I'm trying to get data from the database for my login page, but can't seem to do so. It keeps on telling me that my username or password is wrong.

I'm a beginner in this field and got my code from YouTube.

form1.html

```html
<!DOCTYPE html>
<html>
<head>
 <title>Login Site</title>
</head>
<body>
<form method="POST" action="connect2.php">
Username : <input type="text" name="username"><br><br>
Password : <input type="password" name="password"><br>
<input type="submit" value="Login" name="submit">
</form>
</body>
</html>
```

connect2.php

```php
<?php
$con = mysqli_connect("localhost", "root", "") or die("Failed to connect to MySQL."); 
mysqli_select_db($con, "abc") or die("Database does not exist."); 
//require ('sql_connect.php');
if (isset($_POST['submit'])){
    $username=mysqli_escape_string($_POST['username']);
    $password=mysqli_escape_string($_POST['password']);
    if (!$_POST['username'] | !$_POST['password']) {
        echo ("<SCRIPT LANGUAGE='JavaScript'>
            window.alert('You did not complete all of the required fields')
            window.location.href='form1.html'
        </SCRIPT>");
        exit();
    }
    $sql= mysqli_query("SELECT * 
                        FROM `account` 
                        WHERE username = $username 
                        AND password = $password ");
    if(mysqli_num_rows($sql) > 0) {
        echo ("<SCRIPT LANGUAGE='JavaScript'>
            window.alert('Login Succesfully!.')
            window.location.href='form1.html'
        </SCRIPT>");
        exit();
    }else{
        echo ("<SCRIPT LANGUAGE='JavaScript'>
            window.alert('Wrong username or password. Please re-enter.')
            window.location.href='form1.html'
        </SCRIPT>");
        exit();
    }
}else{
}
?>
```

I think there is something wrong with the PHP coding since I keep on getting the 'wrong username and password' message.

UPDATE: screenshot of my database https://i.stack.imgur.com/FWXc9.jpg

RiggsFolly
lacheng
  • use `logical OR operator(||)` instead of `|` – KUMAR Sep 27 '19 at 07:33
  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) attack. Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) You should consider using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenated values – RiggsFolly Sep 27 '19 at 09:03
  • Good code indentation would help us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Sep 27 '19 at 09:05
  • Plain text passwords are a very bad idea: PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them for the safety of your users. – RiggsFolly Sep 27 '19 at 10:17

2 Answers

As a quick fix, put quotes around the username and password variables:

```sql
SELECT * FROM `account` WHERE username = '$username' AND password = '$password'
```

Some tips to improve this code:

  • use prepared statements to avoid SQL injections
  • don't store passwords in plain text, hash them (with a salt)

Also, you have an error in your first condition: you use `|`, which is a bitwise operator, instead of `||`, which is the logical OR operator.

Joffrey Schmitz
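The quoted query above is the minimal fix, but it still builds SQL by concatenating user input. The following is an added example, not the asker's `connect2.php` and not code from either answer, that rewrites the handler along the lines of this answer's two tips and RiggsFolly's comments on the question: a prepared statement with bound parameters, `password_hash()` / `password_verify()` instead of plain-text comparison, and `||` in the empty-field check. It assumes the same `abc` database and `account` table with `username` and `password` columns, where `password` now holds a `password_hash()` digest; the `createAccount()` helper and the redirect query-string values are hypothetical.

```php
<?php
// Added example: login handler with prepared statements and password hashing.
// Assumes the `account` table from the question, with `password` holding a
// password_hash() digest instead of the plain-text password.
declare(strict_types=1);

// Connection details copied from the question; replace with your own.
$con = mysqli_connect("localhost", "root", "", "abc");
if (!$con) {
    exit("Failed to connect to MySQL: " . mysqli_connect_error());
}
mysqli_set_charset($con, "utf8mb4");

/**
 * Hypothetical registration helper. password_hash() picks a random salt
 * and embeds it in the returned string, so nothing else needs storing.
 */
function createAccount(mysqli $con, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($con, "INSERT INTO `account` (username, password) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, "ss", $username, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

/**
 * Login check. The username travels as a bound parameter, so the driver
 * handles quoting and the input can never change the SQL text. The
 * password is not put in the query at all: we fetch the stored hash and
 * let password_verify() do the comparison.
 */
function checkLogin(mysqli $con, string $username, string $password): bool
{
    $stmt = mysqli_prepare($con, "SELECT password FROM `account` WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt);   // true on a row, null when none
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        return false; // unknown user: same outcome as a wrong password
    }
    return password_verify($password, $storedHash);
}

if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Logical OR (||), not the bitwise | used in the question.
    if ($username === '' || $password === '') {
        header("Location: form1.html?error=missing");
        exit();
    }

    if (checkLogin($con, $username, $password)) {
        header("Location: form1.html?login=ok");
    } else {
        header("Location: form1.html?error=badlogin");
    }
    exit();
}
```

Existing rows with plain-text passwords will fail `password_verify()`, so accounts have to be re-created (or re-hashed on next successful login) once the column holds digests. Returning the same failure for an unknown user and a wrong password keeps the login page from revealing which usernames exist.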

I think

```php
"SELECT * FROM account WHERE username = $username AND password = $password "
```

should be

```php
"SELECT * FROM account WHERE username = \"$username\" AND password =\"$password\""
```

DuhVir