Web Design Forum: PHP login page MYSQL user Retrieval - Web Design Forum

PHP login page MYSQL user Retrieval: index, login, logout

#1 designerdrew

Posted 08 June 2009 - 07:43 PM

Having trouble with this code, trying to login to a name ID etc in my database, but you are logged in to any name you input.
index.php:
<?php
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', True);

session_start();
?>

<html>
<head>
	<title>My login</title>
</head>
<body>
	<div></div>
	<?php if (isset($_SESSION['username'])) { ?>
	You are now logged in
	<a href="logout.php">Logout</a>
	<?php } else { ?>
	<form action="login.php" method="post">
		username: <input name="username" type="text" />
		password: <input name="password" type="password" />
		<input type="submit" />
	</form>
	<?php } ?>
	<!-- Output Error -->
	<?php if (in_array('error',$_SESSION)) echo $_SESSION['error']; unset($_SESSION['error']); ?>
</body>
</html>


login.php:
<?php
session_start();

$db_host = 'localhost';
$db_user = 'root';
$db_pass = '';
$db_db = 'users';



if (isset($_POST['username']))
{
	// Mysql Connection
	$db_link = mysql_connect($db_host, $db_user, $db_pass)
		or die('MySQl Connection Error:'.mysql_error());
	mysql_select_db($db_db)
		or die('MySQL Error: Cannot select table');
	
	$username = mysql_real_escape_string($_POST['username']);
	$password = mysql_real_escape_string($_POST['password']);
	
	// MySQL Query
	$result = mysql_query("SELECT * FROM users 
		WHERE username = '$username' AND password = '$password' ");
		
	if(!$result) {
		$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
	} else {
		// Mysql fetch row results
		$row = mysql_fetch_assoc($result);
		
		$_SESSION['userid'] = $row['id'];
		$_SESSION['username'] = $username;
		$_SESSION['error'] = 'Login successful<br> Welcome, '.$username;
	}
	mysql_close($db_link);

}

header('Location: ./');
exit; // stop here so nothing else runs after the redirect header
?>


logout.php:
<?php
session_start();

if (isset($_GET['logout']))
{
	$_SESSION = array();
	if (isset($_COOKIE[session_name()])) // isset() avoids a notice when no session cookie was sent
	{
		setcookie(session_name(), '', time()-42000, '/');
	}
	session_destroy();
	header('Location: ./');
}

?>


Thanks Drew

#2 dt17

Posted 08 June 2009 - 07:59 PM

Do you have an online example of this? Just so I can see if you are getting any of your error messages echoed out etc.
+1 if I've helped you! :)

ZigPress, on Jun 3 2009, 15:02, said:

You have a decision to make - to be a designer, a developer, or a develosigner LOL...

#3 MrBrightside

Posted 08 June 2009 - 08:04 PM

Your problem is with this line:
if(!$result) {

It only checks to see if the variable called result is 0 or false, which always returns false because the results of your SQL query are stored in that variable, regardless of whether any rows are returned or not. This is not what you want, because you want it to be true when the login fails, and false if the login succeeds.

To make it work, change that to:
if(mysql_num_rows($result) !== 1) {

Which tells it to check if only 1 row is not returned from the result - because you're checking if the login fails. This statement will return true if the login failed, and false if the login worked. If it's true the error message is set, otherwise the login info is set.

I'd also set a limit of 1 on your query:
WHERE username = '$username' AND password = '$password' LIMIT 1");


For better security, you should hash the passwords in your database and not store them as plain text. You can choose any hashing algorithm you like such as MD5 or SHA1.

When you're creating a user account just hash it before inserting to the database:
$password = md5($password);

and then in your login script, hash the provided password
$password = md5(mysql_real_escape_string($_POST['password']));


Hashing is basically one-way encryption. It encrypts the password, and theoretically it can never be decrypted. So storing a hashed password means hackers can't get anyone's password even if they manage to break into your database (although a method called rainbow tables can get insecure passwords).

You might also want to have a look at salting passwords (which prevents people using rainbow tables to decrypt your hashes) depending on how secure you want your application to be.
Looking for freelance work? Try Freelance Chance

"Perfection is achieved not when there is nothing more to add, but when there is nothing left to take away." (Antoine de St-Exupery)
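
Added example (not part of the original thread or of any poster's code): the login check and the salting advice from post #3 in one runnable script. It swaps the thread's mysql_* calls for PDO prepared statements and uses PHP's password_hash()/password_verify() instead of md5(); the in-memory SQLite database, the table layout and the sample accounts are assumptions constructed for the example.

```php
<?php
// Added example. The schema and accounts are constructed; SQLite in memory
// stands in for the poster's MySQL database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() draws a fresh random salt and embeds it in its output.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): ?int
{
    // Bound parameters replace escaping plus string interpolation.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A query that ran but matched no row is not a failed query, so the
    // decision is made on the fetched row, never on the statement handle.
    if ($row === false) {
        return null;
    }
    // Salted hashes differ per account and cannot be matched in the WHERE
    // clause; the stored hash is verified in PHP instead.
    return password_verify($password, $row['password_hash'])
        ? (int) $row['id'] : null;
}

register_user($pdo, 'alice', 'correct horse');   // constructed accounts
register_user($pdo, 'bob', 'correct horse');     // same password on purpose

var_dump(check_login($pdo, 'alice', 'correct horse')); // valid credentials
var_dump(check_login($pdo, 'alice', 'wrong'));         // wrong password
var_dump(check_login($pdo, 'mallory', 'anything'));    // unknown username

// Same password on two accounts: md5() gives both the same digest, which is
// what a precomputed table exploits; the salted hashes are not equal.
$stored = $pdo->query('SELECT password_hash FROM users ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored[0] === $stored[1]);
```

In login.php, only a non-null return from check_login() should set $_SESSION['userid'], ideally after a call to session_regenerate_id(true).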

#4 designerdrew

Posted 09 June 2009 - 06:14 AM

o.k. that works, but when I login it doesn't show the welcome and username message? also when entering the wrong name/password no error message shows, just returns to the start

#5 MrBrightside

Posted 09 June 2009 - 08:50 AM

<?php if (in_array('error',$_SESSION)) echo $_SESSION['error']; unset($_SESSION['error']); ?>

should be
<?php if (isset($_SESSION['error'])) echo $_SESSION['error']; unset($_SESSION['error']); ?>


#6 designerdrew

Posted 09 June 2009 - 06:30 PM

o.k. works brilliant.
I know this is a big ask but what code would be added or separate page to add new users to database in a session +logout?
Regards Drew

#7 MrBrightside

Posted 09 June 2009 - 07:44 PM

Do you just mean a registration page?
If so then it's pretty easy to do:
First create a form in HTML asking for the required fields.
In your PHP have a check to see if the form was submitted, and then perform any necessary validation.
If everything is valid then use a MySQL insert statement to store everything into the database.

Have a search on this forum for contact forms, which should give you plenty of info on how to process forms and perform validation.
Have a look at W3Schools for info on MySQL inserts with PHP - linky

#8 designerdrew

Posted 09 June 2009 - 10:36 PM

Many thanks, I'm getting my head around it slowly, used W3 schools to perfect my CSS skills. Got to be a developer not a designer in these times.
Never stop trying and learning.....
Regards Drew, I'm outa here.