1

Hello, I'm currently working on a login system, but I'm kind of stuck at the point where the PHP should check and say where the forms aren't filled in or that the entered value is not correct. It shows "De gebruikersnaam is niet ingevuld!", but it's not validating whether the user exists in the database.

<?php
if(($_SESSION['sessieinlog']) && ($_SESSION['sessiewachtwoord']))
{
    header ("Location: overzicht.php");
}
elseif(($_POST['gebruikersnaam']) && ($_POST['wachtwoord']))
{
    $username = mysql_real_escape_string($_POST['gebruikersnaam']);
    $password = md5(mysql_real_escape_string($_POST['wachtwoord']));
    $checklogin = mysql_query("SELECT * FROM gebruikers WHERE gebruikersnaam = '".$username."' AND wachtwoord = '".$password."'");
    if(mysql_num_rows($checklogin) == 1)
    {
        $row = mysql_fetch_array($checklogin);
        $_SESSION['sessieinlog'] = $username;
        $_SESSION['sessiewachtwoord'] = 1;
        header ("Location: overzicht.php");
    }
    elseif(mysql_num_rows($checklogin) == 0)
    {
        // Username
        if (empty($username))
        {
            print '<p class="form-error">De gebruikersnaam is niet ingevuld!</p>';
        }
        elseif ($checklogin->gebruikersnaam !== $username)
        {
            print '<p class="form-error">De gebruikersnaam is niet bekend!</p>';
        }
        else
        {
            $gebruikersnaamakkoord = true;
        }
        // Password
        if ($gebruikersnaamakkoord == true)
        {
            if (empty($inwachtwoord))
            {
                print '<p class="form-error">Het wachtwoord is niet ingevuld!</p>';
            }
            elseif ($checklogin->wachtwoord !== $password)
            {
                print '<p class="form-error">Het wachtwoord is niet correct!</p>';
            }
        }
    }
}
else
{
}
?>

Thanks to anybody who will help this beginner. I'm totally new to PHP and would appreciate any kind of help!

plain jane
Dylan Smit
  • Just a side note: you're using the deprecated `mysql` functions, I'd recommend using `mysqli` or `PDO`. – Luke Oct 07 '13 at 11:30
  • Thanks, I already noticed that, but since I'm totally new to this I thought it would be easier to use the old functions because there's more to find about them. – Dylan Smit Oct 07 '13 at 11:35
  • Tip: 1. Use `if(isset($_SESSION['uwVariable']))` to check if the session exists. 2. Don't use MD5. Use AT LEAST Sha1+Salt. Or if you want to do it totally correct use Bcrypt. http://stackoverflow.com/a/17073604/1063823 – Duikboot Oct 07 '13 at 11:36
  • Thanks Duikboot for your input. I will keep that in mind. Right now I'm fine with md5 since it's just a project for practice. – Dylan Smit Oct 07 '13 at 11:43
  • @DylanSmit: You're still _learning_, I take it... then why not learn the current, as in _non-deprecated_ extensions? Sure, PDO and (especially) `mysqli_*` aren't as easy to master, but you're going to _have_ to put in the effort eventually. Don't waste your time learning what is deprecated... there's plenty of documentation on PDO and mysqli_* readily available... and _please_ don't use `md5`... ok, it's not going to be used in a production env, but calling `hash('sha256', $someData.$someSalt);` isn't any harder, is it? – Elias Van Ootegem Oct 07 '13 at 11:46
  • I'll agree with you totally Elias, but I already have a hard time with learning PHP/MySQL, I'd rather understand it first this way to make it not too hard for myself. I'll try later to learn PDO and mysqli. But right now that's not really my priority. – Dylan Smit Oct 07 '13 at 12:22

5 Answers

0

I'm not sure what you're checking for on this line, you're comparing your query (but not any values) against the posted username:

elseif  ($checklogin->gebruikersnaam !== $username)

`$checklogin` won't contain a value `gebruikersnaam`, I don't think; this is your query result variable.

Luke
0

Try this...

if (empty($username))
{
    print '<p class="form-error">De gebruikersnaam is niet ingevuld!</p>';
}
elseif ($checklogin->gebruikersnaam !== $username)
{
    print '<p class="form-error">De gebruikersnaam is niet bekend!</p>';
}
else
{
    echo mysql_error(); // $gebruikersnaamakkoord = true;
}

I think this could help.

0

Try this code.
I just changed mysql_num_rows to mysql_affected_rows, try this:

if(mysql_affected_rows())
{
    $row = mysql_fetch_array($checklogin);

    $_SESSION['sessieinlog'] = $username;
    $_SESSION['sessiewachtwoord'] = 1;

    header ("Location: overzicht.php");
}
else
{
    // Username
    if (empty($username))
    {
        print '<p class="form-error">De gebruikersnaam is niet ingevuld!</p>';
    }
    elseif ($checklogin->gebruikersnaam !== $username)
    {
        print '<p class="form-error">De gebruikersnaam is niet bekend!</p>';
    }
    else
    {
        $gebruikersnaamakkoord = true;
    }

    // Password
    if ($gebruikersnaamakkoord == true)
    {
        if (empty($inwachtwoord))
        {
            print '<p class="form-error">Het wachtwoord is niet ingevuld!</p>';
        }
        elseif ($checklogin->wachtwoord !== $password)
        {
            print '<p class="form-error">Het wachtwoord is niet correct!</p>';
        }
    }
}
rohitr
0

Checking if a username & password are entered is something you should do with JavaScript (or jQuery).

To check if the entered values are correct, you must connect to your database.

There are different ways to do this. You could fetch all user data where gebruikersnaam='username' and check for the password manually, but that's just bad practice.

You could launch 2 queries, 1 select only on username, 1 that selects on username and password.

But the third has my preference: just check both username and password at the same time. If you can't find any results, tell the user that "either username or password is incorrect". But do not specify what, so a script can't start guessing passwords for a specific user.
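
The single generic failure message this answer prefers, combined with the PDO and bcrypt suggestions from the comments on the question, as an added example that is not part of any post on this page. It assumes the `gebruikers` table from the question; the in-memory SQLite database, the sample user, the English messages and the `checkLogin` helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed setup: in-memory SQLite stands in for the MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gebruikers (gebruikersnaam TEXT PRIMARY KEY, wachtwoord TEXT NOT NULL)');
// password_hash() salts automatically; PASSWORD_DEFAULT is currently bcrypt.
$pdo->prepare('INSERT INTO gebruikers (gebruikersnaam, wachtwoord) VALUES (?, ?)')
    ->execute(['dylan', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Verified against when the user does not exist, so both failure paths cost one hash check.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

/** Hypothetical helper: returns null on success, otherwise the message to show. */
function checkLogin(PDO $pdo, string $dummyHash, string $username, string $password): ?string
{
    if ($username === '' || $password === '') {
        return 'Please fill in both username and password.';
    }
    // Bound parameter: user input is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT wachtwoord FROM gebruikers WHERE gebruikersnaam = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    $ok = password_verify($password, $hash === false ? $dummyHash : $hash);
    if ($hash === false || !$ok) {
        // Same message for an unknown user and for a wrong password.
        return 'Username or password is incorrect.';
    }
    // In a web request: session_regenerate_id(true); set $_SESSION['sessieinlog'];
    // header('Location: overzicht.php'); exit;
    return null;
}

// Constructed test inputs: valid login, wrong password, unknown user, empty form.
$cases = [['dylan', 'correct horse'], ['dylan', 'wrong'], ['nobody', 'wrong'], ['', '']];
foreach ($cases as [$user, $pass]) {
    printf("%-8s => %s\n", var_export($user, true), checkLogin($pdo, $dummyHash, $user, $pass) ?? 'OK');
}
```

The second and third cases return the identical message, so the response does not reveal whether the username exists.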

0

here

 else if(mysql_num_rows($checklogin) == 0){
// script from here will be called only if $checklogin is empty
// that means you can't call 
else if  ($checklogin->gebruikersnaam !== $username)
//here
}

ok hope it helps

<?php

if (($_SESSION['sessieinlog']) && ($_SESSION['sessiewachtwoord'])) {
    header("Location: overzicht.php");
}
if (isset($_POST['submit'])) {
    if ((!empty($_POST['gebruikersnaam'])) && (!empty($_POST['wachtwoord']))) {
        $username = mysql_real_escape_string($_POST['gebruikersnaam']);
        $password = md5(mysql_real_escape_string($_POST['wachtwoord']));

        $checklogin = mysql_query("SELECT * FROM gebruikers WHERE gebruikersnaam = '" . $username . "' AND wachtwoord = '" . $password . "'");
        if (mysql_num_rows($checklogin) == 1) {
            $row = mysql_fetch_array($checklogin);
            $_SESSION['sessieinlog'] = $username;
            $_SESSION['sessiewachtwoord'] = 1;
            header("Location: overzicht.php");
        } else if (mysql_num_rows($checklogin) == 0) {
            // print username or password is incorrect
            // if you want to know which one is incorrect you have to do two other queries to know which one is correct
        }
    } else {
        if (empty($_POST['gebruikersnaam'])) {
            print '<p class="form-error">De gebruikersnaam is niet ingevuld!</p>';
        } else {
            print '<p class="form-error">Het wachtwoord is niet ingevuld!</p>';
        }
    }
}
?>
Nabin Kunwar
  • Thanks, this seems to work, but it's showing 'De gebruikersnaam is niet ingevuld!' already at a refresh or new window of the page without submitting any data, I'm not sure where it's coming from. – Dylan Smit Oct 07 '13 at 12:17
  • This is because there was no condition for when this function should be called. So now this will be called after submitting the form. Try now – Nabin Kunwar Oct 07 '13 at 12:23
  • Ah yeah of course, stupid me -.- . Thanks for all the help, it seems to work right now the way I want it to work. You're the best! – Dylan Smit Oct 07 '13 at 12:39