql_query($sql);


// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $id and $pw, table row must be 1 row


if($count==1){
    $result=mysql_fetch_array($result);
    $st = $result['Status'];

    //page link on the basis of user Status you can add more  condition on the basis of ur roles in db
    if($st == '0'){
        $link = 'menu_user.php';
    }
    elseif($st == '1'){
        $link = 'menu_staff.php';
    }
    elseif($st == '2'){
        $link = 'menu_admin.php';
    }

   // session Register $id, $pw and redirect 
   $_SESSION["ID"] = $id;
   $_SESSION["Password"] = $pw;
   $_SESSION["Status"] = $st;
   header("Location: ".$link."");
}
else {
    echo "Wrong ID or Password";
    echo"<META HTTP-EQUIV='Refresh' Content='2; URL=http://******/index.php'>";
}

?>
```
Katey
  • 3
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 11 '16 at 18:48
  • 6
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 11 '16 at 18:48
  • 1
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Apr 11 '16 at 18:48
  • 2
    You need to match against the encrypted password: `$pw = crypt(stripslashes($pw));` – Alon Eitan Apr 11 '16 at 18:49
  • 1
    $count=mysql_num_rows($result); what does var_dump($count) show? – MacGyer Apr 11 '16 at 18:49
  • @AlonEitan I changed my code to this but it still doesn't work – Katey Apr 11 '16 at 18:55
  • @JayBlanchard Hey, I updated it with the website I used. Also changing mysql to mysqli now. Thanks – Katey Apr 11 '16 at 18:55
  • @Katey Long shot - maybe you have more than one row with the same username and password in your DB? Check if `if($count>=1){` works, and make sure you're populating the password the same way you did in the registration part – Alon Eitan Apr 11 '16 at 18:59
  • @AlonEitan So I changed my code using both your suggestions and still no luck. I currently have one row in my database as I am still trying it out to see if it works – Katey Apr 11 '16 at 19:02
  • 1
    So I'm the one who has to say: Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Apr 11 '16 at 19:10

0 Answers
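
The check the comments point toward, as an added example that is not part of the original question or its comments: select the row by ID with a prepared statement and compare the password with `password_verify()` in PHP, because a salted hash stored at registration can never be matched by `Password='$pw'` in SQL. The in-memory SQLite database, the `register()` and `login()` helpers and the sample accounts are assumptions made for the illustration.

```php
<?php
// Added example: constructed table and sample users, in-memory SQLite so it runs offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE User (ID TEXT PRIMARY KEY, Password TEXT NOT NULL, Status INTEGER NOT NULL)');

// Registration side (hypothetical helper): store a salted hash, never the plain password.
function register(PDO $pdo, string $id, string $pw, int $status): void
{
    $stmt = $pdo->prepare('INSERT INTO User (ID, Password, Status) VALUES (?, ?, ?)');
    $stmt->execute([$id, password_hash($pw, PASSWORD_DEFAULT), $status]);
}

// Login side (hypothetical helper): look the row up by ID only, then verify in PHP.
// Returns the Status value on success, or null on any failure.
function login(PDO $pdo, string $id, string $pw): ?int
{
    // The placeholder sends $id as data, so no stripslashes()/escaping is needed.
    $stmt = $pdo->prepare('SELECT Password, Status FROM User WHERE ID = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown ID
    }
    // password_verify() re-hashes $pw with the salt embedded in the stored value
    // and compares in constant time; it also accepts hashes produced by crypt().
    if (!password_verify($pw, $row['Password'])) {
        return null; // wrong password
    }
    return (int) $row['Status'];
}

// Constructed sample accounts.
register($pdo, 'katey01', 'correct horse', 2);
register($pdo, "o'brien", 'battery staple', 0); // a quote in the ID is stored as plain data

var_dump(login($pdo, 'katey01', 'correct horse'));   // matching password
var_dump(login($pdo, 'katey01', 'wrong password'));  // wrong password
var_dump(login($pdo, "o'brien", 'battery staple'));  // ID containing a quote
var_dump(login($pdo, 'nobody', 'correct horse'));    // unknown ID
```

On success only the ID and Status belong in `$_SESSION` (after `session_start()`); the password itself has no reason to be kept there.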