-1

I am working on a test login-check with PHP/HTML and MySQL. I got it working great; it successfully connects to the database, it can grab my database values and save them in a variable, etc., but I ran into one slight problem.

I'm using two PHP pages to do the check. The login.php page, which only contains the forum, and the welcome.php page, which does the database connecting. When I ran a test page to just have it echo the database info, it printed out right (testUser, testEmail@email.com, testPassword, 1/1/1900). So when I tried to run my login-authentication check, it just says 'Unknown user!' twice, even when I try the usernames 'usr', 'testUser', and 'testUser2' (I made two tables, and the second one is the same with 2 added to the end). Here's my code.

<html>
    <head>
        <?php
            $title = ucfirst(basename($_SERVER['PHP_SELF'], ".php"));
            echo "<title>$title</title>";
        ?>
    </head>
    <body>
        <form name="form" accept-charset="utf-8" action="welcome.php" method="post">
            <span class="header">Username</span><input type="text" name="usr" value="usr"></input><br>
            <span class="header">Password</span><input type="text" name="pass" value="pass"></input>
            <input type="submit">
        </form>
    </body>
</html>

<?php
    $servername = removed;
    $username = removed;
    $password = removed;
    $dbname = removed;

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    } 

    $sql = "SELECT ID, USER, PASSWORD FROM usrdatabase";
    $result = $conn->query($sql);

    if ($result->num_rows > 0) {
        // output data of each row
        while($row = $result->fetch_assoc()) {
            // the given info from the form
            $usrUser = $_POST["usr"];
            $usrPass = $_POST["pass"];
            // convert the findings to uppercase to get rid of sensitivity
            if (strtoupper($usrUsr) == strtoupper($row["USER"]) && strtoupper($usrPass) == strtoupper($row["PASSWORD"])) {
                echo "Welcome $usrUser!<br>Your login was successful! ?>";
            }
            elseif (strtoupper($usrUsr) == strtoupper($row["USER"]) && strtoupper($usrPass) != strtoupper($row["PASSWORD"])) {
                echo "Login failed as $usrUser!";
            }
            else {
                echo "Unknown user!";
            }
        }
    } else {
        echo "0 results";
    }
    $conn->close();
?>

This always produces a 'Unknown user!' Is there something wrong with my check? I want it to go through each user in the database to check the info with each existing user.

The Gaming Hideout
  • 34
  • 10
  • 2
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 08 '16 at 19:24
  • You should really only retrieve the single user from the database, rather than getting all of them an looping through. That is really inefficient and will cause headaches as your number of users grows. – Jay Blanchard Jan 08 '16 at 19:25
  • 2
    Storing plain-text passwords in the DB makes this question **definitly** unethical to answer. – Eugen Rieck Jan 08 '16 at 19:26
  • 1
    Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jan 08 '16 at 19:33
  • If it were me, I'd make my conditionals very small to see where it is hosing up. Take out everything except that first conditional and whittle that conditional until you see what's going on. – johnny Jan 08 '16 at 19:33
  • here is a mysqli (and a pdo link at bottom) login form or routine to check out http://stackoverflow.com/a/33665819/1816093 It should embody all that people are warning you about here. – Drew Jan 08 '16 at 23:16

2 Answers2

1

hey i see your if else contains $usrUsr shoudn't it be $usrUser ? (forgot the e)

Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
MisterCat
  • 1,531
  • 3
  • 13
  • 23
1

Change

strtoupper($usrUsr) == strtoupper($row["USER"])

To

strtoupper($usrUser) == strtoupper($row["USER"])

Fetch single user from the database by using the username since they are unique for each user.

$sql = "SELECT ID, USER, PASSWORD FROM usrdatabase WHERE USER = '" . mysqli_real_escape_string($_POST['usr']) . "' AND PASSWORD = '"  . mysqli_real_escape_string($_POST['pass']) . "'";
aayush93
  • 99
  • 1
  • 3