Aron2996 Posted March 6, 2014

I'm trying to get the login feature for my website and I feel I'm almost there.. but whenever I try the feature with a valid username and password I get the echo ("Sorry, your credentials are invalid, Please try again") for an invalid username and/or password.

```php
<?php
error_reporting(E_ALL);
include("function.php"); //connection to Database is defined in function.php

$host = "localhost"; //Host Name
$username = "username"; //MySQL username
$password = "password"; //MySQL password
$db_name = "database"; // Database Name
$tab_name = "users"; // Table Name

// Grab User submitted information
$username = $_POST["username"];
$password = $_POST["password"];

// Connect to the database
$con = mysql_connect("localhost","root","");

// Make sure we connected successfully
if(! $con)
{
    die('Connection Failed'.mysql_error());
}

// Select the database to use
mysql_select_db("database")or die("cannot connect to DB");

$sql = "SELECT * FROM $tab_name WHERE username='$username' and password='$password' limit 1";
$result = mysql_query($sql);

while ($row = mysql_fetch_array($result));

if($row["username"]==$username && $row["password"]==$password)
    header("Location: http://localhost/SITE/Homepage.htm");
    //echo"You are a validated user.";
else
    echo"Sorry, your credentials are not valid, Please try again.";
?>
```

Any suggestions that can ameliorate my situation would be greatly appreciated! (Been working on this for more than 2 weeks)

ginerjm Posted March 6, 2014

You don't reference a valid table name in your query as far as your code shows. You don't check to ensure the query statement actually ran. Is your username possibly a multi-word value? You don't include it in quotes in your test, which btw is meaningless since your query could only possibly obtain a match already.

You turned on error checking but you don't display them. Are you checking your error log to see if there is a message there? Since this is in test still and not open to the public yet, try turning on 'display_errors' so you can see them as you test.

sKunKbad Posted March 6, 2014

You are on the path to destruction with this login script. You're not validating or escaping the variables that are being placed right into the query. You're also not hashing your passwords. Take a look at PDO or mysqli prepared statements, and hashing passwords is an absolute must.

Also, unless you plan to take a long journey to learn all the ins and outs of authentication, you're better off using somebody else's code. I suggest a framework like Laravel, which has built-in auth. Even on sites that are very small, you compromise your user's personal email accounts and more when you use weak authentication.

mac_gyver Posted March 6, 2014 (Solution)

the main reason your code isn't producing the result you expect is your while(){} loop, which you don't need anyway. after the end of your (empty) while loop, $row is a false value (the last value assigned to it.)

since your query is expected to match either zero or one row, there's no point in using a loop to fetch the result from the query (if you did have a need to use a loop to fetch data from a query, you would use the fetched data inside the loop.)

for your purpose, you would first test if the query worked at all, then test if it matched any row(s) to know if the username/password being tested in the query matched a row in the database table. then you would use just $row = mysql_fetch_array($result); (or even better yet learn to use the mysqli or PDO functions as has already been stated) to fetch that row (assuming you need to retrieve the user id for that row to remember who the logged in user is in a session variable.)
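
The points raised in the replies above, combined into one added example (not code from any poster in this thread): a PDO prepared statement, a single fetch in place of the empty while loop, and password_hash()/password_verify() instead of comparing plain-text passwords. The in-memory SQLite table, its column names, the sample accounts and the helper name check_login() are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table stands in for the MySQL
// `users` table so the script runs offline. Column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Registration side: store only a salted hash, never the password itself.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);

/**
 * Returns the matching user's id, or null when the credentials are not valid.
 * check_login() is a hypothetical helper, not part of PDO or any framework.
 */
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // The username is bound as a parameter, so quotes in it are data, not SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);

    // Zero or one row is expected: fetch once, no loop.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such user
    }
    // Compare the submitted password against the stored hash.
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

// Constructed login attempts: valid, wrong password, quote in username, unknown user.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["o'brien", 's3cret'],
    ['mallory', 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $id = check_login($pdo, $user, $pass);
    // In the real page: on success call session_regenerate_id(true), store $id in
    // $_SESSION, send the Location header and exit; otherwise show the error message.
    printf("%-10s => %s\n", $user, $id === null ? 'rejected' : "logged in as user id $id");
}
```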