
When I use my login form, it states that there is no user, however my login details are correct. I can't seem to see what's up in the form. Thank you for your help!

```php
<?php
include("connect.php");
if(isset($_POST['submit'])){
 $username=$_POST['username'];
 $password=$_POST['password'];
 //Protect against MySQL injection
 $username=stripcslashes($username);
 $username=mysqli_real_escape_string($username);
 $username=htmlspecialchars($username);

 $password=stripcslashes($password);
 $password=mysqli_real_escape_string($password);
 $password=htmlspecialchars($password);
 //Run query against the database
 $sql="SELECT * FROM officers WHERE username='$username' AND password='$password'";
 $result=mysqli_query($sql);
 //Count the number of MySQL rows [if the user is found, the row count must be 1]
 $row=mysqli_num_rows($result);
 //Fetch user information from the database
 $userinfo=mysqli_fetch_assoc($result);
 $role=$userinfo['role'];

 if($row==1){
  //Initialize SESSION according to the user's role
  $_SESSION['login_user']=$username;
  $_SESSION['role']=$role;
  if($role=='admin'){ 
  header('location:admin.php');
  }
  if($role=='user'){

  header('location:user.php');
  }

 }else{
  echo "No User Found by Given Information";
 }

}

?>
```
natstv
  • **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Jan 26 '18 at 22:49
  • The script will abort, as the connection object from connect.php must be passed into mysqli_query() as the first argument. Error-reporting needs to be turned on; if it was, you would see an error message pointing out that problem. Also, session_start() must be called before doing anything with $_SESSION variables. – FilmFiddler Jan 27 '18 at 00:39
  • Similar problem with the real_escape_string function - it also requires the connection object as the first argument. – FilmFiddler Jan 27 '18 at 03:10
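The comments above point at three separate defects: the mysqli calls are missing the connection object, `session_start()` is never called, and the password is escaped and compared in plain text. The following is an added example, not the asker's code or an answer from the thread, showing one login handler that addresses all of them together. It assumes that `connect.php` defines `$conn` as a `mysqli` connection object, that the `officers` table stores a `password_hash()` digest in a column named `pass_hash` (both names are assumptions), and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example (not the asker's code). Assumptions: connect.php defines $conn as a
// mysqli object; officers has columns username, role and pass_hash, where pass_hash
// holds the output of password_hash($password, PASSWORD_DEFAULT) from registration.
session_start();                                            // before any $_SESSION access
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // turn silent failures into exceptions
include("connect.php");

if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // A prepared statement keeps the input out of the SQL text, so no escaping or
    // htmlspecialchars() is needed here. The password is passed through untouched,
    // otherwise the hash comparison below would fail for any password with special characters.
    $stmt = $conn->prepare("SELECT role, pass_hash FROM officers WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $userinfo = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // "No such user" and "wrong password" take the same path, so the response
    // does not tell the client which of the two failed.
    if ($userinfo !== null && password_verify($password, $userinfo['pass_hash'])) {
        session_regenerate_id(true);                        // fresh session id on login
        $_SESSION['login_user'] = $username;
        $_SESSION['role']       = $userinfo['role'];

        if ($userinfo['role'] === 'admin') {
            header('Location: admin.php');
        } else {
            header('Location: user.php');
        }
        exit;                                               // stop output after the redirect
    }

    echo "No User Found by Given Information";
}
```

The `exit` after `header()` matters: without it the rest of the script keeps running after the redirect is sent, which is how role-protected pages end up leaking content to unauthenticated requests. On the registration side the matching call is `password_hash($password, PASSWORD_DEFAULT)`, stored as-is in `pass_hash`; the column should be wide enough for future algorithm changes (the PHP manual suggests 255 characters).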

1 Answer


Consider using different column names other than password or username.

AFAIK password is a keyword / reserved word according to native SQL. You can use "u_pass" or something similar other than "password".

Same applies for username. Consider changing it to user_name or u_name for the query to work correctly.

Maddy Blacklisted