Need help with a PHP Login application

Hey Guys,

I am creating a login application using PHP/phpMyAdmin and I am having an issue. I found another program online and I am mimicking its function, but I am unable to get it to work. Basically I have a database named ‘vendors’ with a table called ‘users’. I want the login app to pull the username and password from my database and approve/reject depending on if the user is found. I have been working on this for some time and have not been able to figure it out. Any help is much appreciated.

<?php session_start(); ?>
<?php include('dbcon.php'); ?>
<html>
<head>
<title>LOGIN PAGE</title>
<link rel="stylesheet" type="text/css" href="style2.css">
<link rel="shortcut icon" href="img/favicon.ico" type="image/x-icon">
</head>
<body>
<div class="form-wrapper">
  
  <form action="#" method="post" autocomplete="off">
    <h3>Login here</h3>
	
    <div class="form-item">
		<input type="text" name="username" required="required" placeholder="Username" autofocus required></input>
    </div>
    
    <div class="form-item">
		<input type="password" name="password" required="required" placeholder="Password" required></input>
    </div>
    
    <div class="button-panel">
		<input type="submit" class="button" title="Log In" name="login" value="Login"></input>
    </div>
  </form>
  <?php
	if (isset($_POST['login']))
		{
			$username = mysqli_real_escape_string($con, $_POST['user']);
			$password = mysqli_real_escape_string($con, $_POST['pass']);
			
			$query 		= mysqli_query($con, "SELECT * FROM users WHERE  password ='$password' and username ='$username'");
			$row		= mysqli_fetch_array($query);
			$num_row 	= mysqli_num_rows($query);
			
			if ($num_row > 0) 
				{			
					$_SESSION['id']=$row['id'];
					header('location:home.php');
					
				}
			else
				{
					echo 'Invalid Username and Password Combination';
				}
		}
  ?>
  <div class="reminder"><br><br>
    <p>Not a vendor? <a href="register.php">Register Here</a></p>
    
  </div>
  
</div>

</body>
</html>

Hi mattwinnier, welcome to the forum.

You didn’t explain what problem you’re having or what error message(s) you’re getting. But I can take a guess.

The string “password” is a “reserved” word.
https://dev.mysql.com/doc/refman/8.0/en/keywords.html

I tend to avoid using reserved words for identifier names, but for now you could try enclosing the name. eg.

... WHERE  `password` ='$password' and ... 

Sorry about that. I am not getting an error message, I am trying to get help/suggestions with the functionality of the application. I am a newb to coding and could use some help finishing my application. I appreciate your last suggestion. It made sense. I will update that identifier. Thanks

1 Like

You should not store passwords in plaintext, but hash them, so that if anyone ever gets a hold of your database at least they can’t read the passwords.

See https://securepasswords.info/php

3 Likes

I’m not sure the structure of your page is going to work. The usual way of processing forms is:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  // process form input
} else {
  // display form
}

Can you expand on this? What does it not do that it should, or what does it do that it should not?

As @Gandalf said, you should have your processing code before the form is displayed - when the user presses “submit” on your form, it will re-draw the form before it tries to process the login information that the user has provided. Because stuff (your HTML) has already been sent to the browser, your header() relocate on successful login will not work, and you should see a “headers already sent” error message.

But if that’s not the problem, can you add some detail about the issue please?

1 Like
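
An added example, not part of any post in this thread: one way to arrange the login page so the POST is handled before any HTML is sent and the password is checked against a stored hash, as the replies above advise. It assumes dbcon.php defines $con as a mysqli connection and that the users.password column holds a password_hash() value; find_user_id() is a hypothetical helper name.

```php
<?php
// Added example: all processing runs before any output, so header() still works.
session_start();
require 'dbcon.php';   // the thread's include; assumed to define $con (mysqli)

// Returns the user's id when the credentials match, otherwise null.
// Assumes users.password holds a password_hash() value written at registration.
function find_user_id(mysqli $con, string $username, string $password): ?int
{
    // Prepared statement: the username is bound, never concatenated into the SQL.
    $stmt = mysqli_prepare($con, 'SELECT id, `password` FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true when a row was fetched
    mysqli_stmt_close($stmt);

    // The hash comparison happens in PHP; the password never appears in the query.
    return ($found && password_verify($password, $hash)) ? (int) $id : null;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Keys match the form's name="username" / name="password" attributes.
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    $userId = (is_string($username) && is_string($password))
        ? find_user_id($con, $username, $password) : null;

    if ($userId !== null) {
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['id'] = $userId;
        header('Location: home.php');
        exit;                          // stop so the form below is not rendered
    }
    $error = 'Invalid Username and Password Combination';
}
?>
<!-- HTML starts only after the PHP above has finished -->
<form action="" method="post" autocomplete="off">
  <input type="text" name="username" placeholder="Username" required autofocus>
  <input type="password" name="password" placeholder="Password" required>
  <input type="submit" name="login" value="Login">
</form>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
```

For this check to succeed, the registration page has to store password_hash($password, PASSWORD_DEFAULT) in that column instead of the raw password.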

The first things I would ask are “What do you want it to function like and do?” and “What are you seeing?”

Just simply saying “it doesn’t work” or “I can’t get it to work” won’t tell us anything.

I would also strongly suggest that you put your PHP code at the top of your page and only reference the variables you need when you need them.

My understanding is the problem isn’t so much “this mostly works except for this” but more “how do I put this together”.

What I find helpful for me is to start with a rough outline of what would be involved. eg.

  • need HTML form
  • need database tables to hold input values
  • what values do I need?
    • username
    • password
      • security!!
    • other? any unique?
  • new vs. returning
    1. display form
    2. check against existing database values
    3. do stuff

As can be seen, it is very rough and incomplete. It serves only to help me get a “feel” for things. How to proceed and finer details (ie. the “other” and “stuff”) will vary and depends on what is needed and developer preference.

For example, some may prefer to write more OOP-ish code, others more procedural. Some may prefer to display the form again with the submitted values and ask for confirmation, others to go to a “success” page straight away.

More often than not, while working up the code other things come to mind and I revise the rough outline. eg. What do I do when there is a form error? What do I want to do to help prevent attacks? How can I ensure the form is accessible?

I find it easier to start simple and add complexity after making sure the simple works. A cycle of add until it breaks, fix, rinse repeat.

I think it could be helpful for you to put aside your example code for a while and put together a “minimal skeleton”. That is, write a very simple form with a single input, skip the database and SESSION stuff for now, and just have the code do one thing when the page first loads and another when the form has been submitted.

1 Like

Hi,

in lines 16 and 20 you are submitting the values for the inputs named “username” and “password” respectively.
In lines 30 and 31 you are retrieving the variables “user” and “pass”… Notice something?

Given what has been said about reserved words I would change the input names to match the names used in 30/31.

Regards

2 Likes
