
I am creating a login form for users in PHP using the following method. I am getting a problem. Kindly guide me where I am making a mistake.

Login Form:

<section class="login">
    <div class="titulo">Student Result Control System</div>
    <form action="do_login.php" method="post">
        <input name="user" type="text" id="user" size="25" placeholder="Username" />
        <input name="password" type="password" id="password" size="25" placeholder="Password" />
        <div class="olvido">
            <div class="col">
                <a href="forgot_password.php" style="cursor:hand">Forgot Password?</a>
            </div>
        </div>
        <center><input name="submit" type="submit" value="Login" class="submit"/></center>
    </form>
</section>

do_login.php:

<?php
include 'authentication.php';
include 'includes/userdbConnect.php';

$my_user = $_POST['user'];
$my_password = $_POST['password'];

// Reject empty fields before touching the database.
if ($my_user == '' || $my_password == '') {
    $myURL = 'http://localhost/lesson/error.php?eType=pass';
    header('Location: ' . $myURL);
    exit;
}

// Look up the user; username and password are interpolated unquoted here.
$login = mysql_query("SELECT * FROM users where `username` = $my_user and `password` = $my_password") or die("SELECT Error: " . mysql_error());

if (mysql_num_rows($login) > 0) {
    session_start();
    $_SESSION['login_status'] = "yes";
    $myURL = 'http://localhost/lesson/admin.php';
    header('Location: ' . $myURL);
    exit; // stop here so nothing runs after the redirect
} else {
    $myURL = 'http://localhost/lesson/error.php?eType=wrong';
    header('Location: ' . $myURL);
    exit;
}
?>

Include userdbConnect.php:

<?php
error_reporting(E_ERROR);
global $link;

$servername = 'localhost';
$dbname = 'school';
$dbusername = 'root';
$dbpassword = '';
$table_Name = "users";

$link = mysql_connect($servername, $dbusername, $dbpassword);

if (!$link) {
    die('Could not connect: ' . mysql_error());
} else {
    mysql_select_db($dbname, $link) or die("could not open db" . mysql_error());
}
?>

Kindly guide me where I am making a mistake, as I am not redirected to the admin.php page. I want that, after a successful login with the information in the database, do_login.php should redirect to admin.php.

Muhammad Rizwan
    Just use `1 OR 1` as username. That should work. Else ask `mysql_error`. If interested in writing less and more reliable code, read up on PDO and parameter binding. – mario Sep 11 '14 at 04:06
  • strings in queries need to be quoted -> `username` = '$my_user' and `password` = '$my_password'. But you should never use unsanitized user data directly in your queries. Also, passwords should not be plain text. – Sean Sep 11 '14 at 04:08
  • [Related](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1), in case you missed it. – The Blue Dog Sep 12 '14 at 18:39

2 Answers

I edited your code; now try this.

<?php
session_start();
include 'authentication.php';
include 'includes/userdbConnect.php';

$my_user = $_POST['user'];
$my_password = $_POST['password'];

if ($my_user == '' || $my_password == '') {
    $myURL = 'error.php?eType=pass';
    header('Location: ' . $myURL);
    exit;
}

// The string values are now quoted, but they are still interpolated straight
// into the SQL; see the comments on the question about parameter binding.
$login = mysql_query("SELECT * FROM users where username = '$my_user' and password = '$my_password'") or die("SELECT Error: " . mysql_error());

if (mysql_num_rows($login) > 0) {
    $_SESSION['login_status'] = "yes";
    $myURL = 'admin.php';
    header('Location: ' . $myURL);
    exit; // stop here so nothing runs after the redirect
} else {
    $myURL = 'error.php?eType=wrong';
    header('Location: ' . $myURL);
    exit;
}
?>

I hope you find your solution.

deemi-D-nadeem
$login = mysql_query("SELECT * FROM users where `username` = $my_user and `password` = $my_password") or die("SELECT Error: " . mysql_error());

Change this to:

$login = mysql_query("SELECT * FROM users where `username` = '" . $my_user . "' and `password` = '" . $my_password . "'") or die("SELECT Error: " . mysql_error());
coDe murDerer
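Both answers only add the missing quotes, so the username and password are still pasted into the SQL string, which is what mario's and Sean's comments warn about. As an added example, not code from the question or either answer, the same login check rebuilt with PDO parameter binding and hashed passwords; the in-memory SQLite table, the sample account and the inputs are constructed here to stand in for the 'school' database and $_POST.

```php
<?php
// Added example (not from the question or answers): do_login.php's check
// with PDO prepared statements and password_hash()/password_verify().
declare(strict_types=1);

function connectDb(): PDO
{
    // Constructed in-memory database standing in for 'school' on localhost.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same table and column names as the question's users table.
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample account; the stored value is a hash, not the password.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => 'admin', ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $pdo;
}

function authenticate(PDO $pdo, string $user, string $password): bool
{
    // The username travels as a bound parameter: the driver handles quoting,
    // so input such as "1 OR 1" is looked up literally instead of changing
    // the WHERE clause.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn(); // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

// Decides where do_login.php should redirect. The caller sends the Location
// header and must exit() right after it so nothing runs past the redirect.
function loginTarget(PDO $pdo, array $post): string
{
    $user = $post['user'] ?? '';
    $password = $post['password'] ?? '';
    if ($user === '' || $password === '') {
        return 'error.php?eType=pass';
    }
    if (authenticate($pdo, $user, $password)) {
        session_regenerate_id(true); // fresh session id once the user is logged in
        $_SESSION['login_status'] = 'yes';
        return 'admin.php';
    }
    return 'error.php?eType=wrong';
}

session_start();
$pdo = connectDb();
// Constructed inputs standing in for $_POST.
echo loginTarget($pdo, ['user' => 'admin', 'password' => 's3cret']), PHP_EOL;
echo loginTarget($pdo, ['user' => '1 OR 1', 'password' => 'x']), PHP_EOL;
```

In the real do_login.php the last lines become `header('Location: ' . loginTarget($pdo, $_POST)); exit;` after connecting with the MySQL PDO driver instead of SQLite.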