This question already has an answer here:
- Secure hash and salt for PHP passwords 14 answers
My code checks whether the username exists in the database; however, if the password is incorrect or empty the user can still log in (redirected to welcome.php). How can I implement it so that the password has to be correct as well as the username?
```php
<?php
if($_SERVER['REQUEST_METHOD'] === 'POST'){
    $servername = "localhost";
    $username = "root";
    $password = "root";
    $dbname = "logreg";
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    $user = $conn->real_escape_string(htmlspecialchars(trim($_POST['username'])));
    // Only the username is looked up; $_POST['password'] is never read or compared
    $query = "SELECT `username` FROM `users` WHERE `username` = '$user'";
    $result = $conn->query($query);
    if($result->num_rows > 0) {
        header('Location:welcome.php');
        die();
    }
    else $message = 'user does not exist';
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Log In</title>
<link type="text/css" rel="stylesheet" href="css/bootstrap.css"/>
<link type="text/css" rel="stylesheet" href="css/bootstrap.min.css"/>
<link type="text/css" rel="stylesheet" href="css/bootstrap-theme.css"/>
<link type="text/css" rel="stylesheet" href="css/bootstrap-theme.min.css"/>
<link type="text/css" rel="stylesheet" href="css/styles.css"/>
<link href='http://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
</head>
<body>
<div class="header">
<div class="body">
<div id="loginbox" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
<div class="panel">
<div class="panel-heading">
<div class="panel-title"><h1>Sign In</h1></div>
<div style="float:right; font-size: 80%; position: relative; top:-10px"><a href="passreset.html">Forgot password?</a></div>
</div>
<div style="padding-top:30px" class="panel-body" >
<div style="display:none" id="login-alert" class="alert alert-danger col-sm-12"></div>
<form id="loginform" class="form-horizontal" role="form" action = "index.php" method = "post" enctype="multipart/form-data">
<h4><?php if(isset($message)) : ?>
<div class="error"><?php echo $message; ?></div>
<?php endif; ?></h4>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span>
<input id="username" type="text" class="form-control" name="username" value="" placeholder="username"> </div>
<div style="margin-bottom: 25px" class="input-group">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
<input id="login-password" type="password" class="form-control" name="password" placeholder="password">
</div>
<div class="input-group">
<div class="checkbox">
<label>
<input id="login-remember" type="checkbox" name="remember" value="1"> Remember me
</label>
</div>
<div style="margin-top:10px" class="form-group">
<!-- Button -->
<div class="col-sm-12 controls">
<input type = "submit" value = "Log In">
</div>
</div>
</div>
<div class="form-group">
<div class="col-md-12 control">
<div style="border-top: 1px solid#888; padding-top:15px; font-size:85%">
Don't have an account!
<a href="register.html" onClick="$('#loginbox').hide(); $('#signupbox').show()">
Sign Up Here
</a>
</div>
</div>
</div>
</form>
</div>
</div>
</div>
<div style="border-top: 1px solid #999; padding-top:20px" class="form-group">
</div>
</div>
</div>
</body>
</html>
```
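Added example of the login check done properly (my code, not the asker's): the username is bound through a prepared statement instead of being interpolated into the SQL, and the submitted password is verified against a stored hash with password_verify(). It assumes the `users` table has a `password_hash` column populated at registration with password_hash($password, PASSWORD_DEFAULT); the connection details are the ones from the question.

```php
<?php
declare(strict_types=1);

// Returns true only when the username exists AND the password matches its hash.
function authenticate(mysqli $conn, string $username, string $password): bool
{
    // An empty username or password never authenticates, whatever is stored.
    if ($username === '' || $password === '') {
        return false;
    }

    // Prepared statement: the username is a bound parameter, not part of the SQL text.
    $stmt = $conn->prepare('SELECT `password_hash` FROM `users` WHERE `username` = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true || $storedHash === null) {
        return false;              // unknown user
    }

    // Compares the password against the stored password_hash() output.
    return password_verify($password, $storedHash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $conn = new mysqli('localhost', 'root', 'root', 'logreg');
    if ($conn->connect_error) {
        die('Connection failed: ' . $conn->connect_error);
    }

    // No htmlspecialchars() here: escape for HTML only when echoing to a page.
    $user = trim((string) ($_POST['username'] ?? ''));
    $pass = (string) ($_POST['password'] ?? '');

    if (authenticate($conn, $user, $pass)) {
        session_start();
        session_regenerate_id(true);            // fresh session id on login
        $_SESSION['username'] = $user;          // welcome.php should check this
        header('Location: welcome.php');
        exit;
    }
    // One message for both failure cases so the form does not reveal valid usernames.
    $message = 'Invalid username or password';
}
```

welcome.php should itself call session_start() and check $_SESSION['username'] before rendering, since the redirect alone does not prove the user logged in.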