I'm trying to create a login system that allows people to login. You can register on a different webpage and enter the credentials on this page to login and get redirected to another site, but despite entering the correct credentials, I don't get redirected at all and it just uses my `else` code. I tried moving the following piece of code in and out of the other if statements but that didn't help. I also tried changing the operators from `&&` to `||` on the code below but that just gave me a blank screen. I also tried detecting whether `$_POST('userName')` and `$_POST('password')` were empty and giving an alert when they are, but that also didn't work at all.

Currently I'm not worried about the security yet because it's not for commercial use.

```php
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1) {
  header('Location: (link to different site)');
}
```

My HTML code:

```html
<!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="index.css">
        <link rel="preconnect" href="https://fonts.gstatic.com">
        <link href="https://fonts.googleapis.com/css2?family=PT+Serif:wght@700&display=swap" rel="stylesheet">
        <link rel="preconnect" href="https://fonts.gstatic.com">
        <link href="https://fonts.googleapis.com/css2?family=Raleway&display=swap" rel="stylesheet">
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="X-UA-Compatible" content="ie=edge" />
    <title>title</title>
    <link rel="stylesheet" href="login.css">
  </head>

  <body>

    <header>
      <h1 style="color: #333; font-family: PT Serif; font-size: 30px">title</h1>
    </header>

    <section class="container">
      <form method="post" action="index.php" id="login">

        <h1 id="h1" style="font-family: Raleway; color: #333">Login</h1>
        <div class="msg">
        </div>

        <div>
          <label for="name" style="font-family: Raleway;">Name:</label>
          <input class='input' type="text" id="name" name="userName">
        </div>

        <div>
          <label for="password" style="font-family: Raleway;">Password:</label>
          <input class='input' type="password" id="password" name="password">
        </div>

        <div>
          <label for="register" style="font-family: Raleway;"><a href="link">No account yet?</a></label>
        </div>

        <input class="btn" type="submit" value="Submit">
      </form>

    </section>
  </body>
</html>
```

index.php:

```php
<?php
session_start();
$error = '';

$link = mysqli_connect('localhost','dbuser','dbpass','dbname');

if(empty(trim($_POST["userName"]))){
  $error = '<script>alert("Please fill in both your username and password.")</script>';
}

elseif(empty(trim($_POST["password"]))){
  $error = '<script>alert("Please fill in both your username and password.")</script>';
}

elseif(isset($_POST['userName']) && isset($_POST['password'])) {
    $userName = $_POST['userName'];
    $password = $_POST['password'];

    $sql_u = "SELECT Username FROM table WHERE Username='$userName'";
    $sql_p = "SELECT Password FROM table WHERE Password='$password'";

    $res_u = mysqli_query($link, $sql_u);
    $res_p = mysqli_query($link, $sql_p);

    if($userName == $res_u && $password == $res_p) {
        $_SESSION['userName'] = $userName;
        $_SESSION['password'] = $password;
        $_SESSION['loggedin'] = 1;
  }  
}

if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1) {
  header('Location: link');
}

else { ?>
<!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="index.css">
        <link rel="preconnect" href="https://fonts.gstatic.com">
        <link href="https://fonts.googleapis.com/css2?family=PT+Serif:wght@700&display=swap" rel="stylesheet">
        <link rel="preconnect" href="https://fonts.gstatic.com">
        <link href="https://fonts.googleapis.com/css2?family=Raleway&display=swap" rel="stylesheet">
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="X-UA-Compatible" content="ie=edge" />
    <title>title</title>
    <link rel="stylesheet" href="login.css">
  </head>

  <body>

    <header>
      <h1 style="color: #333; font-family: PT Serif; font-size: 30px">title</h1>
    </header>

    <section class="container">
      <form method="post" action="index.php" id="login">

        <h1 id="h1" style="font-family: Raleway; color: #333">Login</h1>
        <div class="msg">
        </div>

        <div>
          <label for="name" style="font-family: Raleway;">Name:</label>
          <input class='input' type="text" id="name" name="userName">
        </div>

        <div>
          <label for="password" style="font-family: Raleway;">Password:</label>
          <input class='input' type="password" id="password" name="password">
        </div>

        <div>
          <label for="register" style="font-family: Raleway;"><a href="link">No account yet?</a></label>
        </div>

        <input class="btn" type="submit" value="Submit">
      </form>

    </section>
  </body>
</html>
<?php } ?>
```
  • `header('Location: ...');` should always be followed by `exit;` in PHP. – β.εηοιτ.βε Apr 01 '21 at 17:59
  • Does this answer your question? [php - Should I call exit() after calling Location: header?](https://stackoverflow.com/questions/3553698/php-should-i-call-exit-after-calling-location-header) – β.εηοιτ.βε Apr 01 '21 at 17:59
  • `SELECT Password FROM table WHERE Password='$password'` ? Your table is actually called `table`? What if two users use the same password? Do the username and password check in _one_ query – brombeer Apr 01 '21 at 18:01
  • Don't ever store plain text passwords. PHP has [password_hash](https://www.php.net/manual/en/function.password-hash.php) and [password_verify](https://www.php.net/manual/en/function.password-verify.php) – brombeer Apr 01 '21 at 18:04
  • `I'm trying to create a login system that allows people to login.` - this code in the question has multiple significant security problems, don't ignore them. e.g. using the password `blah' OR 1 = 1` you can log in as anyone. Some keywords to search for: `prepared statements`, `sql injection` [password_hash](https://www.php.net/manual/en/function.password-hash.php), [password_verify](https://www.php.net/manual/en/function.password-verify.php). It's kinda beyond the scope of stack overflow to address all the flaws - Don't make this up as you go along, find a tutorial/example to follow :). – AD7six Apr 01 '21 at 19:03
  • If you're making a login system, then the whole point of it is to enforce security. You can't then say that you're not very concerned about security. It makes a nonsense of the whole effort. Besides, correctly-implemented login systems aren't that easy to create - a few well-used, well-tested frameworks and plugins - maintained by experienced people with relevant expertise in this field - have done this the right way, fixed the bugs, and are re-usable. Don't re-invent the wheel, use an existing turnkey solution and spend your time adding some unique value to your application instead. – ADyson Apr 01 '21 at 22:27
  • Why beginners or near-beginners constantly pop up here with their hopeless "make a login system" projects is beyond me. It's not a topic for beginners. Use your imagination and think of something genuinely useful to implement, but where a few little security issues wouldn't be the end of the world. A login system is not that place. – ADyson Apr 01 '21 at 22:28
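
The comments' advice combined into one added example (not code from the question or from any commenter): a single parameterized lookup by username followed by `password_verify`, reading the stored value out of the result row, whereas the question compares the submitted strings against the result objects returned by `mysqli_query`, which never match. It assumes PDO with an in-memory SQLite database and a hypothetical `users` table in place of the page's MySQL connection; `register` and `checkLogin` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Added example: a constructed in-memory SQLite database stands in for the
// page's MySQL server so the script runs offline; `users` is a hypothetical table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');

// Registration side: store only a salted hash, never the password itself.
function register(PDO $db, string $userName, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (Username, PasswordHash) VALUES (?, ?)');
    $stmt->execute([$userName, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: one parameterized query by username, then password_verify().
function checkLogin(PDO $db, string $userName, string $password): bool
{
    if (trim($userName) === '' || $password === '') {
        return false;                      // empty form fields
    }
    $stmt = $db->prepare('SELECT PasswordHash FROM users WHERE Username = ?');
    $stmt->execute([$userName]);           // value is bound, never spliced into SQL
    $hash = $stmt->fetchColumn();          // false when no such user exists
    return is_string($hash) && password_verify($password, $hash);
}

register($db, 'alice', 'correct horse');   // constructed sample account

// Constructed inputs, including the password string quoted in the comments.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['alice', "blah' OR 1 = 1"],
    ['nobody', 'correct horse'],
    ['', ''],
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s %-18s => %s\n", var_export($u, true), var_export($p, true),
        checkLogin($db, $u, $p) ? 'login ok' : 'rejected');
}

// In index.php the successful branch would then be:
//   session_regenerate_id(true);          // new session ID after login
//   $_SESSION['userName'] = $userName;    // no password kept in the session
//   $_SESSION['loggedin'] = 1;
//   header('Location: link');
//   exit;                                 // stop before any HTML is sent
```

With mysqli the same pattern is `mysqli_prepare`, `mysqli_stmt_bind_param`, `mysqli_stmt_execute` and a fetch of the row before comparing.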

0 Answers