My code checks whether the username exists in the database; however, if the password is incorrect or empty the user can still log in (redirected to welcome.php). How can I implement it so that the password has to be correct as well as the username?
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $servername = "localhost";
    $username = "root";
    $password = "root";
    $dbname = "logreg";
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    $user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));
    // Only the username is looked up; $_POST['password'] is never read or compared
    $query = "SELECT `username` FROM `users` WHERE `username` = '$user'";
    $result = $conn->query($query);
    if ($result->num_rows > 0) {
        header('Location: welcome.php');
        die();
    } else {
        $message = 'user does not exist';
    }
}
?>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Log In</title>
    <link type="text/css" rel="stylesheet" href="css/bootstrap.css"/>
    <link type="text/css" rel="stylesheet" href="css/bootstrap.min.css"/>
    <link type="text/css" rel="stylesheet" href="css/bootstrap-theme.css"/>
    <link type="text/css" rel="stylesheet" href="css/bootstrap-theme.min.css"/>
    <link type="text/css" rel="stylesheet" href="css/styles.css"/>
    <link href='http://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
</head>
<body>
<div class="header">
<div class="body">
    <div id="loginbox" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
        <div class="panel">
            <div class="panel-heading">
                <div class="panel-title"><h1>Sign In</h1></div>
                <div style="float:right; font-size: 80%; position: relative; top:-10px"><a href="passreset.html">Forgot password?</a></div>
            </div>
            <div style="padding-top:30px" class="panel-body">
                <div style="display:none" id="login-alert" class="alert alert-danger col-sm-12"></div>
                <form id="loginform" class="form-horizontal" role="form" action="index.php" method="post" enctype="multipart/form-data">
                    <h4><?php if (isset($message)) : ?>
                        <div class="error"><?php echo $message; ?></div>
                    <?php endif; ?></h4>
                    <div style="margin-bottom: 25px" class="input-group">
                        <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
                        <input id="username" type="text" class="form-control" name="username" value="" placeholder="username">
                    </div>
                    <div style="margin-bottom: 25px" class="input-group">
                        <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
                        <input id="login-password" type="password" class="form-control" name="password" placeholder="password">
                    </div>
                    <div class="input-group">
                        <div class="checkbox">
                            <label>
                                <input id="login-remember" type="checkbox" name="remember" value="1"> Remember me
                            </label>
                        </div>
                        <div style="margin-top:10px" class="form-group">
                            <!-- Button -->
                            <div class="col-sm-12 controls">
                                <input type="submit" value="Log In">
                            </div>
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-12 control">
                            <div style="border-top: 1px solid #888; padding-top:15px; font-size:85%">
                                Don't have an account?
                                <a href="register.html" onClick="$('#loginbox').hide(); $('#signupbox').show()">
                                    Sign Up Here
                                </a>
                            </div>
                        </div>
                    </div>
                </form>
            </div>
        </div>
    </div>
    <div style="border-top: 1px solid #999; padding-top:20px" class="form-group">
    </div>
</div>
</div>
</body>
</html>
Check the password also:
// the submitted password must be read and escaped the same way as the username
$password = $conn->real_escape_string(trim($_POST['password']));
$query = "SELECT `username`, `password` FROM `users` WHERE `username` = '$user' AND `password` = '$password'";
But I recommend that the password be stored as an encrypted string (read the comments below).
So you do this:
$password = function_that_encrypts($password); // placeholder for your hashing function
$query = "SELECT `username`, `password` FROM `users` WHERE `username` = '$user' AND `password` = '$password'";
Use prepared statements, or PDO with prepared statements; they're much safer.
I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
The query you are using only selects based on the user name. You need to check the password also by adding that to the WHERE clause.
Based on what you have, you'll need to do something like:
$user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));
$pass = $conn->real_escape_string(htmlspecialchars(trim($_POST['password'])));
$query = "SELECT `username`, `password` FROM `users` WHERE `username` = '$user' AND `password` = '$pass'";
Obviously you'll need to run whatever process on the password that you do before storing them. I am hoping you haven't stored the password in plain text.
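Both answers above point at the same fix: check the password, store only a hash, and use prepared statements. The following is an added example (not code from the question or either answer) showing the login check from the question rewritten that way. It assumes PHP 7 or later, the same connection values as the question, and a `users` table whose `password` column (VARCHAR(255)) holds `password_hash()` output.

```php
<?php
// Added example: login with a prepared statement and password_verify().
// Assumes users(username, password) where password stores a password_hash() result.
function login_user(mysqli $conn, string $user, string $pass): bool
{
    // Fetch only the stored hash; the password is never compared inside SQL,
    // and the username goes in as a bound parameter, not string-concatenated.
    $stmt = $conn->prepare('SELECT `password` FROM `users` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Compare in PHP. A wrong or empty password fails here; an unknown user
    // fails the same way, so the response does not reveal which part was wrong.
    return $found && password_verify($pass, $storedHash);
}

// Registration side, for reference: store the hash, never the plain password.
function create_user(mysqli $conn, string $user, string $pass): bool
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO `users` (`username`, `password`) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $conn = new mysqli('localhost', 'root', 'root', 'logreg');
    if ($conn->connect_error) {
        die('Connection failed: ' . $conn->connect_error);
    }
    $user = trim($_POST['username'] ?? '');
    // Do not trim() or htmlspecialchars() the password: it must match what was hashed.
    $pass = $_POST['password'] ?? '';

    if ($user !== '' && $pass !== '' && login_user($conn, $user, $pass)) {
        session_start();
        session_regenerate_id(true);      // fresh session id on privilege change
        $_SESSION['username'] = $user;    // welcome.php should check this, not trust the redirect
        header('Location: welcome.php');
        exit;
    }
    $message = 'invalid username or password';
}
```

With this structure the `real_escape_string`/`htmlspecialchars` wrapping from the question is no longer needed for the lookup, and an empty password can never succeed because `password_verify()` has to match the stored hash.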