-2

Hello, I am trying to make a login but it's not working for me. I have a syntax error; the code is below. Please help me.

Database table

```sql
CREATE TABLE IF NOT EXISTS `users` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`user_name` varchar(150) NOT NULL DEFAULT '',
`password` varchar(255) NOT NULL DEFAULT '',
`email` varchar(225) NOT NULL,
`mobile` varchar(225) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci AUTO_INCREMENT=2 ;

--
-- Dumping data for table `users`
--

INSERT INTO `users` (`id`, `user_name`, `password`, `email`, `mobile`) VALUES
(1, 'eddy', '32316a4f55bb533b0c12855c2e48b211', 'eddy@example.com', '12345');
```

The MD5 Password for user eddy is: global123

login.php

```php
<?php
 // Start the session
 session_start();

 // Database information
 $servername = "localhost";
 $username = "root";
 $password = "";
 $dbname = "users";

 try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "Connected successfully"; 
}
 catch(PDOException $e)
{
echo "Connection failed: " . $e->getMessage();
}



 // Check input 
 function checker_input($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
 }

 // Login Checker

 // define variables and set to empty values
 $usernameErr = $passwordErr = "";
 $username = $password = "";



 if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))
 {
// let the user access the main page
header("Location: home.php");
 }


 else(!empty($_POST['username']) && !empty($_POST['password']))
 {


// let the user login

if (empty($_POST["username"])) {
$usernameErr = "Username is required";
   } else {
$username = test_input($_POST["username"]);
   }

     if (empty($_POST["password"])) {
     $passwordErr = "Password is required";
   } else {
     $password = md5 checker_input($_POST["password"]);
   } 


$stmt = $conn->prepare("SELECT * FROM users WHERE user_name:username AND password:password"); 
$stmt->execute();
$userRow=$stmt->fetch(PDO::FETCH_ASSOC);

if($stmt->rowCount() == 1)
{
    $email = $userRow['email'];

    $_SESSION['user_name'] = $username;
    $_SESSION['email'] = $email;
    $_SESSION['mobile'] = $mobile;
    $_SESSION['LoggedIn'] = 1;

    echo "<h1>Success</h1>";

    }
else
{
    echo "<h1>Error</h1>";
    echo "<p>Sorry, your account could not be found.</p>";
}


 }
 ?>

    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <label>Username:</label><input type="text" name="username"/><?php echo $usernameErr;?><br/>
    <label>Password:</label><input type="password" name="password"/><?php echo $passwordErr;?><br/>
    <input type="submit" name="login" id="login" value="Login" />
    </form>
```

And also, how can I make the home page show the user his username and email and password?

home.php

```php
<p>Thanks for logging in!<br>
      You are <?=$_SESSION['username']?> and your email address is <?=$_SESSION['email']?> and mobile <?=$_SESSION['mobile']?>.</p>
```
Edward
  • Well, `$password = md5 checker_input($_POST["password"]);` isn't going to work. – Jonnix Mar 24 '17 at 16:28
  • @JonStirling the whole script doesn't work – Edward Mar 24 '17 at 16:29
  • Yes? In part because that's a syntax error. That was kind of my point. – Jonnix Mar 24 '17 at 16:29
  • `else(!empty($_POST['username']) && !empty($_POST['password']))` is also a syntax error. – Jonnix Mar 24 '17 at 16:33
  • Good lord. You're using PDO, why that `checker_input()` function? You're already using a prepared statement and do **not** use MD5. You want your site/db to remain intact? Don't use MD5. – Funk Forty Niner Mar 24 '17 at 16:35
  • You also shouldn't be escaping passwords. One such as `123'\abc` is perfectly valid and you shouldn't be limiting passwords either. – Funk Forty Niner Mar 24 '17 at 16:36
  • @Fred-ii- please can you recode the script for me? – Edward Mar 24 '17 at 16:42
  • I'll go one better http://stackoverflow.com/a/29778421/1415724 use that and you'll be in business ;-) you can get rid of the code you're using now. – Funk Forty Niner Mar 24 '17 at 16:46
  • `WHERE user_name:username AND password:password` btw- those are missing `=`'s signs. Using http://php.net/manual/en/pdo.error-handling.php on the query would have thrown you something about those. – Funk Forty Niner Mar 24 '17 at 16:49
  • If you still want this question answered, please provide some details of the error you get. See [ask] and [mcve] –  Mar 24 '17 at 19:28

1 Answer

0

Your very first else has brackets; replace that with `else {` (line 47).

Then use this if around (line 66 - 86) like so, because there is no need to query the database if the fields are empty. Place this at line 65 and close it with a `}` at line 87:

```php
if(!empty($_POST['username']) && !empty($_POST['password'])) { 
```

md5 should have brackets around the checker_input function call (line 62), like so:

```php
$password = md5(checker_input($_POST["password"]));
```

The test input function doesn't exist; I assume you wanted to use check_input_function here, so replace it with that (line 56).

The query at (line 66) was not correct; it should be:

```php
'SELECT * FROM users WHERE user_name = :username AND password = :password'
```

Variables need to be bound like this (place this under your statement below line 66):

```php
  $stmt->bindParam(':username', $username, PDO::PARAM_STR);
  $stmt->bindParam(':password', $password, PDO::PARAM_STR);
```

And then, once you are logged in, the $mobile variable is not filled in yet; not sure what you want in there (line 76).

herriekrekel
  • `WHERE user_name = ":username" AND password = ":password"` - seriously, in quotes? all that was missing were `=`'s – Funk Forty Niner Mar 24 '17 at 16:48
  • @herriekrekel Please, which code should I replace with `$stmt->bindParam(':username', $username, PDO::PARAM_STR); $stmt->bindParam(':password', $password, PDO::PARAM_STR);`? – Edward Mar 24 '17 at 16:53
  • @Edward needs to be added after the prepare but before the execute – herriekrekel Mar 24 '17 at 16:59
  • @Fred-ii- you're right, edited it – herriekrekel Mar 24 '17 at 17:08
  • @herriekrekel thank you very very much, but now it doesn't show if the username or password is empty, please help me – Edward Mar 24 '17 at 17:11
  • @herriekrekel I want to use $mobile to show the user's mobile from the database on the home page – Edward Mar 24 '17 at 17:16
  • @Edward remove the `if(!empty($_POST['username']) && !empty($_POST['password'])) {` (line 42) and replace with `else {` – herriekrekel Mar 24 '17 at 17:21
  • @herriekrekel do you want me to remove this whole line `if(!empty($_POST['username']) && !empty($_POST['password'])) {`? – Edward Mar 24 '17 at 17:25
  • @Edward yes, and place that if above the part where you are selecting the user (`$stmt = $conn` etc.) (above line 66, and close the if with `}` at line 87) because there's no need to query the database if username or password is empty – herriekrekel Mar 24 '17 at 17:29
  • @herriekrekel I appreciate your help. Why, when I open it, do I see username and password required? – Edward Mar 24 '17 at 17:40
  • @herriekrekel how can I remove this `header("Location: home.php");` because I don't see it as helpful any more, isn't it? – Edward Mar 24 '17 at 17:43
  • @Edward because if you have not submitted, your post is still empty, so so are `$_POST['username']` and `$_POST['password']`. Change the `else {` (line 43) to `else if(isset($_POST['login'])) {` to stop this – herriekrekel Mar 24 '17 at 17:44
  • @Edward that's up to you. The reason it doesn't do anything at the moment is because it checks `$_SESSION['Username']` instead of `$_SESSION['user_name']` (line 40, second empty statement) – herriekrekel Mar 24 '17 at 17:50
  • @herriekrekel please, how can I remove it? – Edward Mar 24 '17 at 17:52
  • @Edward just remove the if statement, the header and the else beneath it and the closures of both statements – herriekrekel Mar 24 '17 at 17:55
  • @herriekrekel I don't understand, do you want me to only remove the if without `(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['user_name']))` or with it? – Edward Mar 24 '17 at 18:01
  • @Edward everything between line 40-48 along with the else closure (the `}` sign at line 89) – herriekrekel Mar 24 '17 at 18:04
  • I removed `if (!empty($_SESSION['LoggedIn']) && !empty($_SESSION['user_name']))` and else and this sign `}`, is that correct? – Edward Mar 24 '17 at 18:11
  • @Edward yes, and the header you didn't want, correct – herriekrekel Mar 24 '17 at 18:16
  • @herriekrekel 10000000000000000000 thanks, is it enough? – Edward Mar 24 '17 at 18:42
  • @Edward you're welcome, accept answer please – herriekrekel Mar 24 '17 at 19:12
  • @herriekrekel please, I have another problem in validations, they are not working. Please, I need your help, and how can I send the file to you? – Edward Apr 05 '17 at 15:45
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 22 '17 at 17:13
  • @herriekrekel please, how much do you charge per hour? Because I want to hire you for some code; I will be happy if we work together – Edward Jun 22 '17 at 18:33
  • @Edward no need for that but I'll be happy to help you out if it's not a crazy amount of work – herriekrekel Jun 23 '17 at 04:07
  • @herriekrekel it's very simple stuff but I can't submit any question here. Please, do you have another way to contact you :) – Edward Jun 25 '17 at 19:04
  • @Edward ye we can discuss further through email: herriekrekel@hotmail.com – herriekrekel Jun 25 '17 at 20:39
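
The approach the comments recommend (bound parameters, `password_hash()`/`password_verify()`, no escaping of the password), as an added example that is not part of the original question or answer. It assumes an in-memory SQLite table in place of the MySQL `users` table, a hypothetical `login()` helper and constructed sample rows, and it goes one step beyond the thread by upgrading a legacy MD5 row on the first successful login.

```php
<?php
// Added example: an in-memory SQLite table stands in for the page's MySQL `users` table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
            password TEXT, email TEXT, mobile TEXT)');

// Constructed sample rows: one legacy MD5 row (as in the question), one password_hash() row.
$ins = $pdo->prepare('INSERT INTO users (user_name, password, email, mobile)
                      VALUES (:u, :p, :e, :m)');
$ins->execute([':u' => 'eddy', ':p' => md5('global123'),
               ':e' => 'eddy@example.com', ':m' => '12345']);
$ins->execute([':u' => 'alice', ':p' => password_hash("123'\\abc", PASSWORD_DEFAULT),
               ':e' => 'alice@example.com', ':m' => '67890']);

/** Hypothetical helper: returns the user row (without the hash) or null on failure. */
function login(PDO $pdo, string $username, string $password): ?array
{
    // Look up by username only; the password is never part of the SQL.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user_name = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = $row['password'];
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy MD5 row: compare in constant time; it is upgraded below on success.
        $ok = hash_equals($stored, md5($password));
    } else {
        // The raw password goes straight in: no trim/stripslashes/htmlspecialchars.
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    unset($row['password']);
    return $row;
}

var_dump(login($pdo, 'eddy', 'global123') !== null);   // legacy row, rehashed on login
var_dump(login($pdo, 'alice', "123'\\abc") !== null);  // quotes and backslashes are kept as typed
var_dump(login($pdo, 'eddy', 'wrong-password'));        // failed verification
```

On success the caller would call `session_regenerate_id(true)` and store the row under one consistent set of `$_SESSION` keys; the question mixes `Username`, `user_name` and `username`.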