1

I've made this code to log in to a site, but my code always returns "Onjuiste gegevens" (incorrect data). I don't know why.

In my database I have made 1 account with username: sander and password: sander. When I enter this in the form I still get "Onjuiste gegevens". Could someone please help me to fix this?

<?php
$conn = mysqli_connect("localhost", "root", "", "login");


if (isset($_POST['inloggen'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM users WHERE username = '$username' AND '$password'";

    $result = mysqli_query($conn, $query);

    if (mysqli_num_rows($result) == 1) {
        echo "Juiste gegevens!";
    } else {
        echo "Onjuiste gegevens!";
    }

    echo "<br />";
}
?>
<form method="post" action="">
    <label>Username</label>
    <input type="text" name="username"/><br />
    <label>Password</label>
    <input type="password" name="password"/><br />

    <input type="submit" name="inloggen" value="Inloggen"/>

</form>
1
  • 2
    Passwords should not be saved as plain text; instead, one calculates and stores a hash. Have a look at the password_hash() function. In this case you only search by username (not by password), and afterwards you check the entered password against the hash stored in the database with password_verify(). Commented Feb 22, 2016 at 13:21

4 Answers 4

4

There's a problem with your query, you've missed out password, it should be:

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

Also, you should prevent MySQL Injection:

$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

Read more about mysqli_real_escape_string() at http://www.w3schools.com/php/func_mysqli_real_escape_string.asp.

Also read up on MySQLi Prepared Statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php, it's a good way to prevent MySQL Injection.

Tip: Remember to store passwords hashed for security purposes. Do not store them as plain-text.


2 Comments

@SanderBakker You can prevent MySQL Injection using mysqli_real_escape_string
Learn about prepared statements for MySQLi. This is a much better way of helping to prevent SQL injection attacks.
0

Your query is not valid. You're forgetting the password column in your database.

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

Besides having a wrong query, the query is open for sql injections.

6 Comments

Thanks. I got it working now! Any guide for protection against SQL injections?
Yes, either use prepared statements or escape input with mysqli_real_escape_string.
Is it also possible to add a third thing to my query like "repeat password"? If so, what would be my query?
Well, it's possible, but why would you want 2 password fields in your database?
For safety. Saw it on some websites but got it covered already.
0

Try this

$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

which improves security by using mysqli_real_escape_string() for post variables.

mysqli_real_escape_string() - Escapes special characters in a string for use in an SQL statement.

http://php.net/manual/en/mysqli.real-escape-string.php

1 Comment

Why should the OP "try this"? A good answer will always have an explanation of what was done and why it was done that way, not only for the OP but for future visitors to SO.
0

Your query's logic is wrong, you forgot the password:

SELECT * FROM users WHERE username = '$username' AND password='$password'
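
The advice repeated in the comment and answers above (look the user up by username with a prepared statement, then check the password with password_verify() against a stored hash) combined into one handler. This is an added example, not code from any of the posts; it reuses the form and connection settings from the question and assumes a hypothetical `password_hash` column in `users` that was filled with password_hash() when the account was created.

```php
<?php
// Added example. Assumption: `users` has a `password_hash` VARCHAR(255) column
// (hypothetical name) filled at registration with
// password_hash($plainPassword, PASSWORD_DEFAULT).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function check_login(mysqli $conn, string $username, string $password): bool
{
    // The username is bound to the placeholder and sent separately from the
    // SQL text, so quotes in the input cannot change the query.
    $stmt = $conn->prepare("SELECT password_hash FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = ($stmt->fetch() === true); // null when no row matches
    $stmt->close();

    // Verify against a throwaway hash when the user is unknown, so both
    // paths do the same amount of work.
    $dummy = password_hash("placeholder", PASSWORD_DEFAULT);
    $valid = password_verify($password, $found ? $hash : $dummy);
    if (!$found || !$valid) {
        return false;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since it was made.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE users SET password_hash = ? WHERE username = ?");
        $upd->bind_param("ss", $newHash, $username);
        $upd->execute();
        $upd->close();
    }
    return true;
}

if (isset($_POST['inloggen'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    // Reject array-valued fields such as username[]=x before they reach the query.
    $ok = is_string($username) && is_string($password);
    if ($ok) {
        $conn = mysqli_connect("localhost", "root", "", "login");
        $ok = check_login($conn, $username, $password);
    }
    // One message for every failure, so the page does not reveal which field was wrong.
    echo $ok ? "Juiste gegevens!" : "Onjuiste gegevens!";
    echo "<br />";
}
```

With this layout the password never appears in the SQL at all, so the original bug (a `WHERE` clause missing `password =`) cannot recur and the password column holds nothing reusable if the table leaks.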
