1

I have a login form with username and password. If I enter a wrong username or password, it shows a blank page and does not display any error messages. It just shows website.com/Admin/# in the URL. Here is the code which I have written:

<form action="#" method="post" role="form" enctype="multipart/form-data">
    <?php if ( $msg != '' ) { ?>
        <div class="alert alert-success">
            <?php echo $msg; ?>
        </div>
    <?php } ?>
    <div class="form-group col-md-12 col-sm-12 col-xs-12">
        <div class="field-label">Email</div>
        <input type="text" placeholder="User Name" id="username" name="user_name" required>
    </div>
    <div class="form-group col-md-12 col-sm-12 col-xs-12">
        <div class="field-label">Password</div>
        <input type="password" placeholder="Password" id="password" name="password" required>
    </div>
    <div class="form-group col-md-12 col-sm-12 col-xs-12">
        <div class="button-box">
            <input type="submit" name="submit_login" value="Sign In" class="theme-btn btn-style-one">
        </div>
    </div>
</form>

PHP Code:

<?php
session_start();
include 'db.php';
if ( isset( $_POST['submit_login'] ) ) {
    if ( !empty( $_POST['user_name'] ) && !empty( $_POST['password'] ) ) {
        $get_user_name = mysqli_real_escape_string( $conn, $_POST['user_name'] );
        $get_password = mysqli_real_escape_string( $conn, $_POST['password'] );
        // Encrypting the password from text//
        $get_password = md5( $get_password );
        $sql = "SELECT * FROM users WHERE username = '$get_user_name' AND user_password = '$get_password'";
        if ( $result = mysqli_query( $conn, $sql ) ) {
            while ( $rows = mysqli_fetch_assoc( $result ) ) {
                if ( mysqli_num_rows( $result ) == 1 ) {
                    $_SESSION['user'] = $get_user_name;
                    $_SESSION['password'] = $get_password;
                    $_SESSION['user_role'] = $rows['user_role'];
                    if ( $_SESSION['user_role'] === 'admin' ) {
                        header( 'Location:property-list.php' );
                    }
                } else {
                    $msg = 'User name or Password was Wrong!';
                    $msgclass = 'bg-danger';
                }
            }
        } else {
            $msg = 'There is somekind of Database Issue!';
            $msgclass = 'bg-danger';
        }
    } else {
        $msg = 'User name or Password was empty!';
        $msgclass = 'bg-danger';
    }
} else {
}
?>

If I give the correct username and password it works fine; there was no issue with that. The only problem is that if I enter a wrong username or password, or submit directly without giving any data, it does not display the message.

3
  • You are not 'echo'ing your message. Commented Jul 25, 2019 at 11:11
  • @jeff I am passing the variable message in my form, right? Commented Jul 25, 2019 at 11:12
  • It all depends upon where your PHP code is. If it is before the HTML then it will display. If it is after the HTML then the message won't be displayed. (Oh, I missed where you were echoing the message in the HTML code - sorry about that.) Commented Jul 25, 2019 at 11:16

5 Answers

1

You need to echo the $msg all the time: remove the if in the form, then declare msg and msgclass before the submit action, then just echo.

<?php
    session_start();
    include 'db.php';

    $msg = "";      // declare message
    $msgclass = ""; // class

    if (isset($_POST['submit_login'])) {
        if (!empty($_POST['user_name']) && !empty($_POST['password'])) {
            $get_user_name = mysqli_real_escape_string($conn, $_POST['user_name']);
            $get_password = mysqli_real_escape_string($conn, $_POST['password']);
            // Encrypting the password from text//
            $get_password = md5($get_password);
            $sql = "SELECT * FROM users WHERE username = '$get_user_name' AND user_password = '$get_password'";
            if ($result = mysqli_query($conn, $sql)) {
                // Check the row count before fetching: inside a while-fetch loop the
                // else branch never runs when the query returns zero rows.
                if (mysqli_num_rows($result) == 1) {
                    $rows = mysqli_fetch_assoc($result);
                    $_SESSION['user'] = $get_user_name;
                    $_SESSION['password'] = $get_password;
                    $_SESSION['user_role'] = $rows['user_role'];
                    if ($_SESSION['user_role'] === 'admin') {
                        header('Location:property-list.php');
                        exit; // stop so the form below is not rendered after the redirect
                    }
                } else {
                    $msg = 'User name or Password was Wrong!';
                    $msgclass = 'bg-danger';
                }
            } else {
                $msg = 'There is somekind of Database Issue!';
                $msgclass = 'bg-danger';
            }
        } else {
            $msg = 'User name or Password was empty!';
            $msgclass = 'bg-danger';
        }
    }
?>

Then

<form action="#" method="post"  role="form" enctype="multipart/form-data">
    <div class="alert <?php echo $msgclass;?>">
        <?php echo $msg;?>
    </div>            
    <div class="form-group col-md-12 col-sm-12 col-xs-12">
        <div class="field-label">Email</div>
        <input type="text"  placeholder="User Name" id="username" name="user_name" required>
    </div>
    <div class="form-group col-md-12 col-sm-12 col-xs-12">
        <div class="field-label">Password</div>
        <input type="password" placeholder="Password" id="password" name="password" required>
    </div>
    <div class="form-group col-md-12 col-sm-12 col-xs-12">
        <div class="button-box">
            <input type="submit" name="submit_login" value="Sign In" class="theme-btn btn-style-one">
        </div>
    </div>
</form>

NB: You should use prepared statements to prevent SQL injections. Never use md5() as a means of password encryption; rather use password_hash() and password_verify().


1

First you need to target your php file in the action attribute of your form

action="/path/tofile.php"

Most user friendly validation is done with javascript, so the page doesn't have to reload, but if you really want to use PHP, one way to do it is with sessions.

You can add the $msg and $msgclass to the session variable:

$_SESSION['response'] = ['message' => $msg, 'class' => $msgclass];

After that use header function to redirect back to your html:

header('Location: /pathtoformfile');
exit;

Note: be careful not to echo or print anything in the script before header.

Finally, in the form file do this:

// add this at THE TOP of the file
session_start();

// check session variable
if(!empty($_SESSION['response'])) {
   // display the message
   echo $_SESSION['response']['message'];
}


1

Redirect to your login page again. Suppose, LoginForm.php

Updated code:

<?php session_start();
include 'db.php';
if(isset($_POST['submit_login']))
{
    if(!empty($_POST['user_name']) && !empty($_POST['password']))
    {
        $get_user_name = mysqli_real_escape_string($conn,$_POST['user_name']);
        $get_password = mysqli_real_escape_string($conn,$_POST['password']);
       // Encrypting the password from text//
       $get_password=md5($get_password);
        $sql = "SELECT * FROM users WHERE username = '$get_user_name' AND user_password = '$get_password'" ;
        if($result = mysqli_query($conn,$sql))
        {
            while($rows = mysqli_fetch_assoc($result))
            {
                if(mysqli_num_rows($result) == 1)
                {
                    $_SESSION['user'] = $get_user_name;
                    $_SESSION['password'] = $get_password;
                    $_SESSION['user_role'] = $rows['user_role'];
                    if($_SESSION['user_role'] === 'admin')
                    {
                        header('Location:property-list.php');
                        exit; // without this, the later Location header replaces this redirect
                    }
                }
                else{
                    $msg = 'User name or Password was Wrong!';
                    $msgclass='bg-danger';
                }
            }
        }
        else {
            $msg = 'There is somekind of Database Issue!';
            $msgclass='bg-danger';
        }
    } else {
    $msg = 'User name or Password was empty!';
            $msgclass='bg-danger';
    }
    header("Location:Login.php");
}
?>

1 Comment

I am adding the PHP code and HTML code in the same page, then why do we need to add location and all? The problem is it is not displaying the message, right?

1

If the user enters a wrong password or blank one you are not redirecting it to anywhere.

See updated code.

<?php session_start();
include 'db.php';
if(isset($_POST['submit_login'])){
    if(!empty($_POST['user_name']) && !empty($_POST['password'])){
        $get_user_name = mysqli_real_escape_string($conn,$_POST['user_name']);
        $get_password = mysqli_real_escape_string($conn,$_POST['password']);
       // Encrypting the password from text//
       $get_password=md5($get_password);
        $sql = "SELECT * FROM users WHERE username = '$get_user_name' AND user_password = '$get_password'" ;
   if($result = mysqli_query($conn,$sql)){
    while($rows = mysqli_fetch_assoc($result)){
        if(mysqli_num_rows($result) == 1){
            $_SESSION['user'] = $get_user_name;
            $_SESSION['password'] = $get_password;
            $_SESSION['user_role'] = $rows['user_role'];
            if($_SESSION['user_role'] === 'admin'){
                // redirect to members area or login area
                header('Location:property-list.php');
                exit();
            }
            }
         else{
             $msg = 'User name or Password was Wrong!';
             $msgclass='bg-danger';
             }
             }
              }
        else {
            $msg = 'There is somekind of Database Issue!';
             $msgclass='bg-danger';
        }
    } else {
    $msg = 'User name or Password was empty!';
             $msgclass='bg-danger';
    }
}else {
}
// redirect to error page or login page..
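// "Location" is the redirect header; PHP variable names are case-sensitive ($msgclass)
header('Location: error.php?msg=' . urlencode($msg ?? '') . '&c=' . urlencode($msgclass ?? ''));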
exit();
?>

Some developers pass the variables with GET; others set a session and read the session. It is your choice. I prefer sessions, but if you use GET or POST please always sanitize the user input.

On the query you should update your code to use prepared statements to eliminate possibilities of SQL injection.

On the password, you are using MD5. If you are going to use it or another hashing protocol, you should salt it so your passwords are stronger in case your SQL is exposed and the hashes are obtained.

$salt = "s0meRand0mStr1ng..Long..difficult...etc."; // must be longer than 20 chars at least.
$get_password=md5($get_password . $salt);

1 Comment

<form action="#" method="post" shows that the form is processed in the same page, so there is no need to redirect to another page; you could just display the error within the page.
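
The prepared-statement and password_hash()/password_verify() advice from the answers above, as an added example (not code from the question or any answer); it also fetches a single row instead of looping, so a login that matches zero rows reaches the error branch. Assumptions: db.php defines $conn as a mysqli connection, users.user_password stores password_hash() output, and every authenticated role is redirected (the question redirects only 'admin').

```php
<?php
// Added example, not code from the question or any answer on this page.
// Assumptions: db.php defines $conn (mysqli); users.user_password holds
// password_hash() output; table and column names follow the question.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw instead of failing silently
require 'db.php';

$msg = '';
$msgclass = '';

/** Returns the user's role on success, null when the credentials do not match. */
function check_login(mysqli $conn, string $username, string $password): ?string
{
    // The ? placeholder keeps user input out of the SQL text.
    $stmt = $conn->prepare('SELECT user_password, user_role FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash, $role);
    $found = $stmt->fetch(); // true: one row bound, null: no such user
    $stmt->close();

    // Zero rows and a wrong password take the same path, so the caller
    // always gets a definite answer and can set the error message.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return $role;
}

if (isset($_POST['submit_login'])) {
    $username = trim($_POST['user_name'] ?? '');
    $password = $_POST['password'] ?? '';

    if ($username === '' || $password === '') {
        $msg = 'User name or Password was empty!';
        $msgclass = 'bg-danger';
    } elseif (($role = check_login($conn, $username, $password)) === null) {
        $msg = 'User name or Password was Wrong!';
        $msgclass = 'bg-danger';
    } else {
        session_regenerate_id(true);   // fresh session ID after login
        $_SESSION['user'] = $username; // no password or hash in the session
        $_SESSION['user_role'] = $role;
        header('Location: property-list.php');
        exit;                          // stop before any form HTML is sent
    }
}
?>
```

password_hash() generates and embeds a per-password salt, so no separate salt string is needed. The form's `<?php echo $msg; ?>` can stay as it is because $msg is always defined.
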
0

This worked fine for me

<?php session_start();
include 'db.php';

if(isset($_POST['submit_login'])){
    if(!empty($_POST['user_name']) && !empty($_POST['password'])){
        $get_user_name = mysqli_real_escape_string($conn,$_POST['user_name']);
        $get_password = mysqli_real_escape_string($conn,$_POST['password']);
        // Encrypting the password from text//
        $get_password=md5($get_password);
        $sql = "SELECT * FROM users WHERE username = '$get_user_name' AND user_password = '$get_password' limit 0,1" ;
        $result = mysqli_query($conn,$sql);
        $row = mysqli_fetch_assoc($result);
        if(mysqli_num_rows($result) == 1){
            $_SESSION['user'] = $get_user_name;
            $_SESSION['password'] = $get_password;
             $_SESSION['user_role'] = $row ['role'];
            if($_SESSION['user_role'] === 'admin'){
                header('Location:property-list.php');
                exit;
            }

         }
         else{
            header('Location:index.php?msg=1');
            exit;
         }
    } else {
            header('Location:index.php?msg=2'); // must match the msg==2 check below
            exit;
    }
}

if(isset($_GET['msg']) && !empty($_GET['msg'])){
    if($_GET['msg']==1){
        $msg = 'User name or Password was Wrong!';
        $msgclass='bg-danger';
    }else if($_GET['msg']==2){
        $msg = 'User name or Password was empty!';
        $msgclass='bg-danger';
    }

}
?>
