CODEWITHSUNDEEP
phpauthenticationpasswords
user1325308
user1325308

Reputation: 67

Log in returns blank for incorrect password?

I have been using a tutorial for a registration and log in page. Everything is perfect except when a user inputs an incorrect password.

If no password is entered then the stated error is displayed fine.

If the correct password is entered it logs them in.

If the incorrect password is entered it goes to a blank page?!

I want an incorrect password to display a message just like when the wrong username is entered. I've included my entire login.php code:

include('db.php');

if(!isset($_POST['login'])) {
    include('form.php');
} else {

    if(isset($_POST['user'])&&$_POST['user']==""||!isset($_POST['user'])) {
        $error[] = "Username Field can't be left blank";
        $usererror = "1";
    }

    if(!isset($usererror)) {
        $user = mysql_real_escape_string($_POST['user']);
        $sql = "SELECT * FROM users WHERE user = '$user'";
        if(mysql_num_rows(mysql_query($sql))=="0") {
            $error[] = "Can't find a user with this username";
        }
    }

    if(isset($_POST['pass'])&&$_POST['pass']==""||!isset($_POST['pass'])) {
        $error[] = "password Field can't be left blank";
    }

    if(isset($error)) {
        if(is_array($error)) {
            echo "<div class=\"error\"><span>please check the errors and refill the form<span><br/>";
            foreach ($error as $ers) {
                echo "<span>".$ers."</span><br/>";
            }
            echo "</div>";
            include('form.php');
        }
    }

    if(!isset($error)) {
        $suser=mysql_real_escape_string($_POST['user']);
        $spass=md5($_POST['pass']);//for secure passwords
        $find = "SELECT * FROM users WHERE user = '$suser' AND password = '$spass'";
        if(mysql_num_rows(mysql_query($find))=="1"or die(mysql_error())) {
            session_start();
            $_SESSION['username'] = $suser;
            header("Location: loggedin.php");
        } else {
            echo "<div class=\"warning\"><span>Some Error occured durring processing your data</div>";
        }
    }
}

Upvotes: 1

Views: 1429

Answers (2)

Antony
Antony

Reputation: 15104

if(mysql_num_rows(mysql_query($find))=="1"or die(mysql_error())){

If wrong password is entered, mysql_num_rows(mysql_query($find)) is 0 so it results in die(mysql_error()). But since there is no mysql_error(), you see a blank page.

Try this

$result = mysql_query($find) or die(mysql_error());
if (mysql_num_rows($result) == 1) {
    // proceed
} else {
    // authentication failed
}

EDIT: This is just for illustration purpose only. Use MySQLi or PDO when dealing with MySQL.

Upvotes: 2

user1995997
user1995997

Reputation: 591

The code is little bit confusing for me, consider using this code.

<?php

include('db.php');
if(isset($_POST['login'])) {
     $username = mysql_real_escape_string($_POST['user']);
     $password = md5($_POST['pass']);

     if(empty($username) || empty($password)) {
          echo "Empty username or password.";
     } else {
          mysql_query("SELECT * FROM `users` WHERE `user` = '$user' AND `password.md5` = '$password'");
          if(mysql_num_rows() == 1) {
               // login successfull 
               session_start();
               $_SESSION['username'] = $username;
               header("Location: loggedin.php");
          } else {
               echo "Invalid username or password.";
          }
     }
} else {
     include  ('form.php');
}

?>

Upvotes: 0

Related Questions