So I have created a user_login.php page (consisting of HTML, a login form). The form is:

```html
<form method="post" action="scripts/login.php">
<p>Username: <input type="text" name="Username" /></p>
<p>Password: <input type="password" name="Password" /></p>
<p><input type="submit" value="Sign In" /></p>
</form>
```

As well as this, I have a login.php script (see below)

```php
<?php
   include "scripts/connection.php";
   session_start();

   if($_SERVER["REQUEST_METHOD"] == "POST") {
      // username and password sent from form

      $myusername = mysqli_real_escape_string($link,$_POST['Username']);
      $mypassword = mysqli_real_escape_string($link,$_POST['Password']);

      $sql = "SELECT * FROM Customer WHERE Customer_Username = '$myusername' and Customer_Password = '$mypassword'";
      $result = mysqli_query($link,$sql);
      $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
      $active = $row['active'];

      $count = mysqli_num_rows($result);

      // If result matched $myusername and $mypassword, table row must be 1 row

      if($count == 1) {
         $_SESSION['Username'] = $myusername;

         header("location: Welcome.php");
      }else {
         $error = "Your Username or Password is invalid";
      }
   }
?>
```

Now I know my connection.php works, as I use it elsewhere on my site.

My problem is, when I browse the user_login.php page in my browser and click on the "sign in" button, it takes me to the www.website.com/login.php file, but the entire page is blank (white). This happens no matter if I input something into the username and password fields or leave them blank.

Obviously what I require is, if the fields are blank or don't match records within the DB, an error message is displayed. If the logins do match then they are redirected to the Welcome.php file.

Not 100% sure if the login.php script is missing anything, so any help would be much appreciated.

UPDATE

After adding:

```php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
include "scripts/connection.php";
```

to the top of my code, I'm getting a long error message now, instead of a pure white screen:

Warning: include(scripts/connection.php): failed to open stream: No such file or directory in scripts/login.php on line 5

Warning: include(): Failed opening 'scripts/connection.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in scripts/login.php on line 5

Notice: Undefined variable: link in scripts/login.php on line 10

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in /scripts/login.php on line 10

Notice: Undefined variable: link in /scripts/login.php on line 11

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in /scripts/login.php on line 11

Notice: Undefined variable: link in /scripts/login.php on line 14

Warning: mysqli_query() expects parameter 1 to be mysqli, null given in /scripts/login.php on line 14

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in /scripts/login.php on line 15

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /scripts/login.php on line 18

Jay Blanchard
Tipping44
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 17 '17 at 22:22
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 17 '17 at 22:22
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jan 17 '17 at 22:23
  • What is your `$_SERVER["REQUEST_METHOD"]`? Have you echoed it out? – Jay Blanchard Jan 17 '17 at 22:24
  • @JayBlanchard sorry, when you ask what it is? What do you mean? Novice sorry.... – Tipping44 Jan 17 '17 at 22:58
  • What is the value of `$_SERVER["REQUEST_METHOD"]`? Add `echo $_SERVER["REQUEST_METHOD"];` prior to your `if` statement. My bet is that you never enter the `if` condition. – Jay Blanchard Jan 17 '17 at 23:00
  • Start with the first error and many of the others will disappear. – Jay Blanchard Jan 17 '17 at 23:10
  • @JayBlanchard I'm obviously missing something that is apparently clear to more experienced users, sorry. You say the first error, which is failed to open stream, which you say is a duplicate. On line 5 in my login.php file it says include "script/connection.php"; When you suggest it's a duplicate, do you mean to say I have included it when there is no need to? – Tipping44 Jan 17 '17 at 23:22
  • A duplicate here means the question has already been asked and answered, likely several times. The linked answer will generally have the information you need to fix your code and make things work properly. – Jay Blanchard Jan 17 '17 at 23:25
  • see jay, literally exactly this reason why you don't just mark it a dupe in the middle of it. – ATechGuy Jan 17 '17 at 23:28
  • @JayBlanchard Ah okay, I noticed another commenter and yourself mentioned the first error that is shown, misread what you were talking about, I will take a look at your answer now. Thanks – Tipping44 Jan 17 '17 at 23:28
  • my first line should help you as well Tipping, have a look if you are still having trouble – ATechGuy Jan 17 '17 at 23:29
  • @keaner, not sure if you saw my reply to your first-line answer, just in case: Yeah, the connection and login.php are in the scripts folder. At the top of the login.php file I have included the connection.php script and nothing else. At the top of my user_login.php file I have included both the connection and login.php files (tried deleting and adding only one at a time but same error message). Hope I'm not being silly and missing something obvious? – Tipping44 Jan 17 '17 at 23:31
  • If they are in the same folder do what @keaner said and change the line to `include "connection.php";` – Jay Blanchard Jan 17 '17 at 23:34
  • @keaner Okay, finally understood what you meant by changing to "connection.php"; That has cleared all errors and redirects me to my welcome page on correct db entry!!! Thank you – Tipping44 Jan 17 '17 at 23:40
  • Now that you have your code working @Tipping44 please pay attention to the first 2 comments left to you. Both of these are about safety and security of your code. – Jay Blanchard Jan 17 '17 at 23:41
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard Jan 17 '17 at 23:42
  • @JayBlanchard just added what you suggested and all that displays is POST. You may be rolling your eyes, trying to understand best I can, sorry! – Tipping44 Jan 17 '17 at 23:42
  • I was still trying to troubleshoot what was going on in your code once you had the connection problem fixed. You can ignore that now and pay attention to the comments left about security. In addition, as I have done, upvote @keaner's answer and then mark it as accepted when you are allowed to. – Jay Blanchard Jan 17 '17 at 23:43
  • lol, this thread is gold, glad it all worked out for you, thx for the accept :) – ATechGuy Jan 18 '17 at 00:23

1 Answer

If your scripts/connection.php is in the same folder as your login.php then the include should only be

```php
include "connection.php";
```

One thing: your session_start(); needs to be the first line in your PHP, before including scripts. That is probably throwing an error (which you can't see), so the page is blank white.

Add this after the session_start(), then reload the page. So the full code for the top should look like below:

```php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
include "scripts/connection.php";
```

UPDATE

To troubleshoot, I'd remove this part

```php
if($count == 1) {
     $_SESSION['Username'] = $myusername;

     header("location: Welcome.php");
  }
```

and try this

```php
if($count == 1) {
     echo "It WORKS";
  }
```

This will allow you to see if this condition is being met. If so, the redirect is the issue.

user229044
ATechGuy
  • Thanks for the reply, just added that in and the same thing occurs. No difference whatsoever :( Sorry, just reloaded the page and I am now being shown a huge error starting with Warning: include(scripts/connection.php): failed to open stream: No such file or directory in /www/scripts/login.php on line 5 Warning: include(): Failed opening 'scripts/connection.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') – Tipping44 4 mins ago edit – Tipping44 Jan 17 '17 at 22:50
  • Take out session start completely to see if the page shows up. The fact that no error even showed is concerning, something in your PHP setup seems off. Also post your new edited code fully if you can – ATechGuy Jan 17 '17 at 22:52
  • header('Location: http://www.example.com/'); should be first before any output. All this relates to PHP throwing errors you can't see (white page) – ATechGuy Jan 17 '17 at 22:58
  • Do you mean for me to relocate this to the top of my page also? If so, as soon as I then click on my "user_login.php" page (as if a user is logging in) it redirects me to the "welcome.php" right away. – Tipping44 Jan 17 '17 at 23:02
  • I've updated my answer, have a look. To troubleshoot where it's dying, try above. Yeah, I meant edit your original question and provide all code as it sits now if you can. The header remark was to replace the header you had later on in the file, in the same spot, sorry for the confusion – ATechGuy Jan 17 '17 at 23:03
  • Thanks for your input, just tried swapping out what you suggested and getting the same long error message. updated my original post with error message – Tipping44 Jan 17 '17 at 23:04
  • what long error message? you said page was blank? – ATechGuy Jan 17 '17 at 23:05
  • Right there, first comment to you @keaner *"Warning: include(scripts/connection.php): failed to open stream: No such file or directory in /www/scripts/login.php on line 5 Warning: include(): Failed opening 'scripts/connection.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear')"* – Jay Blanchard Jan 17 '17 at 23:06
  • if your scripts/connection.php is in the same folder as your login.php then the include should only be include "connection.php"; – ATechGuy Jan 17 '17 at 23:08
  • @keaner yeah, the connection and login.php are in the scripts folder. At the top of the login.php file I have included the connection.php script and nothing else. At the top of my user_login.php file I have included both the connection and login.php files (tried deleting and adding only one at a time but same error message). Hope I'm not being silly and missing something obvious? – Tipping44 Jan 17 '17 at 23:16
  • It's only a "dupe" because we fixed his other problem, god forbid some other person might like to see the chain of events – ATechGuy Jan 17 '17 at 23:17
  • Just because it is a dupe doesn't mean it will be deleted. As a matter of fact it will likely be kept around just so that people can see the chain of events @keaner. Nothing personal was meant by the dupe or the edit to your answer. – Jay Blanchard Jan 17 '17 at 23:19
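
Added example (not code from the question, the answer or the commenters): the login.php handler with the answer's include-path fix and the two security comments on the question applied, using a prepared statement instead of string escaping and `password_verify()` against a stored hash. It assumes connection.php defines `$link` as in the question and that `Customer_Password` holds `password_hash()` output, which the table in the question does not yet do.

```php
<?php
// Added example, not the poster's code.
// Assumptions: connection.php sets $link (mysqli); Customer_Password stores password_hash() output.
session_start();                        // before any output is sent
require __DIR__ . '/connection.php';    // resolved relative to this file, not the working directory

// Make mysqli throw on query errors so failures are logged rather than silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string)($_POST['Username'] ?? ''));
    $password = (string)($_POST['Password'] ?? '');   // never escape or trim a password

    if ($username === '' || $password === '') {
        $error = 'Your Username or Password is invalid';
    } else {
        // The ? placeholder keeps user input out of the SQL text entirely.
        $stmt = mysqli_prepare($link,
            'SELECT Customer_Password FROM Customer WHERE Customer_Username = ?');
        mysqli_stmt_bind_param($stmt, 's', $username);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $hash);
        $found = mysqli_stmt_fetch($stmt);            // true, false, or null when no row
        mysqli_stmt_close($stmt);

        // Compare the submitted password with the stored hash, never in SQL.
        if ($found === true && password_verify($password, (string)$hash)) {
            session_regenerate_id(true);              // fresh session ID after login
            $_SESSION['Username'] = $username;
            header('Location: Welcome.php');
            exit;                                     // nothing may run after the redirect
        }
        $error = 'Your Username or Password is invalid';
    }
}

if ($error !== '') {
    // Encode on output; the same message for every failure avoids revealing valid usernames.
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
```

At registration the matching step is `password_hash($password, PASSWORD_DEFAULT)`, stored in a column wide enough for future algorithms (the PHP manual recommends 255 characters).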