PHP Login Script Need Help Please

[Syst3m]

Hey so this is my login script but when i enter something into the username and password box and submit it, the page just refreshes.

 

<?php


echo "


<h1>LOGIN</h1>
<form action='' method='POST'>
<table>
<tr>
<td>
<b>Username:</b>
</td>
<td>
<input type='text' name='username' placeholder='Enter your username'>
</td>
</tr>
<tr>
<td>
<b>Password:</b>
</td>
<td>
<input type='password' name='password' placeholder='Enter your password'>
</td>
<td>
<input type='submit' value='login' name='submit'>
</td>
</tr>
</form>
";


$host = "localhost";
$username = "root";
$password = "";
$db_name = "website";


mysql_connect("$host", "$username", "$password") or die("Could not connect");
mysql_select_db("$db_name") or die("Could not find database");


if(isset($_POST['submit'])) {
if(!empty($_POST['username'])) {
$sql = "SELECT * FROM members WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);


if($count==1) {
$row = mysql_fetch_array($sql);
$bancheck = mysql_query($row);
if($row['active']==0 && count==0) {
include 'userban.html';
} else if($count==1 && $bancheck==1) {
$_SESSION['username'] = "$username";
include '/home/user/index.php';
} else {
echo "You entered invalid information";
}
}
}
}


?>

Edited October 19, 2014 by Ch0cu3r

[jcbones]

1. Don't use mysql functions, they are depreciated.  Use PDO or mysqli.

2. You are not sanitizing any inputs, this is bad, and can lead to server hijacks.

3. You do not have error checking or display errors set (you should have this enabled for all development), or you would see multiple problems with this code.

Top of script

error_reporting(-1);ini_set('display_errors',1);

4. You are checking each username against your database password.

5. You are trying to query the database with an array from the database.

$row = mysql_fetch_array($sql);$bancheck = mysql_query($row);

6. You are trying to use a constant that hasn't been defined, perhaps you mean it to be a variable (php will try to interpret it as a string, which means it will always fail in this instance).

if($row['active']==0 && [b]count[/b]==0) {

That is all I see at a quick glance.

Edited October 18, 2014 by jcbones

[Syst3m]

I am now getting this error Catchable fatal error: Object of class mysqli could not be converted to string in /home/nebulafiles/public_html/testlog.php on line 11

<?phperror_reporting(-1);ini_set('display_errors',1);




$host = "localhost";
$username= "nebulafi_syst3m";
$password = "Kuxx#Hd6u9gC";
$db_name = "nebulafi_syst3m";


$connect = mysqli_connect("$host", "$username", "$password")or die("Connection Failed.");
$selectdb = mysqli_select_db("$db_name", "$connect")or die("DB Not Found.");




?>
    
                 <html>
<h1>LOGIN</h1>
<form action='' method='POST'>
<table>
<tr>
<td>
<b>Username:</b>
</td>
<td>
<input type='text' name='username' placeholder='Enter your username'>
</td>
</tr>
<tr>
<td>
<b>Password:</b>
</td>
<td>
<input type='password' name='password' placeholder='Enter your password'>
</td>
<td>
<input type='submit' value='login' name='submit'>
</td>
</tr>
</form>
</html>

Edited October 19, 2014 by Ch0cu3r

[ginerjm]

That means that the connect failed.

 

Also you didn't finish your table.

[Ch0cu3r]

Using mysqli is not as simple as just placing i infront of mysql in the function names.

 

Look at the mysqli documentation for how to use it correctly.

 

Also please wrap code within

tags when pasting code.

[Syst3m]

ok