0

I'm working on a login script, but it doesn't let me sign in even though the account information is correct. I've used this login script in the past, but it used MySQL, so I changed a couple of things so it would work with MySQLi, but it doesn't.

Config.php

<?php
$con = mysqli_connect("localhost","root","wachtwoord","huizenverkoop");

// Check the database connection
if (mysqli_connect_errno()){
  echo "Kan geen verbinding maken met MySQL: " . mysqli_connect_error();
}
?>

Updated: login.php

include 'config.php';

if(isset($_SESSION['persoon'])!="")
{
    header("Location: index.php");
}
if(isset($_POST['loginnu']))
{
    $gebruikersnaam = mysqli_real_escape_string($con, $_POST['gebruikersnaam']);
    $wachtwoord = mysqli_real_escape_string($con, $_POST['wachtwoord']);

    $gebruikersnaam = trim($gebruikersnaam);
    $wachtwoord = trim($wachtwoord);

    $query = "SELECT id, gebruikersnaam, wachtwoord FROM persoon WHERE gebruikersnaam='$gebruikersnaam'";
    $row = mysqli_query($con,$query);

    $count = mysqli_num_rows($row);

    if($count == 1 && $row['wachtwoord']==md5($wachtwoord)){
        $_SESSION['persoon'] = $row['id'];
        header("Location: index.php");
    }else{
        header("Location: login.php?fout=true");
    }
}

if (@$_GET['fout'] == 'true'){
    $melding = "De ingevulde gegevens kloppen niet.";
    include('alert.php');
}

Gebruikersnaam means username and wachtwoord means password. When I press the button "log in" it sends me to login.php?fout=true. Fout means wrong.

<form method="post">
    <h1 class="box-titel">Inloggen</h1>
        <div class="controle">
            <input type="text"      class="speciaal-tekstveld" name="gebruikersnaam"    placeholder="Gebruikersnaam"    required>
            <input type="password"  class="speciaal-tekstveld"  name="wachtwoord"       placeholder="Wachtwoord"        required>
        </div>
            <input type="submit"    class="grootknop"           name="loginnu"          value="Inloggen">
</form>

Persoon table:

id  int(2)
gebruikersnaam  varchar(50)
wachtwoord  varchar(255)

Could someone please help me?

TripleDeal
  • You need to [fetch the data](http://php.net/manual/en/mysqli-result.fetch-assoc.php). – Qirel Jun 18 '16 at 10:58
  • 1) In your form, include action="" if you are redirecting to the same page. Make it like
    . && 2) $con is not defined as per your code. If it's included, then update your with connection code.
    – Bhavin Jun 18 '16 at 11:01
  • I've updated my post – TripleDeal Jun 18 '16 at 11:07
  • @Qirel, I've already tried to fix my error: Fatal error: Cannot use object of type mysqli_result as array on line 23: "if($count == 1 && $row['wachtwoord']==md5($wachtwoord)){", but I can't get it to work, where do I have to put the fetch_assoc()? – TripleDeal Jun 18 '16 at 11:10

4 Answers

1

You'll need to fetch the data, not just query it. You are currently trying to use a MySQLi object, which is the result from the query; this isn't an array with the data from the database, and it needs to be fetched first. You'll need something like this:

$query = "SELECT id, gebruikersnaam, wachtwoord FROM persoon WHERE gebruikersnaam='$gebruikersnaam'";
$result= mysqli_query($con,$query);
$row = mysqli_fetch_assoc($result); // Fetch the data!
$count = mysqli_num_rows($result);

if($count == 1 && $row['wachtwoord']==md5($wachtwoord)){
     // ....
}

You can also check for the password in the query, reducing some of your code. Basically, if you can do something in SQL, do it in SQL.


In addition to this, you shouldn't use md5 for storing passwords. PHP has a built-in password_hash() function which is a lot more secure!

You should also take advantage of using prepared statements, to protect your database against SQL-injection attacks.

Reading-material & documentation

Qirel
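
As an added example (not part of the answer above or the asker's script), this combines the two recommendations: a prepared statement for the lookup and `password_hash()`/`password_verify()` for the password. It goes one step beyond the answer by upgrading rows that still hold the old md5 digest at the next successful login. The function name `check_login` is hypothetical, and `$con` is assumed to come from the asker's config.php.

```php
<?php
declare(strict_types=1);
// Added example. Assumes $con from config.php; legacy rows hold 32-char md5 hex.

// Returns the user's id on success, null on any failure.
function check_login(mysqli $con, string $gebruikersnaam, string $wachtwoord): ?int
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $con->prepare('SELECT id, wachtwoord FROM persoon WHERE gebruikersnaam = ?');
    $stmt->bind_param('s', $gebruikersnaam);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();          // true = row, null = no row, false = error
    $stmt->close();
    if ($found !== true) {
        return null;
    }
    $ok = password_verify($wachtwoord, $hash);
    // Legacy row: accept the md5 match once, then replace it below.
    $legacy = !$ok && strlen($hash) === 32 && hash_equals($hash, md5($wachtwoord));
    if (!$ok && !$legacy) {
        return null;
    }
    if ($legacy || password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($wachtwoord, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE persoon SET wachtwoord = ? WHERE id = ?');
        $upd->bind_param('si', $new, $id);
        $upd->execute();
        $upd->close();
    }
    return (int) $id;
}

// Usage in login.php; session_start() must run before $_SESSION is touched.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
require 'config.php';
session_start();
if (isset($_POST['loginnu'])) {
    $u = $_POST['gebruikersnaam'] ?? '';
    $p = $_POST['wachtwoord'] ?? '';
    $id = (is_string($u) && is_string($p)) ? check_login($con, trim($u), $p) : null;
    if ($id !== null) {
        session_regenerate_id(true);  // fresh session id after authentication
        $_SESSION['persoon'] = $id;
        header('Location: index.php');
    } else {
        header('Location: login.php?fout=true');
    }
    exit;
}
```

The existing `wachtwoord varchar(255)` column is wide enough for `password_hash()` output, so no schema change is needed.
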
0

I think you have trouble with the mysqli connection.

The deal is in this row:

$count = mysqli_num_rows($row);
if($count == 1 ...

You are expecting that there will be at least one row in the table. If you are sure that such a row exists in the database, I think that $count is receiving false because of an error.

0

In your code your $con is not defined, I assume you defined it, so you need to test to make sure you have a connection. Also you are not reporting any errors from your mysqli query. You could try each of these to do those:

http://www.php.net/function.mysqli_connect

//check make sure you have it
if (!$con) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
}

And report errors from mysqli_query, and of course you need to fetch the row, as suggested by Qirel:

$query = "SELECT id, gebruikersnaam, wachtwoord FROM persoon WHERE gebruikersnaam='$gebruikersnaam'";
$result = mysqli_query($con,$query) or die(mysqli_error($con));
$row = $result->fetch_row();

jeffery_the_wind
0

There may be three problems in it.

1) In your form, include action="" if you are redirecting to the same page. Make it like:

 <form method="post" action="">

2) $con is not defined as per your code. If it's included, then update your code with the config file.

3) Fetch the row like:

// $con is the connection created in config.php
$res = $con->query("SELECT id, gebruikersnaam, wachtwoord FROM persoon WHERE gebruikersnaam='$gebruikersnaam'");

$row = mysqli_fetch_assoc($res);
echo $row['wachtwoord']; 

Also, start some error logging in your script.

Bhavin