Php login

My login code doesn’t seem to be properly searching my database. I made a simple database with one username/password to test it out and there is always an error saying that it is the wrong username/password. Can you take a look and help me out?

<?php
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="login"; // Database name
$tbl_name="registered"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

Is there something wrong with the script? I’m a total php noob and am trying to figure this out as I go.

My answer is prepared assuming that your site is hosted in 000webhost.com.

In your code $host, $username and $db_name are not correctly defined.
With your code, even database connection is not possible, and it’s strange
that you did not get any error message on the database connection failure.
For details, please refer to the following thread posted by me:

It will be helpful if you read more posts in the same thread.

If your site is hosted by other webhosting company, please disregard my answer above.

are you talking about $host, $username and $db_name in themselves, or what is in the quotation marks? I just put generic stuff in the quotation marks so it didn’t have my personal login information… and I was asking the same question in another forum, so didn’t want to have host-specific information in there…
if you mean $host, $username and $db_name themselves… ugh… lol… :slight_smile:

If you added comments that you put generic stuff, it would not have misled me … lol.
Your code looks OK. However, if $mypassword is encrypted you will get the message,
“Wrong Username or Password.” So, please connect to your database or enter into
phpMyAdmin and see if password is encrypted in your table.

I had just noticed that part as well and tried to fix using the following (only posting the part I changed):


// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// encrypt password
$encrypted_mypassword=md5($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);


$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

<?
if($count==1){ 
// Register $myusername, $mypassword and redirect to file "login_success.php" 
session_register("myusername") 
session_register("mypassword"); 
header("location:login_success.php"); 
} 
else { 
echo "Wrong Username or Password"; 
} 
?>

In the recent version of php, $_SESSION variable is used instead of session_registetr().
If you use session_register() in register_globals=Off environment, it will not work.
So, I suggest the following code:


<?
session_start(); // if you want to use session, this should be added at the top.
.
.

if($count == 1) { 
// Register $myusername, $mypassword and redirect to file "login_success.php" 
$_SESSION['myusername'] = $row['username']; 
$_SESSION['mypassword'] = $row['password'];  
header("location:login_success.php"); 
} 
else { 
echo "Wrong Username or Password"; 
} 
?>

Hi,
It works here as I test. It could be something with $_POST or something with your DB schema.
A mistake I made “once” is to have a, say, VARCHAR(20) column and try to store MD5 hashed there (32 chars). The inserts success with a warning and the selects never match anything.

BTW instead of…

// encrypt password 
$encrypted_mypassword=md5($mypassword);

You can

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password=md5('$mypassword')"; 
$result=mysql_query($sql); 

Good luck.

omg i’m such an idiot, hahaha… that was it… I was set to varchar 20 >_>
THANK YOU! Such a stupid easy fix, hahaha… It’s the little things that escape us, ya?