-1

So for some reason if the password is correct it knows and takes the user to the correct user account, but if the pass is wrong, it won't log them in but still takes them to the account page that isn't logged in.

Can someone please help me out to not redirect them if the password is wrong?

```php
<?php
session_start();
//$connection = mysqli_connect('localhost', 'root', '');
$connection = mysqli_connect("pdb18.awardspace.net","*****","******","*****");
if (!$connection){
    die("Database Connection Failed" . mysqli_error($connection));
}
$select_db = mysqli_select_db($connection, '******');
if (!$select_db)
    {
        die("Database Selection Failed" . mysqli_error($connection));
    }
    $username=trim($_POST['username']);
    $password=trim($_POST['password']);

    //$encoded_password = base64_encode($password);

$sql = "SELECT * from register where Username='".$username."' and Password='".$password."'";
$result = mysqli_query($connection, $sql) or die(mysqli_error($connection));
$result = $con->query($sql);
$count = mysqli_num_rows($result);
//echo $count;
    if ($count == 1){
        while($row = $result->fetch_assoc()) {
                $id=$row['id'];
        }

        $_SESSION['User'] = $username;
                $_SESSION['UserId'] = $id;
        echo "valid";
    }
    else{
        echo "Invalid";
    }

?>
```
Funk Forty Niner
Dalton
  • You have shown no password logic in the code you posted, the PHP tag is not currently relevant to the question's body. – Kritner Jan 25 '17 at 17:36
  • @Kritner I added the correct code, sorry. – Dalton Jan 25 '17 at 17:37
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 25 '17 at 17:41
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 25 '17 at 17:41
  • You can use `header('Location: login.php'); die();` when the login is invalid. Where `login.php` should be *your* file you want to send the user to. – Xorifelse Jan 25 '17 at 17:44
  • 1
    The problem here, is that you're querying twice with `$result = mysqli_query...` and `$result = $con->query($sql);` and one of which being the wrong variable. – Funk Forty Niner Jan 25 '17 at 17:45
  • and who knows what the html form looks like. – Funk Forty Niner Jan 25 '17 at 17:47
  • @Fred-ii- Look in the [audit trail](http://stackoverflow.com/revisions/41858012/1) of the question – Xorifelse Jan 25 '17 at 17:51
  • @Xorifelse It's pretty obvious as to what the problem is. Then we have the case of the missing HTML form; that's what I take of all this. – Funk Forty Niner Jan 25 '17 at 17:53

1 Answer

0

Remove this line:

```php
$result = $con->query($sql);
```

You are using procedural functions, `mysqli_*`.

This part of the code, `$con->query`, is OOP style, which you are not using in your code, and it is overwriting the value of the `$result` variable. You can use both styles, but you should use the same connection, or `$connection` in your case.

Felippe Duarte
  • Both statements will not resolve the issue. You can mix procedural and OOP style and running the same query twice will still give the same output. – Xorifelse Jan 25 '17 at 17:41
  • 1
    Agree, but he is using different connections here. – Felippe Duarte Jan 25 '17 at 17:47
  • Yes, and then again expecting an `while($row = $result->fetch_assoc()) {` object here. So instead the fix should be `$connection->query($sql);` and removing the other line. – Xorifelse Jan 25 '17 at 17:49
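
The login check with the points from the comments and the answer applied: one connection object, a prepared statement instead of string concatenation, and `password_verify()` against a stored hash. This is an added example, not code from the question or the answer; it assumes the `Password` column holds `password_hash()` output and that the `DB_*` environment variables (hypothetical names) carry the connection settings.

```php
<?php
// Added example, not the asker's code. Assumptions: register.Password stores
// password_hash() output; DB_* environment variable names are hypothetical.

/** Returns the user's id when the credentials match, otherwise null. */
function check_login(mysqli $connection, string $username, string $password): ?int
{
    // The ? placeholder keeps user input out of the SQL text.
    $stmt = $connection->prepare('SELECT id, Password FROM register WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();   // true when a row was read, null when none matched
    $stmt->close();

    // The password is checked against the stored hash, never inside the query.
    if ($found === true && password_verify($password, (string) $hash)) {
        return (int) $id;
    }
    return null;
}

// Make mysqli throw exceptions instead of needing "or die(...)" after each call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$connection = new mysqli(
    (string) getenv('DB_HOST'),
    (string) getenv('DB_USER'),
    (string) getenv('DB_PASS'),
    (string) getenv('DB_NAME')
);

session_start();
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';   // not trimmed or escaped before verifying

$userId = check_login($connection, $username, $password);
if ($userId !== null) {
    session_regenerate_id(true);        // issue a fresh session id on login
    $_SESSION['User'] = $username;
    $_SESSION['UserId'] = $userId;
    echo "valid";
} else {
    // No session keys are set on failure, so the caller has nothing to treat as a login.
    echo "Invalid";
}
```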