Struggling with PHP Login Form

PHP
1

Here is my attempt at a PHP login form. To preface, I understand that I have not used any type of encryption on the password. I intend to use bcrypt, but I am just trying to get the actual form working correctly first before I implement the encryption. When I enter the correct username and password, I get the “Wrong Username and/or Password” message that I created, which I believe tells me that the code is going wrong somewhere in the database query, but I can’t figure out what it is. Any suggestions would be much appreciated!


<?php 
	
	if (isset($_POST['confirm_login']) && $_POST['confirm_login'] == 'true') {
	
		// Connect to database
		include ($_SERVER['DOCUMENT_ROOT'] . "/genesis/databaseconnect.php");
		
		// Start session
		session_start();
		
		// Set error array
		$errors = array();
		
		// Gather and validate username
		if (isset($_POST['username']) && $_POST['username'] !== '') {
			$username = mysql_real_escape_string($_POST['username']);
		} else {
			$errors['username'] = TRUE;
			$username = NULL;
		}
		
		// Gather and validate password
		if (isset($_POST['password']) && $_POST['password'] !== '') {
			$password = mysql_real_escape_string($_POST['password']);
		} else {
			$errors['password'] = TRUE;
			$password = NULL;
		}
		
		if (empty($errors)) {
		
			// Create query
			$query = "SELECT username, password FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
			
			// Query database
			$result = $mysqli->query($query); 	
			if ($result) {
				while ($row = $result->fetch_object()) {
					$_SESSION['username'] = $row->username;
					$_SESSION['password'] = $row->password;
				}
				$result->close();
				header("Location: index.php");
			} else {
				$errors['wrong_username_password'] = TRUE;
			}
		
		} else {
			$errors['username_password'] = TRUE;
		}
		
	} 
	
?>

<?php
	$title = 'Login'; 
	$subsection = '';
	$section = '';
?>

<?php include ($_SERVER['DOCUMENT_ROOT'] . "/genesis/admin/includes/head.php"); ?>

</head>

<body class="login">

<div class="wrap">
	<div class="content">
		<h1>Welcome to Genesis!</h1>
		<?php
			if (isset($errors['username']) || isset($errors['password']) || isset($errors['username_password'])) {
				echo '<div class="errors">Please enter a username and password!</div>';
			} else if (isset($errors['wrong_username_password'])) {
				echo '<div class="errors">Wrong username and/or password!</div>';
			}
		?>
		<form method="post" action="login.php">
			<div><label for="username">Username:</label><input type="text" name="username" id="username" value="" /></div>
			<div><label for="password">Password:</label><input type="password" name="password" id="password" value="" /></div>
			<div><input type="hidden" name="confirm_login" value="true" /></div>
			<div><input type="submit" name="submit" value="Login" /></div>
		</form>
		<ul>
			<li><small><a href="/genesis/admin/login.php?forget=true">Forget your username/password?</a></small></li>
		</ul>
	</div> <!-- END: .content -->
	<div class="footer"></div> <!-- END: .footer -->
</div> <!-- END: .wrap -->

</body>

</html>
2

Add this line to the else clause:

echo $mysqli->error;

3

Have a look at the actual query being run


$query = "SELECT username, password FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";

echo $query; die();

If there is no obvious error in the outputed query, copy and paste it into an sql window and run it there and see if it returns 1 row.