I am trying to figure out why this code is not authenticating users: a wrong combination of username and password gives a user access. Where am I going wrong? I am still a newbie, any help? Also, a suggestion on how to encrypt the password, MD5, SHA etc., which is best?
    <form class="login-form" action="login.php" method="post">
        <input type="text" placeholder="username" name="username"/>
        <input type="password" placeholder="password" name="password"/>
        <button type="submit" name="login" value="login">login</button>
        <p class="message">Not registered? <a href="#">Create an account</a></p>
    </form>
    if (isset($_POST['login'])) {
        include_once("db.php");
        $username = stripslashes($username);
        $password = stripslashes($password);
        $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
        $query = mysql_query($sql);
        $row = mysql_fetch_array($query);
        $id = ['id'];
        $db_password = $row['password'];
        if ($password == $password) {
            $_SESSION['username'] = $username;
            $_SESSION['id'] = $id;
            header("Location: index.php");
        } else {
            echo "You have entered invalid credentials.";
        }
    }
1st: You are comparing the same value, which will always give you true.
    if ($password == $password) {
Change it to the DB value:
    if ($db_password == $password) {
2nd: what is this?
    $id = ['id'];
You probably meant:
    $id = $row['id'];
3rd: stop using mysql_* functions, they are deprecated and unsafe. Switch over to PDO or mysqli_*!
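
Added example, not part of the answer above or of the asker's code: the same login check written with PDO, a prepared statement and PHP's built-in password_hash() / password_verify(), which is the usual choice over bare MD5 or SHA for stored passwords. It assumes the users table from the question (id, username, password) with the password column holding password_hash() output; the authenticate() function name, the sample accounts and the in-memory SQLite database are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the user's id on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Prepared statement: the username is bound as data, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: fetch() returned false, so reject before reading $row['password'].
    if ($row === false) {
        return null;
    }
    // Check the submitted password against the stored hash, not against itself.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// At registration store only the hash; password_hash() generates the salt itself.
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
$insert->execute([':u' => 'alice',   ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute([':u' => "o'brien", ':p' => password_hash('battery staple', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, 'alice', 'correct horse'));     // valid credentials
var_dump(authenticate($pdo, 'alice', 'battery staple'));    // wrong password for this user
var_dump(authenticate($pdo, 'nobody', 'correct horse'));    // user does not exist
var_dump(authenticate($pdo, "o'brien", 'battery staple'));  // quote in the name is plain data

// In login.php, on a non-null result: call session_regenerate_id(true), then set
// $_SESSION['id'] and $_SESSION['username'] and redirect, as in the original code.
```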