php - login script redirects user no matter what -
i'm making login page website connects mysql database stores login details. when submit form redirects information regardless of whether or not login valid. i'm confused wrong.
my form:
<form name="login" action="edit_profile/index.php" method="post"> //redirects page regardless of has been submitted <fieldset> <legend>please enter login details</legend> <label for="username">username</label> <input id="username" name="username" type="text" value="" required/><br> <label for="password">password</label> <input id="password" name="password" type="password" value="" required/><br> <input type="submit" value="submit"/> </fieldset>
the php script:
<?php require_once "connectdb.php";?> <?php if(isset($_post["submit"])){ $username=$_post["username"]; $password=$_post["password"]; $query=mysql_query("select * login_details username='".$username."'and password='".$password."'"); $numrows=mysql_num_rows($query); if($numrows!=0) { while($$row=mysql_fetch_asoc($query)) { $dbusername=$row["username"]; $dbpassword=$row["password"]; } if($user == $dbusername && $pass == $dbpassword) { session_start(); $_session["user_session"]=$user; echo "<pre>"; print_r($_session); echo '</pre>'; } } else { echo "invalid username or password!"; //does not echo } } ?>
there few things wrong code.
one of conditional statement
if(isset($_post["submit"])){...}
your submit button not bear name attribute
<input type="submit" value="submit"/>
modify read as
<input type="submit" name="submit" value="submit"/>
then while($$row
remove 1 of $
and mysql_fetch_asoc
has typo, should read mysql_fetch_assoc
while($row=mysql_fetch_assoc($query))
plus, posted code seems missing closing </form>
tag.
you should check
action
, make sure indeed right url php.you should space out
and
inusername='".$username."'and
may cause issueusername='".$username."' and
, just in case.
then have line:
if($user == $dbusername && $pass == $dbpassword)
$user
, $pass
@ point undefined, may have wanted use $username
, $password
respectively.
add error reporting top of file(s) find errors.
<?php error_reporting(e_all); ini_set('display_errors', 1); // rest of code
sidenote: error reporting should done in staging, , never production.
- also add
or die(mysql_error())
mysql_query()
.
footnotes:
i noticed may storing passwords in plain text. if case, highly discouraged.
i recommend use crypt_blowfish or php 5.5's password_hash()
function. php < 5.5 use password_hash() compatibility pack
.
your present code open sql injection. use mysqli
prepared statements, or pdo prepared statements. password storage, use crypt_blowfish or php 5.5's password_hash()
function. php < 5.5 use password_hash() compatibility pack
.
- ircmaxell posted answer yesterday using
password_hash()
,password_verify()
- have look: https://stackoverflow.com/a/29778421/
Comments
Post a Comment