php - I have the same error message when i put any error in the file -
when submit form have same error message time . if put right or wrong password or don't put password or write name of data base wrong . of wrongs have same error message : please enter username , password . problem . , sure fields on data base .
<? session_start(); $username = $_post['username']; $password = $_post['password']; if ($username && $password) { $connect = mysql_connect("localhsost","root","adminffpass") or die("couldent connet database "); mysql_select_db("login") or die("no data base found "); $query = mysql_query("select * users username='$username'"); $numrows = mysql_num_rows($query); if ($numrows !=0) { while ($row= mysql_fetch_array($query)) { $dbusername = $row['username']; $dbpassword = $row['password']; } if ($username == $dbusername && $password==$dbpassword) { echo "login successul .<a href='memeberarea.php'>click enter member area</a>"; $_session['username'] = $dbusername; } else echo "incorrect password "; } else die ("that user name dosent exist"); } else die ("please enter username , password"); ?>
even if put right or wrong password or don't put password or write name of data base wrong . of wrongs have same error message
typo: localhsost 1 thing. plus, may not able use mysql_ functions, since deprecated , may not available use.
plus, post arrays may failing, make sure form post method , elements bear name attribute.
i.e.:
<input type="text" name="username"> etc.
if write wrong name database don't have error . why ?"
because, you're using or die("couldent connet database ") instead of getting real error mysql_error()
mysql_connect() => http://php.net/manual/en/function.mysql-connect.php
<?php $link = mysql_connect('localhost', 'mysql_user', 'mysql_password'); if (!$link) { die('could not connect: ' . mysql_error()); } echo 'connected successfully'; mysql_close($link); ?> your present code open sql injection. use mysqli prepared statements, or pdo prepared statements.
i noticed may storing passwords in plain text. if case, highly discouraged.
for password storage, use crypt_blowfish or php 5.5's password_hash() function. php < 5.5 use password_hash() compatibility pack.
add error reporting top of file(s) find errors.
<?php error_reporting(e_all); ini_set('display_errors', 1); // rest of code sidenote: error reporting should done in staging, , never production.
plus, instead of if ($username && $password) should using conditional !empty() inputs.
it best use proper , consistent bracing throughout code.
else{ echo "incorrect password "; } etc.
- not doing so, have adverse effects.
storing password hash
using pdo prepared statements , password_hash():
- pulled ircmaxell's answer: https://stackoverflow.com/a/29778421/
just use library. seriously. exist reason.
- php 5.5+: use
password_hash() - php 5.3.7+: use
password-compat(a compatibility pack above - all others: use phpass
don't yourself. if you're creating own salt, you're doing wrong. should using library handles you.
$dbh = new pdo(...); $username = $_post["username"]; $email = $_post["email"]; $password = $_post["password"]; $hash = password_hash($password, password_default); $stmt = $dbh->prepare("insert users set username=?, email=?, password=?"); $stmt->execute([$username, $email, $hash]); and on login:
$sql = "select * users username = ?"; $stmt = $dbh->prepare($sql); $result = $stmt->execute([$_post['username']]); $users = $result->fetchall(); if (isset($users[0]) { if (password_verify($_post['password'], $users[0]->password) { // valid login } else { // invalid password } } else { // invalid username }
Comments
Post a Comment