im trying to create a login script and I feel like im almost there but for some reason when I test it by typing in incorrect usernames and passwords it still thinks it has got something from the database.
here is my form code:
<form method="post" action="checklogin.php">
<table>
<tr>
<td><label style="color:#6b6a6b;" for="username">Username: </label></td>
<td><input class="textbox" type="text" name="username"></td>
</tr>
<tr>
<td> </td>
<td></td>
</tr>
<tr>
<td><label for="password">Password: </label></td>
<td><input class="textbox" type="password" name="password"></td>
</tr>
<tr>
<td> </td>
<td></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="login" id="login" value=""></td>
</tr>
</table>
</form>
and here is my PHP code:
session_start();
$con=mysqli_connect("********", "*******", "******", "******");
$myroot = "";
$previousURL = parse_url($_SERVER['HTTP_REFERER'],PHP_URL_PATH);
if(isset($_POST['login'])){
if(isset($_POST['username']) && isset($_POST['password']) && $_POST['username'] != "" && $_POST['password'] != ""){
if (strlen($_POST['username']) > 20 || strlen($_POST['username']) < 4)
{
$error = 'Incorrect Length for Username or Password';
}
/*** check the password is the correct length ***/
elseif (strlen($_POST['password']) > 20 || strlen($_POST['password']) < 4)
{
$error = 'Incorrect Length for Username or Password';
}
/*** check the username has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['username']) != true)
{
/*** if there is no match ***/
$error = "Username must be alpha numeric";
}
/*** check the password has only alpha numeric characters ***/
elseif (ctype_alnum($_POST['password']) != true)
{
/*** if there is no match ***/
$error = "Password must be alpha numeric";
}
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($con,$username);
$password = mysqli_real_escape_string($con,$password);
$result=mysqli_query($con,"SELECT * FROM RAE_customers WHERE username='" . $username . "' AND password='" . $password . "'") or die(mysqli_error($con));
$count=count($result);
if($count==1){
// Register $username
$_SESSION['username'] = $username;
var_dump($_SESSION['username']);
echo "<br>";
echo $count;
/*if($previousURL == "/checkout.php"){
header('Location: details.php');
}
elseif($previousURL == "/login.php"){
header('location: index.php');
}*/
}
else {
$error = "Wrong Username or Password.";
}
if(isset($error)){
echo $error;
}
else{
echo "success";
}
}
else{
$error = "Please enter a Username and Password.";
}
}
else{
header('location:index.php');
}
When I type in dummy usernames and passwords the It treats it like they are correct.
I get these results
string(6) "dffddf" 1success
does anybody see the problem with my code?
