PHP MySQL Login Failure

Question

I have to create a login system using PHP and MYSQL. The user has to be granted access if his username and password exists in the database. I have the following code but after I enter the fields, it returns to the same page. I'm new to programming in php and stackoverflow. Please help.

    <?php
ini_set('display_errors',1); 
error_reporting(E_ALL);
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server
    $link = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysqli_select_db($link, DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysqli_real_escape_string($str);
    }

    //Sanitize the POST values
    $login = clean($_POST['login']);
    $password = clean($_POST['password']);

    //Input Validations
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: index.php");
        exit();
    }

    //Create query

    $result=mysqli_query("SELECT * FROM login-teachers WHERE login=$login AND password=".md5($_POST['password'])."");

    //Check whether the query was successful or not
    if($result) {
        if(mysqli_num_rows($result) == 1) {
            //Login Successful
            session_regenerate_id();
            $member = mysqli_fetch_assoc($result);
            $_SESSION['SESS_USERNAME'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            session_write_close();
            header("location: member-index.php");
            exit();
        }else {
            //Login failed
            header("location: login-failed.php");
            exit();
        }
    }else {
        die("Query failed");
    }
?>

`mysql_error()` that doesn't mix with `mysqli_` and `mysqli_real_escape_string()` requires a db connection. You're also not connecting here `$result=mysqli_query("SELECT...` — Funk Forty Niner, Nov 24 '15 at 01:06
@Drew they can be mixed. Not good practice, but mixing OOP and procedural do work together, *strangely enough*. — Funk Forty Niner, Nov 24 '15 at 01:11
a stub [Here on Pastie](http://pastie.org/10577076). Fill in the blanks — Drew, Nov 24 '15 at 01:17

score 5 · Accepted Answer · edited May 23 '17 at 12:25

As I stated in comments:

mysql_error() doesn't mix with the mysqli_ API. Use mysqli_error($link)
http://php.net/manual/en/mysqli.error.php
mysqli_real_escape_string() requires a db connection be passed as the first parameter.
http://php.net/manual/en/mysqli.real-escape-string.php

You're also not connecting here $result=mysqli_query("SELECT...

http://php.net/manual/en/mysqli.query.php

Then we have this SELECT * FROM login-teachers you are using a hyphen. It must be ticked.

SELECT * FROM `login-teachers`

MySQL will interpret that as "login MINUS teachers" and thinking you want to do math.

Having checked for errors, that alone would have thrown you a syntax error.

Sidenote: To avoid ticking, rename your table using an underscore as a seperator, the choice is yours login_teachers.

This AND password=".md5($_POST['password'])."" that is a string.

It needs to read as AND password='".md5($_POST['password'])."'

Sidenote: If $login is a string, then that too needs to be quoted.

Yet, I would totally get rid of that MD5 altogether for password hashing.

You're using MD5 which isn't considered safe to use as a password hashing function. If it's for your own personal use or educational purposes and won't see the light of day on the Web, fine.

Just don't go LIVE with this.

Use one of the following:

CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Other links:

PBKDF2 For PHP
Also check out one of ircmaxell's answers https://stackoverflow.com/a/29778421/1415724 - It uses prepared statements with password_hash() and/or the password-compat (compatibility pack).

Plus, it's unsure if you did save that hash in the first place and if the column's type is correct and its length long enough to hold the hash.

Also unsure if your POST arrays do hold values and that your form has a POST method. Use a conditional !empty() against those.

http://php.net/manual/en/function.empty.php

Check for errors.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Also add or die(mysqli_error($link)) to mysqli_query().

Then this die("Unable to select database"); get the real error mysqli_error($link) should there be any.

You should really switch to PDO with prepared statements or mysqli_* with prepared statements, they're a lot better.

Added note:

I don't know you're using this below, you already declared all 4 parameters above it and it can safely be removed:

$db = mysqli_select_db($link, DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}

and make sure those constants are correctly defined.

PHP MySQL Login Failure

1 Answers1