i have a problem with a login script on my site, the script works after a user registers it will allow the user to login, but after some time like an hour or more the script will denied the user access to login by saying incorrect login details (this error appears when the user password is incorrect) but in this case the password is correct, i have tried to understand the reason for this kind of problem.

Again when the user recovers the password and uses it to login it will login. Please i need some help below is the code for the login

<?php
if (isset($_POST['loginaccount'])) {
    $usernamefor = $_POST['usernamelogin'];
    $passwordfor = $_POST['passwordlogin'];
    $username = mysqli_real_escape_string($connect, $usernamefor);
    $pass  = mysqli_real_escape_string($connect, $passwordfor);
    $query = "SELECT * FROM users WHERE username = '{$usernamefor}' ";
    $query = mysqli_query($connect, $query);
    $count = mysqli_num_rows($query);
    if (!$query) {
        die("QUERY FAILED". mysqli_error($connect));
    }
    if ($count <= 0) {
        $error1 = "<div class='danger'><a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>Sorry you are not a registered user </div>";
    } else {
        while ($row = mysqli_fetch_array($query)) {
            $id = $row['id'];
            $username = $row['username'];
            $user_password = $row['password'];
        }
        $passwordloader = crypt($pass, $user_password);  

        if ($username == $username && $passwordloader == $user_password) {
            header("Location: the users dasboard");

            // the below set various sessions for users//

            $_SESSION['id'] = $id;

        } else {    
            $error2 = "<div class='danger'><a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>Sorry your login details in incorect</div>";  
        }                                                        
    }
}

1 Answers

1
devpro On

You having typo error here:

$username = mysqli_real_escape_string($connect, $usernamefor);
$pass  = mysqli_real_escape_string($connec, $passwordfor);

$connect is not equal to $connec

Few more suggestions:

$username == $username this condition is unnecessary because you are overwriting this variable in while loop.

Second, do not save plain password in database.

Third, i hope you are using session_start() for this this $_SESSION['id'] = $id;

Fourth, your query will return only 1 record, then why are you using while loop here.

Fifth, your code is wide open for SQL injection, for preventing ,use prepared statement. How to use prepared statement

Sixth, if you are not using password field in your query, then no need to use mysqli_real_escape_string()