Simple login form trouble.

[A_Olle]

I'm trying to make a simple login form for my page. Here is my html:

<?php include "database.php"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Olle's FileShare</title>
<link rel="stylesheet" type="text/css" href="styles/main.css" />
</head>
<body>
	<?php include "view/header.php" ?>
	<div id="main">    
      
    <form method="post" action="database.php" name="loginform" id="loginform">  
    <fieldset>  
        <label for="username">Username:</label><input type="text" name="username" id="username" /><br />  
        <label for="password">Password:</label><input type="password" name="password" id="password" /><br />  
        <input type="submit" name="login" id="login" value="Login" />  
    </fieldset>  
    </form>   
    </div>
	
</body>
</html>

And this is my database.php file that connects to my umm... database. :

<?php
	
	$dsn= 'mysql:host=localhost; dbname=file_share';
    $username= 'root';
    $password= '';
    
    try {
    	$db= new PDO($dsn, $username, $password);
        echo '<p>You are connected to the database!</p>';
    } catch (PDOException $e) {
    	$error_message= $e->getMessage();
        echo "<p>An error occured while connecting to the database: $error_message </p>";
        }
		//Get the input from form
		$username= $_POST['username'];
		$userpassword= $_POST['password'];
		//Secure the input
		$username= mysql_real_escape_string($_POST['username']);
		$userpassword= mysql_real_escape_string($_POST['password']);
		
		//Check the input against the database
		$query = "SELECT COUNT(`username`) AS `total` FROM `user` WHERE `username` = '$username' AND `password` = '$userpassword'";
	    $result = mysql_query($query);
	    $row = mysql_fetch_assoc($result);
	   
	    if($row['total'] == 1) {
			$_SESSION['loggedIn']= "true";
			header("Location: index.php");
		}

?>

My database is called "file_share" while my table is called "users". Whenever i try to login, it says account not found. I know it's there as I created the table myself with only 2 users currently entered. Neither one works. Any help would be greatly appreciated!

[mac_gyver]

you are using the PDO database library for your database connection. you must use PDO statements throughout the rest of the code.

 

you need to have php's error_reporting set to E_ALL (always) and display_errors set to ON to get php to help you. each of the mysql_ database statements will be producing php errors that would have alerted you to the mismatch between your database connection using PDO and the rest of the statements not having a connection of the type they use.

[A_Olle]

Ok...thank you. So would it be easier to change that from the PDO connection to a mysql_connect (?) or change my other statements? Also, any chance you could give me an example of a query using a PDO statement?

[mac_gyver]

the mysql_ extension is depreciated as of php5.5 and should not be used for new code.

 

you need to either use the mysqli or PDO database libraries.

 

there are countless examples posted all over the place. start with the basic examples posted in the php.net documentation.

[A_Olle]

Ok...thanks!

[A_Olle]

Ok...this is what I came up with:

<?php
	
	$dsn= 'mysql:host=localhost; dbname=file_share';
    $username= 'root';
    $password= '';
    
    try {
    	$db= new PDO($dsn, $username, $password);
        echo '<p>You are connected to the database!</p>';
    } catch (PDOException $e) {
    	$error_message= $e->getMessage();
        echo "<p>An error occured while connecting to the database: $error_message </p>";
        }
		$sql= 'SELECT *
               FROM `Users`
               WHERE `Username` = :username
               AND `Password` = :password
               LIMIT 1';  //SQL query with named placeholders

        $stmt = $db->prepare($sql);  //Returns a PDOStatement class object
		
		if( isset($_POST['username'],$_POST['password'])
           && !empty($_POST['username']) && !empty($_POST['password']) )
{
              $username = $_POST['username'];
              $password = hash('md5',$_POST['password']);  
			  
			  $stmt->bindParam(':username',$username,PDO::PARAM_STR,16);
              $stmt->bindParam(':password',$password,PDO::PARAM_STR,16);
			  $stmt->execute();
              $result = $stmt->fetch(PDO::FETCH_ASSOC);
}
	   
	    if($stmt->rowCount() > 0) {
			$_SESSION['loggedIn']= "true";
			header("Location: index.php");
		}
		

?>

Now, this eliminated any error messages, and redirects to "index.php", but it doesn't matter what you put in for login or password...it just goes regardless.  ??

[mac_gyver]

you need to stick with ONE thread for any ONE problem. i have removed your other co-thread and moved this one to the php help forum (it's not actually a mysql problem. it's a php how to get to the point of having a mysql query statement problem.)

[A_Olle]

Ok..sorry. First night posting in here.

[A_Olle]

I just wanna know if I'm on the right track....but also, why it doesn't seem to be actually, checking the database.

[Ch0cu3r]

I have tested your code and it does work when the correct username/password is entered.

 

You need to debug your code firther to see where it is failing. Also you are md5 hashing the posted password, make sure the passwords in the database are also hd5 hashed and not plain text. The query needs to compare the md5 hashes.

 

I have modified your code so it spits out what it is doing as it processes the login. This is the sort of debug steps you need to take when code doesn't work the way you expect it to.

<?php
	
	$dsn= 'mysql:host=localhost; dbname=softlearner';
    $username= 'root';
    $password= 'root';
    
    try {
    	$db= new PDO($dsn, $username, $password);
        echo '<p>You are connected to the database!</p>';
    } catch (PDOException $e) {
    	$error_message= $e->getMessage();
        echo "<p>An error occured while connecting to the database: $error_message </p>";
    }

// only run code below if form has been posted
if($_SERVER['REQUEST_METHOD'] == 'POST') {

	/* Debug */
    printf('What is in $_POST <pre>%s</pre>', print_r($_POST, true));

	if( isset($_POST['username'], $_POST['password'])
        && !empty($_POST['username']) && !empty($_POST['password']) )
	{
        $username = $_POST['username'];
        $password = hash('md5',$_POST['password']);  

        printf('Credentials: <pre>%s</pre>', print_r(array('username' => $username, 'password' => $password), true));

        $sql= 'SELECT *
           FROM `members`
           WHERE `Username` = :username AND `Password` = :password
           LIMIT 1';  //SQL query with named placeholders

    	$stmt = $db->prepare($sql);  //Returns a PDOStatement class object
			  
		$stmt->bindParam(':username',$username,PDO::PARAM_STR,16);
        $stmt->bindParam(':password',$password,PDO::PARAM_STR,16);
		$stmt->execute();
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
	}

	/* debug line */
	$error = $stmt->errorInfo();
	if($error[0] != '00000')
		printf('SQL Error: <pre>%s</pre>', print_r($error, true));
	/* end debug line */

	if($stmt->rowCount() > 0) {
		/*$_SESSION['loggedIn']= "true";
		header("Location: index.php");*/
		echo 'Login ok';
	}
	else
	{
		echo 'Sorry username/password wrong';
	}
}
else
{
	echo 'No post data received';
}
?>

Edited October 3, 2013 by Ch0cu3r

[A_Olle]

Thank you! This worked perfectly.