0

So, I connected my website to MySQL and I made a login form. This is where the values from the textbox are submitted:

<?php
$username = $POST["username"];
$password = $POST["password"];

mysql_connect("localhost","opticon2_rgstr","mario106");
mysql_select_db("opticon2_rgstr");

$result = mysql_query("select * from users where username='$username' and 
password='$password'");
$row = mysql_fetch_array($result);
if ($row['username'] == $username && $row['password'] == $password)
{
echo "Successfully logged in!";
}
else
{
echo "Username or password are incorrect!";
}
?>

I added a user called "admin" with the password "admin" in the database, but even if I type in a wrong username and a wrong password it says: "Successfully logged in!"

  • 4
    Don't use the deprecated and insecure **`mysql_*`-functions**. They have been **deprecated** since PHP 5.5 (in 2013) and were completely removed in PHP 7 (in 2015). Use MySQLi or PDO instead. 2. You are wide open to **[SQL Injections](http://php.net/manual/en/security.database.sql-injection.php)** and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries, which can be used if you use the above mentioned MySQLi or PDO. – Milan Chheda Nov 26 '17 at 08:00
  • 4
    **Never store plain text passwords!** PHP provides [`password_hash()`](https://php.net/manual/en/function.password-hash.php) and [`password_verify()`](https://php.net/manual/en/function.password-verify.php) please use them. If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). Make sure you [**don't escape passwords**](https://stackoverflow.com/q/36628418/5914775) or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – Tom Udding Nov 26 '17 at 08:01
  • 3
    I don't understand your code... you select a user in MYSQL where username and password match, then you do the same condition in PHP, weird – Vincent Decaux Nov 26 '17 at 08:01
  • First check that the query is correct!! ... echo the `$result` and run the displayed query in phpmysql – deemi-D-nadeem Nov 26 '17 at 09:12
  • Possible duplicate of [The definitive guide to form-based website authentication](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – Progman Nov 26 '17 at 10:10

2 Answers

2

You have an error at the very first line. It should be $_POST and not $POST. Correcting that should fix your code. Secondly,

$result = mysql_query("select COUNT(*) as count from users where username='$username' and 
password='$password'");
$row = mysql_fetch_array($result);
if($row['count'] > 0) {
    echo "Successfully logged in!";
}

Though as I commented above, don't use the deprecated and insecure `mysql_*`-functions. They have been deprecated since PHP 5.5 (in 2013) and were completely removed in PHP 7 (in 2015). Use MySQLi or PDO instead. 2. You are wide open to SQL Injections and should really use Prepared Statements instead of concatenating your queries, which can be used if you use the above mentioned MySQLi or PDO.

Milan Chheda
0

For now the below code will work for you.

Here I have changed your mysql-function to mysqli-function because mysqli function is deprecated since PHP5.5.

Your code is not free from SQL injection, so you should look into prepared statements.

You can also use the password_hash() or password_verify() function to ensure more security for the password.

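$username = $_POST["username"];
$password = $_POST["password"];

// Connect with mysqli; on failure $con is false, so report via mysqli_connect_error()
$con = mysqli_connect("localhost","opticon2_rgstr","mario106");
if (!$con) {
    die('Could not connect to server: ' . mysqli_connect_error());
}
mysqli_select_db($con, "opticon2_rgstr") or die('Database could not be connected: ' . mysqli_error($con));

// Still built by string concatenation, so still open to SQL injection (see the note on prepared statements above)
$result = mysqli_query($con,"select * from users where username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count > 0) {
    $row = mysqli_fetch_assoc($result);
    if ($row['username'] == $username && $row['password'] == $password)
    {
        echo "Successfully logged in!";
    }
    else
    {
        echo "Username or password are incorrect!";
    }
}
else
{
    // No matching row: report the failure instead of printing nothing
    echo "Username or password are incorrect!";
}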
Sushank Pokharel
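
The approach the comments and both answers point to (a prepared statement plus `password_hash()` / `password_verify()`), as an added example that is not code from the question or either answer. It assumes PDO with an in-memory SQLite database and a hypothetical `users` table with a `password_hash` column; `make_demo_db()` and `check_login()` are illustrative names.

```php
<?php
declare(strict_types=1);
// Added example. Assumptions: PDO with in-memory SQLite, a `users` table with a
// `password_hash` column, and a constructed sample account (admin / admin).

function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // Store only the hash; the raw password goes into password_hash() unescaped.
    $ins->execute(['admin', password_hash('admin', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $username, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: verify against a dummy hash so both paths cost about the same.
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, (string) $hash);
}

// In the form handler the inputs would come from $_POST['username'] ?? '' and
// $_POST['password'] ?? ''; the attempts below are constructed sample input.
$pdo = make_demo_db();
$attempts = [
    ['admin', 'admin'],      // correct credentials
    ['admin', 'wrong'],      // wrong password
    ['nobody', 'wrong'],     // unknown user
    ["ad'min", "it's"],      // quotes are bound as data, not parsed as SQL
];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($pdo, $user, $pass);
    echo $user, ': ', $ok ? 'Successfully logged in!' : 'Username or password are incorrect!', "\n";
}
```

This needs PHP 7.4 or later with the pdo_sqlite extension; `check_login()` works unchanged against MySQL when the PDO object is created with a MySQL DSN and credentials.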