Foda

Reputation: 58

I have the same error message when I put any error in the file

When I submit this form I get the same error message all the time, even if I put in the right or wrong password, don't put in a password, or write the name of the database wrong. In all of these cases I get the same error message: Please enter a username and password. So what is the problem? I am sure about my fields in the database.

    <?

    session_start();
    $username = $_POST['username'];
    $password = $_POST['password'];


    if ($username && $password)
    {

        $connect = mysql_connect("localhsost","root","adminffpass") or die("Couldent connet to database ");
        mysql_select_db("login") or die("No data base found ");

        $query = mysql_query("SELECT * FROM users WHERE username='$username'");

        $numrows = mysql_num_rows($query);

        if ($numrows !=0)
        {

            while ($row= mysql_fetch_array($query)) 
            {

                $dbusername = $row['username'];
                $dbpassword = $row['password'];

            }

            if ($username == $dbusername && $password==$dbpassword)
            {
                echo "Login successul .<a href='memeberarea.php'>Click to enter member area</a>";
                $_SESSION['username'] = $dbusername;
            }
            else
                echo "incorrect  password  ";

        }
        else
           die ("That user name dosent exist");

   }
   else
     die ("Please enter a username and password");


    ?>

Upvotes: 1

Views: 88

Answers (2)

Funk Forty Niner

Reputation: 74220

"Even if I put right or wrong password or don't put password or I write the name of the database wrong. All of these wrongs I have the same error message"

Typo: localhsost for one thing. Plus, you may not be able to use mysql_ functions, since they are deprecated and may not be available for you to use.

Plus, your POST arrays may be failing, so make sure your form is a POST method and that your elements bear the name attribute.

I.e.:

    <input type="text" name="username">

etc.

"If I write wrong name database I don't have any error. Why?"

Because, you're just using or die("Couldent connet to database ") instead of getting the real error mysql_error()

mysql_connect() => http://php.net/manual/en/function.mysql-connect.php

    <?php
    $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    echo 'Connected successfully';
    mysql_close($link);
    ?>

Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements.

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.


Add error reporting to the top of your file(s) which will help find errors.

    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    // rest of your code

Sidenote: Error reporting should only be done in staging, and never production.


Plus, instead of if ($username && $password) you should be using a conditional !empty() for your inputs.


It is also best to use proper and consistent bracing throughout your code.

    else{
        echo "incorrect  password  ";
    }

etc.

  • Not doing so could have adverse effects.

Storing a password hash

Using PDO with prepared statements and password_hash():

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

    $dbh = new PDO(...);

    $username = $_POST["username"];
    $email = $_POST["email"];
    $password = $_POST["password"];
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
    $stmt->execute([$username, $email, $hash]);

And on login:

    $sql = "SELECT * FROM users WHERE username = ?";
    $stmt = $dbh->prepare($sql);
    // execute() returns a bool, so the rows are fetched from the statement itself
    $stmt->execute([$_POST['username']]);
    // FETCH_OBJ so that ->password works on each row
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);
    if (isset($users[0])) {
        if (password_verify($_POST['password'], $users[0]->password)) {
            // valid login
        } else {
            // invalid password
        }
    } else {
        // invalid username
    }

Upvotes: 3
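
An added example (not part of the answer above or of the asker's code) that combines the answer's points into one runnable check: !empty() input validation, a PDO prepared statement, password_verify(), and PDO exceptions in place of a bare die(). It assumes pdo_sqlite is available and uses an in-memory table with a constructed account named alice; makeDb() and login() are hypothetical names.

```php
<?php
// Assumptions: pdo_sqlite is installed; the in-memory table and the
// account "alice" are constructed sample data, not from the question.

function makeDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    // Throw on failure so the real error is visible instead of a generic die().
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
    $stmt = $dbh->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    // Only the hash is stored, never the plain-text password.
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $dbh;
}

function login(PDO $dbh, array $post): string
{
    $u = $post['username'] ?? '';
    $p = $post['password'] ?? '';
    // A form field without a name= attribute never reaches $_POST and lands here.
    // is_string() rejects array input such as password[]=x.
    if (empty($u) || empty($p) || !is_string($u) || !is_string($p)) {
        return 'Please enter a username and password';
    }
    // The username is bound as data; it never becomes part of the SQL text.
    $stmt = $dbh->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$u]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // Same reply for an unknown user and a wrong password, so the response
    // does not reveal which usernames exist.
    if ($hash === false || !password_verify($p, $hash)) {
        return 'Incorrect username or password';
    }
    return 'Login successful';
}

$dbh = makeDb();
$cases = [   // constructed inputs standing in for $_POST
    ['username' => 'alice', 'password' => 'correct horse'],
    ['username' => 'alice', 'password' => 'wrong'],
    ['username' => "alice' OR '1'='1", 'password' => 'x'],
    [],
];
foreach ($cases as $post) {
    echo json_encode($post), ' => ', login($dbh, $post), PHP_EOL;
}
```

The third case is the kind of input that changes the meaning of the question's concatenated query; with the bound parameter it is just a username that matches no row.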

ern0

Reputation: 3172

You may print some information for yourself, so you can see what's wrong. Change the following line:

    echo "incorrect  password  ";

to something like this:

    echo "incorrect  password, u:[$username/$dbusername] p:[$password/$dbpassword]";

If you see that detailed message, you will know what's wrong.

EDIT: of course, don't leave pwd printing in your final code :)

Upvotes: 0
