0

I recently tried to create a login form for my social networking website. It works but not the way I want it to. All I have to put in is a username and I'm logged in. I want to it to be username and password because of security. I tried before to fix this problem but nothing works. So I want to see if I can get help on here.

signin.php:

<html>
<head>
<title>Interpage</title>
</head>
<body bgcolor="#E6E6FA">

<h1><center>Login</center></h1>

<form action="process.php" method="post">
<p align="center">
<input type="text" name="username" size="35" id="Username" placeholder="Username" /></p>
<br></br>
<p align="center">
<input type="password" name="password" size="35"  id="Password" placeholder="Password" /></p>
<center>
<input type="submit" name="login" value="Log In"/></center>
<h3 style="font-size: 20px"><a href="register.php">Go Back To Home Screen</a></h3>  
</form> 
</body>
</html>

process.php:

<?php
include("db.php");

if ( isset( $_POST['login'] ) ) {

$username = $_POST['username'];
$pw = $_POST['StorePassword'];

$query = mysqli_query($conn, "SELECT * FROM users WHERE username='".$username."'");

if ( mysqli_num_rows($query) > 0 ) {
    while ( $row = mysqli_fetch_assoc( $query ) ) {
    if ( $row['StorePassword'] == $StorePassword ) {
       header("Location: home.php"); 
        } else { 
            echo "Wrong password"; 
        }
    }
} else {
    echo "User not found <br />";
}

if ( !isset($_POST['username'], $_POST['StorePassword']) ) {

die ('You must enter a username and password! <a href= signin.php>Try again</a> ');

}   else {

}
}
?>
Dharman
  • 30,962
  • 25
  • 85
  • 135
  • 2
    Change if ( $row['StorePassword'] == $StorePassword ) TO if ( $row['StorePassword'] == $pw) Also use prepared statements because you are open to SQL Injection – Kostas Mitsarakis Nov 13 '15 at 04:52
  • 3
    And last, but also extremely import, never store plain text passwords. – Ohgodwhy Nov 13 '15 at 04:52
  • I'm not in my registration form , it;'s being hashed –  Nov 13 '15 at 05:06
  • 1
    Possible duplicate of [How to use password\_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Dharman Jul 12 '19 at 19:29
  • Your query also needs password: "SELECT * FROM users WHERE username='".$username."' AND password=". $pw – Claudio Jul 12 '19 at 22:20
  • Also you're sending your password via post named password, but trying to retrieve it from StorePassword – Claudio Jul 12 '19 at 22:22

1 Answers1

0

This is a rather simple problem. You can use SESSIONS to get log the user in.

Let's start from the top. At the top of your page, i.e., immediately after <?php add session_start();. This is a PHP function which sends a session header and stores the session ID for the current context. Now, you have access to persistent data-storage for the client to identify him as logged in/out. The idea is to store some sort of variable to show the user is logged in.

After this line

if ( $row['StorePassword'] == $StorePassword ) {

    ....

    $_SESSION[ 'logged_in' ] = true;
    $_SESSION[ 'user_name' ] = $username;

// ... continuing your logic

Now, since that's done, you can check for that in your home.php file. In your home, add the following line at the top of the page:

if ( $_SESSION['logged_in'] && isset( $_SESSION['user_name'] ) {
    header("Content-type: text/html");
} else {
    die( "The user is not logged in. Click <a href=\"login.php\">here</a> to login" );
}

And you have a very simple login system. You can modify it according to your liking! :)

weirdpanda
  • 2,521
  • 1
  • 20
  • 31