-3

I created a simple login portal but there are some issues and I tried several solutions.

This is my login.php file.

    <!DOCTYPE html>
    <html>
    <head>
        <title>Login Page</title>
        <link rel="shortcut icon" href="sopraicon.ico">
        <link rel="stylesheet" href="login.css">
    </head>
    <body>
        <form method="POST" action="process.php">
            <img src="soprasteria.png" alt="sopra steria" width="20%" align="center">

            <img src="share.png" alt="share" id="img1" align="right">
            <a href=""><img src="search.png" id="img1" align="right"></a>
            <input type="text" class="search" name="search" placeholder="Search.."><br>
            <br> <div class="sidediv"></div>
            <p class="data">Sign in to Sopra Steria</p><br>
            <h3 class="h3">User Login</h3>
            <br><img src="Login.jpg" alt="login image" height="150px" width="170px"
                align="left" style="padding-left:160px"><br>&emsp;&emsp;<b>Username:</b>
            <br>&emsp;&emsp;<input type="text" placeholder="User Name" name="username"
                required id="text">
            <br>&emsp;&emsp;<b>Password:</b><br>&emsp;&emsp;<input type="password"
                placeholder="Enter Password" name="password" required id="text" minlength="8">
            <br>&emsp;&emsp;<button type="submit" id="logbtn"
                name="submit">Login</button><br>
            <div class="bottomdiv"></div>
        </form>
    </body>
    </html>

This is my process.php file

    <?php
    $username = $_POST['username'];
    $password = $_POST['password'];

    $username = stripcslashes($username);
    $password = stripcslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    mysql_connect("localhost", "root", "");
    mysql_select_db("login");
    $result = mysql_query("select * from users where username='$username' and password='$password'")
        or die("failed to query database" . mysql_error());
    $row = mysql_fetch_array($result);
    if ($row['username'] == $username && $row['password'] == $password) {
        echo "login success";
    } else {
        echo "failed";
    }
    ?>

But I get an error on the WAMP server, as you can see in the image. Please help me. Thank you.

Error Image

PdC
Priya
  • Make the mysql connection *before* the `mysql_real_escape_string`. By the way, consider upgrading your code to `mysqli` as `mysql` was deprecated in PHP 5.5.0. – Itay Ganor Jun 24 '17 at 11:16
  • For best results on Stack Overflow, please don't post images of error messages, especially when they're too small to read. It's a good idea, when you get error messages, to study them and figure out what they mean. PHP has been out there for about two decades, and the error messages are very informative. – O. Jones Jun 24 '17 at 11:52
  • 2
    Also, with respect, in these days of rampant cybercrime **only a fool does his own password verification**. Please, PLEASE, read this. http://php.net/manual/en/faq.passwords.php – O. Jones Jun 24 '17 at 11:54
  • Possible duplicate of [The definitive guide to form-based website authentication](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – Progman Jun 24 '17 at 17:25

4 Answers

1

You have to check if there is any record with these details in your table instead of matching the user input with the fetched data. You have to check:

    if (mysql_num_rows($result) == 1)
    {
        return true; // or redirect user to home page
    }
    else
    {
        return false;
    }
0

First you get a warning telling you to abandon the mysql* functions in favor of the mysqli functions.

Then you get the error that the connection to the database using the standard user and no password failed.

Connect to the database before you use mysql_real_escape_string. When no connection has been made when using the escape function, PHP will try to connect using a default user, which most often fails.

-- Apart from that: stripslashes is a function one should not need, as the magic-quotes it tries to eliminate was removed from PHP years ago. Now, you mess up a password when it contains a \

And the password: it's not stored in plain text, is it?

Ivo P
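
The points raised in the comments and in this answer (connect first, move to `mysqli`, do not store or compare plain-text passwords), put together as an added example that is not part of the original thread: a `process.php` using a prepared statement and `password_verify()`. The `password_hash` column, the `login_app` account and its password are assumptions, not values from the question.

```php
<?php
// process.php (added example; assumes a hypothetical `password_hash` column
// filled at registration with password_hash($plain, PASSWORD_DEFAULT))
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of warn

function verify_login(mysqli $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so no escaping
    // (and no escape-before-connect ordering problem) is involved.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();

    // password_verify() checks the submitted password against the salted hash;
    // the plain-text password never appears in a query.
    return $found === true && password_verify($password, $hash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = isset($_POST['username']) ? (string) $_POST['username'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';

    try {
        // Placeholder credentials: a dedicated low-privilege account, not root.
        $db = new mysqli('localhost', 'login_app', 'CHANGE_ME', 'login');
        $db->set_charset('utf8mb4');
        $ok = $username !== '' && $password !== ''
            && verify_login($db, $username, $password);
    } catch (mysqli_sql_exception $e) {
        error_log('login: ' . $e->getMessage()); // details go to the log only
        http_response_code(500);
        exit('Login is temporarily unavailable.');
    }

    if ($ok) {
        session_start();
        session_regenerate_id(true); // new session id after authentication
        $_SESSION['username'] = $username;
        echo 'login success';
    } else {
        echo 'failed'; // same message for unknown user and wrong password
    }
}
```
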
0

I tested your code and it is working fine, but the error you are facing is because you are using PHP 5.4, where the function mysql_escape_string() is deprecated. So you need to make some changes in the mysql driver file. Go to system\database\drivers\mysql\mysql_driver.php, find the escape_str function and replace the function's code with this code:

    public function escape_str($str, $like = FALSE)
    {
        if (is_array($str))
        {
            foreach ($str as $key => $val)
            {
                $str[$key] = $this->escape_str($val, $like);
            }

            return $str;
        }

        $str = is_resource($this->conn_id) ? mysql_real_escape_string($str, $this->conn_id) : addslashes($str);

        // escape LIKE condition wildcards
        if ($like === TRUE)
        {
            return str_replace(array($this->_like_escape_chr, '%', '_'),
                array($this->_like_escape_chr.$this->_like_escape_chr, $this->_like_escape_chr.'%', $this->_like_escape_chr.'_'),
                $str);
        }

        return $str;
    }
Sunil Rajput
0

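Try this:

    // Connection parameters as in the question's process.php
    $conn = mysqli_connect("localhost", "root", "", "login");
    $username = $_POST['username'];
    $password = $_POST['password'];
    $username = stripcslashes($username);
    $password = stripcslashes($password);
    if (!empty($username) && !empty($password)) {
        // Escape after connecting so the values cannot break out of the quoted SQL strings
        $username = mysqli_real_escape_string($conn, $username);
        $password = mysqli_real_escape_string($conn, $password);
        $query = "SELECT username,password FROM users WHERE username='$username' AND password='$password'";

        if ($query_run = mysqli_query($conn, $query)) {
            $query_num_rows = mysqli_num_rows($query_run);
            if ($query_num_rows == 0) {
                echo "Invalid Username/password combination";
            } elseif ($query_num_rows == 1) {
                while ($row = mysqli_fetch_assoc($query_run)) {
                    $username = $row['username'];
                    $password = $row['password'];
                    echo ' you are logged in <br>';
                    // Encode the name before echoing it into the HTML page
                    echo 'Welcome' . htmlspecialchars($username);
                }
            }
        }
    } else {
        echo 'Please fill all fields';
    }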
chrisjnr