0

Im slowly getting insane. This time i want that it isnt possible to klick the login in button and get ridirected without typed in a username or a password.

I tryed this:

Redirect after login example 1

Ridrect after login example 2

Until i ended up with my written code:

<?php 
session_start();
require('../includes/connect_to_db.php'); 

if (isset($_POST['username']) and isset($_POST['password'])){

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);

if (empty($_POST['username'])||
   empty($_POST['password'])){
    $fmsg = "Invalid Login Credentials.";
    }   

if(mysqli_num_rows($result)>0){

$_SESSION['username'] = $username;
header("Location:Loginpage.php");

}else{
$fmsg = "Invalid Login Credentials.";
}
}
if (isset($_SESSION['username'])){

$username = $_SESSION['username'];
}

?>

When i type anything in the login form its says :"Invalid Login Credentials" but when i let them empty and just klick on "Login" he redirect to the shown page. I lose my mind i cant find the damn mistake i made.

Devi
  • 89
  • 1
  • 10
  • 1
    YOu can do this by javascript... – GYaN Dec 21 '17 at 10:17
  • Whats the link between your second redirect attempt and the PHP developers manual? – Nico Haase Dec 21 '17 at 10:18
  • 1
    Your code is vulnerable for a sql injection. [What is a SQL injection?](https://stackoverflow.com/questions/601300/what-is-sql-injection) – Philipp Maurer Dec 21 '17 at 10:19
  • Why don't you check for `strlen($_POST['username']) > 0`? – Nico Haase Dec 21 '17 at 10:19
  • I would highly suggest investing your time learning how to use PDO within your PHP applications, I find it much easier to use. – FluxCoder Dec 21 '17 at 10:19
  • Does it just seem like you store the raw user passwords in the database, or do you really do that? Because you definitely should not. – Philipp Maurer Dec 21 '17 at 10:21
  • Im just learning so this is nothing for work or something like that... – Devi Dec 21 '17 at 10:22
  • 1
    It's nice you're trying to learn how to do a login page, but you should first learn about good programming practices and security precautions.. Your code is extremely vulnerable and you'd lose any court trial if someone got damaged because of your site. If you're learning, do it properly so you don't learn bad habits. This is bad on too many levels and I mean this to protect you, not to bring you down. Be responsible as a developer, you'll be doing yourself a favor. – walther Dec 21 '17 at 10:24
  • Maybe i could use something from wordpress or joomla as a loginscript/ form? Would that be save? And if i am good enough i could write my own login script.@walther – Devi Dec 21 '17 at 10:27

3 Answers3

0
if (isset($_POST['username']) and isset($_POST['password']) and $_POST['username']!='' and $_POST['password']!=''){

Why don't you try something like this.

pr1nc3
  • 6,575
  • 3
  • 15
  • 29
0

You can check if the user's entry is empty or not by doing one of the following:

Method One

if(strlen($_POST['username']) > 0){
    //Then user's input is not empty
}

Method Two

if(empty($_POST['username']) == true){
    //Then user's input is not empty
}

Method Three

if($_POST['username'] !== ""){
    //Then user's input is not empty
}

In my own PHP applications I'd use both method one and two.

FluxCoder
  • 1,156
  • 7
  • 21
  • 1
    `if(empty($_POST['username']) == true){` I guess you wanted to use `!==` not `==`. Also since the return type is boolean you could just use `if(!empty($_POST['abc']){` – Philipp Maurer Dec 21 '17 at 10:24
  • @PhilippMaurer Thanks for telling me, and I've found that using the empty function with just `!` caused issues. – FluxCoder Dec 21 '17 at 10:29
0

you should check that the inputs are not empty first :

if(!empty($_POST['username']) && !empty($_POST['password']) )

or as pr1nc3 answer , something like :

if (isset($_POST['username']) && isset($_POST['password']) && $_POST['username']!='' && $_POST['password']!=''){

also check the variable $result by var_dump($result); to check the query results

because in your case it will create the session anyways as long as there are results from the query.

Kareem Essawy
  • 470
  • 4
  • 12