2

Statement

I would like to do a simple login validation where the condition is the username and password match to a table in MySQL server called admin

What I have tried so far

From the following code, there are undefined indexes in login_check.php

$uname = mysqli_real_escape_string($conn,$_POST['username'] );

and $pass = mysqli_real_escape_string($conn,$_POST['password'] );

login.php (front.php = main page)

<form method="post" action="login_check.php">
        <input type="text" name="username" placeholder="Username" required>
        <span class="error"><?php echo $uname_error; ?></span>
        <input type="password" name="password" placeholder="Password" required>
        <span class="error"><?php echo $pass_error; ?></span>
        <button type="submit" name="Log In" value="Log In">Log In</button> <!--Go to front.php if both username and password are correct.-->
</form>

login_check.php

<?php

    //Establish connection
    include 'connection.php';

    $uname_error = $pass_error ="";

    $uname = mysqli_real_escape_string($conn,$_POST['username'] );
    $pass = mysqli_real_escape_string($conn,$_POST['password'] );
    $sql = "SELECT admin_username,admin_password FROM admins";

    if(isset($_POST['Log In']))
    {
         //Check Username
         if($uname == "username")
         {
                   //Check Password
                   if($pass == "password")
                   {
                   header("location:front.php"); //If username & password are correct -> log in to front.php.
                   }
                   else //$pass != "password"
                   {
                       $pass_error = "Invalid Password.";
                   }
         }
         else //$uname != "username"
         {
              $uname_error = "Invalid Username.";
         }
    }
    mysqli_close($conn);
?>

EDIT 1 : login.php has been fixed.

Improve this question
7
  • 1
    your form is posting to front.php, not login_check.php you include login_check.php before the form has been posted so those values wont be set. you need to reaccesses the structure here Commented Apr 18, 2019 at 4:27
  • 4
    ^ dont do that or what you have, never store plain text passwords Commented Apr 18, 2019 at 4:30
  • check this stackoverflow.com/a/55240307/5463213 Commented Apr 18, 2019 at 4:55
  • password with php php.net/manual/de/function.password-hash.php Commented Apr 18, 2019 at 4:57
  • It is just a simple one. So I would like to make able to work first before go for password hashing. Commented Apr 18, 2019 at 5:06

4 Answers 4

Reset to default
1

Your form's action is front.php and the validation code lies in log_check.php.

The validation code will not execute because, after submit, the form will redirect to front.php.

You can (redirect) set form's action login_check.php and the validations will apply.

Also, redirection will work smoothly.

So, concluding 2 changes:

1) Remove/comment <?php require 'login_check.php'; ?>

2) Change form action From

<form method="post" action="front.php">

To

<form method="post" action="login_check.php">

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I have already fixed login.php but I think that there are could be some syntax errors in the if-else conditions or MySQL statement in login_check.php
1

First, you should store the password as Hash, not in plain text.

I also recommend to use PDO and prepared statments, but this is up to you.

// File: login_check.php

//Establish connection
// include 'connection.php'; 
// PDO Connection String
$pdo = new PDO('mysql:host=localhost;dbname=test', 'username', 'password');

$uname_error = $pass_error ="";    

if(isset($_POST['Log In']))
{
    // Prepares the SQL Statment
    $query = $pdo->prepare('SELECT admin_username, admin_password FROM admins WHERE admin_username = :username');
    // Fils the named parameter with the username and executes the query
    $stmt = $query->execute(['username' => $_POST['username']]);
    // Fetches the result
    $result = $stmt->fetch();

    // Check if the DB has a entry with this username and check if the password matches with the Password Hash
    if($result !== false && password_verify($_POST['password'], $result['admin_password']))
    {
        header("location:front.php"); //If username & password are correct -> log in to front.php.
    else
    {
        $pass_error = "Invalid Username or Password.";
    }
}

Create a Hashed password in PHP

<?php
// Create Password with php default Hashing Algo (bcrypt)
$password = password_hash('password', PASSWORD_DEFAULT);

?>
Improve this answer

Comments

0

In your HTML - 

<?php require 'login_check.php'; ?>
<form method="post" action="front.php">
        <input type="text" name="username" value="username" placeholder="Username" style="font-size: 24px" required>
        <span class="error"><?= $uname_error ?></span>
        <input type="password" name="password" value="password" placeholder="Password" style="font-size: 24px" required>
        <span class="error"><?= $pass_error ?></span>
        <button type="submit" name="Log In" value="Log In">Log In</button> <!--Go to front.php if both username and password are correct.-->
</form>

form action is front.php which should be login_check.php also there is no use of <?php require 'login_check.php'; ?> so you can remove that. you coded very basic login code I think at least you should encrypt the password also, improve your login query.

$error = '';
$result = mysqli_query($conn,"SELECT id, admin_password FROM admins WHERE admin_username = '$uname'");
list($id,$password) = mysqli_fetch_row($result);
if(mysqli_num_rows($result)==1){
    if($password == $pass){
        session_start();
        $_SESSION['userid'] = $id;
        $_SESSION['username'] = $uname;
        header("location:front.php");
    }else{
        $error = "Invalid Password.";
    }
}else{
    $error = "username does not exist";
}
Improve this answer

Comments

-1

If you wanted to check username and password with database, you've never did it. your sql query has never been executed. Although storing plain text password is wrong; but in case of using that, your login_check.php must be something like this:

//Establish connection
include 'connection.php';

$uname_error = $pass_error ="";

$uname = mysqli_real_escape_string($conn,$_POST['username'] );
$pass = mysqli_real_escape_string($conn,$_POST['password'] );
$sql = "SELECT * FROM admins WHERE admin_username = '$uname' AND admin_password = '$pass'";

$result = $conn->query($sql);
if ($result->num_rows > 0) {
    header("location:front.php");
} else {
    die('the combination is wrong');
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.