username and password validation in php mysql

Question

What I want to be able to do is: When a user enters their username and password in the form on the index.html page, if they match what is in the DB, then they get sent to the next page; userlogin.php. If their username or password is incorrect then they are asked to re-enter their details on the index.html page, and displaying an error like, "Your username is Incorrect" or "Your password is Incorrect" above the form text box. I can paste this code if required.

Can I change this text font color as well, to red for example?

This is the code I currently have for the userlogin.php page

<?php
mysql_connect("Server", "root", "Gen") or die("Couldn't select database.");
mysql_select_db("generator") or die("Couldn't select database.");

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password' ";
$result = mysql_query($sql) or die(mysql_error());
$numrows = mysql_num_rows($result);
if($numrows > 0)
   {
    echo 'Your in';
   }
else
   {
    echo 'Your not in';
   }
   ?>

Answer 1

There as sooo many things wrong with this code:

1- you have an SQL injection hole.

If I enter ' or 1=1 LIMIT 1 -- as a username, I will always get access, no matter what.
Change your code into.

$username = mysql_real_escape_string($_POST['username']); 
$password = mysql_real_escape_string($_POST['password']); 

See: How does the SQL injection from the "Bobby Tables" XKCD comic work?

2- you are storing the password in the clear
This is a huge no no. Combined with the SQL-injection hole, it will take a hacker 5 minutes to get a list of all usernames and passwords on your site.

Store the password as a salted hash.

I like to use the username as the salt.

You store the password hash using:

INSERT INTO users (username, passhash) 
VALUES ('$username', SHA2(CONCAT('$password','$username'),512))

And you test the user credentials using:

SELECT * FROM users 
WHERE username = '$username' AND 
passhash = SHA2(CONCAT('$password','$username'),512)

See: Secure hash and salt for PHP passwords
And: What is "salt" when relating to MYSQL sha1?

BTW, use SHA2 with a 512 keylength, SHA1 is no longer secure, and MD5 is even more broken.

3- A login can only ever match against 1 user
This code:

if($numrows > 0) 

Makes no sense, if you get 2 rows out of the database, that's a clear sign someone has hacked your system. The test should be:

if($numrows > 1) { //send email to sysadmin that my site has been hacked }
else if ($numrows = 0) { echo "wrong username or password" }
else { echo "welcome dr. Falken" }

4- Don't die if there's an error, call a routine to restart the connection or something

This code:

$result = mysql_query($sql) or die(mysql_error());    

Is fine in testing, but in production you should do something like

$result = mysql_query($sql);
if ($result) {
  //do the deed
} else {
  //call error recovery routine
}

The error recovery routine should reconnect to the server, log a error in the logbook. Is the error cannot be fixed, it should send an email to the sysadmin and only then die the server.

Answer 2

First of all, your code is vulnerable to SQL injection. Use PDO and prepared statements to fix this. Second of all, you're appearantly storing usernames unencrypted. This is very unsafe. Use a hashing function to encrypt the passwords, and encrypt the submitted password before running the query to get a match. Coloring the output is simple:

echo '<span style="color:red">Your not in</span>';

And use sessions to actually log the user in. After successfully querying the user table for the username/password combination, store the returned user_id in the $_SESSION variable. On each page that needs to be secured, just check for the existence of $_SESSION['user_id']; if it isn't there, your user needs to login so redirect him to the login form.

That should about do the trick for ya ;)