I have scanned my code countless times and can't figure this out at all. Every time I hit login, it returns wrong password and username.

admin.php

```html
<div class="container">
    <div class="row">
        <div class='col-md-3'></div>
        <div class="col-md-6">
            <div class="login-box well">
                    <form action="connectivity.php" method="post">
                        <legend>Sign In</legend>
                        <div class="form-group">
                            <label for="user">Username</label>
                            <input type="text" id="user" name="user" placeholder="Username" class="form-control" />
                        </div>
                        <div class="form-group">
                            <label for="pass">Password</label>
                            <!-- type="password" so the browser masks the entry (was type="text") -->
                            <input type="password" id="pass" name="pass" placeholder="Password" class="form-control" />
                        </div>
                        <div class="form-group">
                            <a href="index.php" class="btn btn-link pull-right">Return to Login</a>
                            <input name="submit" type="submit" class="btn btn-warning btn-login-submit btn-block m-t-md" value="Login" />
                        </div>
                    </form>

            </div>
        </div>
        <div class='col-md-3'></div>
    </div>
</div>
```

connectivity.php

```php
<?php
session_start();

define('DB_HOST', 'localhost');
define('DB_NAME', 'login-invoices');
define('DB_USER', 'root');
define('DB_PASSWORD', '');

$con = mysql_connect('localhost', 'username', 'password', '') or die("Failed to connect to MySQL: " . mysql_error());
$db = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error());
/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn()
{
    session_start(); // starting the session for user profile page
    if(!empty($_POST['user'])) // checking the 'user' name which is from Sign-In.html, is it empty or have some text
    {
        $user = $_POST[user];
        $pass = $_POST[pass];

        $query = "SELECT * FROM login where username = '$user' AND password = '$pass'";
        $query = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());
        if(!empty($row['user']) AND !empty($row['pass']))
        {
            header("location: Home.html");
        } else {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}
if(isset($_POST['submit']))
{
    SignIn();
}

?>
```

Here is a picture of my DB database structure.

Here is the table setup.

  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Oct 21 '15 at 19:08
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Oct 21 '15 at 19:08
  • You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Oct 21 '15 at 19:08
  • You have the wrong field names for your return rows: `if(!empty($row['user']) AND !empty($row['pass']))` should be `if(!empty($row['username']) AND !empty($row['password']))`. `mysql_fetch_array` also needs to be `mysql_fetch_assoc` with the way you're wanting to access the query. You can do a `print_r` of `$row` to see the problem with the row as you have it currently. – DaOgre Oct 21 '15 at 19:11
  • You shouldn't use `or die()` on the `mysql_fetch_array` line. That will make it die when there are no matching rows, instead of going into the `if`. – Barmar Oct 21 '15 at 19:12
  • Thanks for the help guys, I'm still new to MySQL and PHP so this all helps. – Charles L. Oct 21 '15 at 19:15

1 Answer

You have some missing quotes:

```php
$user = $_POST[user];
$pass = $_POST[pass];
```

Fixed version:

```php
$user = $_POST['user'];
$pass = $_POST['pass'];
```

And as Chris mentioned, your column names are incorrect here:

```php
if(!empty($row['user']) AND !empty($row['pass']))
```

According to your SQL they should be:

```php
if(!empty($row['username']) AND !empty($row['password']))
```

And lastly, have a quick online search for "SQL Injection Attacks":

```php
$query = "SELECT * FROM login where username = '$user' AND password = '$pass'";
```

If I were to log in with a username of:

```
'; SELECT * FROM login LIMIT 1; --
```

I'm pretty sure I'd gain access to your system!

– Fenton
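Pulling the answer's fixes and the comments' advice (PDO prepared statements, `password_hash()`/`password_verify()`, no `or die()` on the fetch) together, here is a hardened `connectivity.php` as an added example; it is not code from the question or the answer. It assumes the same `login` table with `username` and `password` columns, where `password` now holds a `password_hash()` digest rather than plaintext.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the `login`
// table's `password` column stores password_hash() output, e.g. rows were
// created with: password_hash($plain, PASSWORD_DEFAULT).
session_start();

define('DB_HOST', 'localhost');
define('DB_NAME', 'login-invoices');
define('DB_USER', 'root');
define('DB_PASSWORD', '');

function connect(): PDO
{
    $dsn = 'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4';
    return new PDO($dsn, DB_USER, DB_PASSWORD, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of die()
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Returns true only when a row exists for $user and $pass matches its hash.
// User input is bound as a parameter, so it never becomes part of the SQL text
// and the username payload shown in the answer is just a literal string to MySQL.
function signIn(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM login WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // No matching user: treat exactly like a wrong password (no die()).
        return false;
    }
    return password_verify($pass, $row['password']);
}

if (isset($_POST['submit'], $_POST['user'], $_POST['pass'])) {
    if (signIn(connect(), $_POST['user'], $_POST['pass'])) {
        session_regenerate_id(true);         // fresh session id after login
        $_SESSION['user'] = $_POST['user'];  // what Home.html can check
        header('Location: Home.html');
        exit;                                // stop output after the redirect
    }
    echo 'Sorry, wrong username or password. Please retry.';
}
```

The single generic failure message for both "no such user" and "wrong password" avoids telling a caller which usernames exist.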