Member Avatar for Rahul47

A simple login script that won't be much trouble for members in here. But query within is getting fired up for wrong credentials.

My Script.

<?php
    require("C:\wamp\www\Onex\connect_db.php");
        if(isset($_POST['login']) && !empty($_POST['login']))
        {
            $uname=$_POST['uname'];
            $pass=$_POST['pass'];

            $login_query="select * from register where username='$uname' and password='$pass'";
            $result=mysqli_query($con,$login_query);
            if($result)
            {
                echo "Login granted. <br>";
                while($row=mysqli_fetch_array($result))
                {
                    echo " Username: ".$row["username"]." and Password: ". $row["password"];
                }
            }
            else
            {
                echo "No such user registered.";
            }
        }
    mysqli_free_result($result);
    mysqli_close($con);

?>

Do tell me if i need to add snaps ?

I need not tell how much I appreciate your help. :-)

Member Avatar for Rahul47

I read in a book that

"Select query returns a result set upon success, whereas Insert query returns a true value upon success"

I am using a SELECT query to check for credentials, but the table also contains other fields( firstname, middlename, lastname ).
Hence my query is returning a RESULT SET.

Do you think that is the problem ?

1) have you added die() function in your database connectivity to check if you are able to connect to database.
Also add die() statement in line 9.

  $result=mysqli_query($con,$login_query) or die(mysqli_error());

This will help you to know if there is any error in database connectivity or your script.

2)
Also,after line 8 echo the sql statement.

  $login_query="select * from register where username='$uname' and password='$pass'";
  echo $login_query;

This will help to know what exactly sql statement was constructed.Please post result of both the amendment and let us know.

"Select query returns a result set upon success, whereas Insert query returns a true value upon success"

This just means that INSERT query returns true if it succeeds to insert the data into database. On the contrary the SELECT query return rows. If query is unsuccessful it returns false in both cases. It is good idea if you check for this (as IIM suggested).

But query within is getting fired up for wrong credentials

What exactly is happening? What do you get?

Do tell me if i need to add snaps ?

Are you talking about spirit that Germans lovingly call snaps? If yes it might help, but do not overdose :-) Just kidin. Yes if you have snapshots that might help.

Other issues with your code:

  • check first if the username posted from the form conforms to basic rules (min and max length, allowed characters etc); if not return the user to the login page
  • escape the strings before sending them to the database!!!!!!!!!!! (you can use mysqli_real_escape_string function)
  • hash the password, do not store the plaintext of it in the database
  • count the rows read from the database. if 0 - no match, if 1 - perfect match, if > 1 - something went wrong (same user saved many times)
  • do not let the user know what went wrong so instead of "No such user registered." echo "Wrong credentials, please try again.". No need to help the potential attackers.
Member Avatar for Rahul47

1) About adding die statement in line 9. Added. There is no problem with connection.

2)After line 8 echo the sql statement. It works just fine.
a84ed7b3c20221442f2f572fd761f31d

As you can see I wont dare to keep that password.

Member Avatar for Rahul47

Other issues with your code:

Those are yet to be done, right now am only testing connection and output.

OK, but does the problem persist (and if yes, can you describe it)?

Member Avatar for Rahul47

OK, but does the problem persist (and if yes, can you describe it)?

Validations are yet to be done, no problem with that.
Correct Password is daniweb. It does not executes statement for incorrect password.

This one for correct password:

0918e2581994388a0e74e99bc446d2d7

For incorrect refer to previous reply.

Member Avatar for Rahul47

A point to be noticed here:

When credentials are correct and returned as result set they are displayed.

4a2b40da96b091f4b07ad59aacd5dea2

But when they are incorrect they are not displayed but it does enter body of if statement as echo "Login Granted" is executed.

709d9ae3c6982e1a1d131267472f9d11

The condition for granting a login is incorrect:

if($result)
{
    echo "Login granted. <br>";
    ...

The fact is that whatever you get with the select query yields a result (even empty resultset). The $result variable is not your result yet, but just a special type - a mysqli_result object that will help you retrieve row(s). So the code

$row=mysqli_fetch_array($result);

retrieves the actual data. You have to compare it to the data entered into the form to confirm the login or at least check (count) if the $row array exist. So something like this:

require("C:\wamp\www\Onex\connect_db.php");
if(isset($_POST['login']) && !empty($_POST['login'])) {
    $uname = mysqli_real_escape_string($_POST['uname']);
    $pass = mysqli_real_escape_string($_POST['pass']);
    $login_query="select * from register where username='$uname' and password='$pass'";
    $result = mysqli_query($con,$login_query);
    if($result)
    {
        $row=mysqli_fetch_array($result);

        if(
            isset($row["username"]) && 
            isset($row["password"]) && 
            $row["username"] == $uname && // this is not strictly necessary
            $row["password"] == $pass // this is not strictly necessary
        ) {
            echo "Login granted. <br>";
            echo " Username: ".$row["username"]." and Password: ". $row["password"];
        } else {
            echo "Incorrect login. Please try again.";
        }
    } else {
        echo "Incorrect login. Please try again.";
    }
}
mysqli_free_result($result);
mysqli_close($con);
Member Avatar for Rahul47

The condition for granting a login is incorrect:

if($result)
{
    echo "Login granted. <br>";

That's what I suspected in beginning.
Well, that solved our problem here.

What do you prefer for hashing password?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.