I'm making a login system linked with a database. I want to show an HTML file after the data gets checked against the database, so I used (the include method) and it shows me the HTML file in the console, not on the web page.

I've tried to use (require method) and tried to change it to a PHP file, and it is still doing the same.

    <?php
    $dbsevername = "127.0.0.1";
    $dbusername = "root";
    $dbpassword = "**************";
    $dbname = "loginsystem";
    $dbport = '3306';

    $username = $_POST['username'];
    $password = $_POST['password'];

    $_SESSION["favcolor"] = "green";

    $conn = mysqli_connect($dbsevername, $dbusername, $dbpassword,$dbname);

    $sql = "SELECT * FROM passwords where username='$username' and password='$password';";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result); // = 2


    if ($resultCheck > 0) {
       while($row = mysqli_fetch_assoc($result)){
         if ($row['username'] == $username && $row['password'] == $password) {
           include("true.html");
         }
       }

    }else {
       include("false.html");
    }

    mysqli_close($conn);
    ?>

I want to open the (true.php) or (false.php) when the data gets checked.

3 Answers

0
Mark Harraway On

I would rename the HTML files to PHP.

Is this actually your code? Just checking because if the files are a remote URL this makes a difference.

You are using a while loop to include a HTML file that will only ever have 1 result. There are better methods of doing this but regardless this should work and isn't the issue here. Any errors?

Try

    include './true.php';

instead of

    include ("true.html");
0
jameson2012 On

i want to open the (true.php) or (false.php) when the data get checked.

I think you are making a common rookie oversight here, because at the moment you only check if the data is correct and don't handle anything else: I've commented through your code below to demonstrate what I mean

    //if there is at least 1 result then check the data otherwise include false
    if ($resultCheck > 0) {

    //while we go through the results check each one
       while($row = mysqli_fetch_assoc($result)){

    //if the username and password match include true.html
    //however you don't break out of the loop, you keep checking
    //if you have decided to include true you should use break;

         if ($row['username'] == $username && $row['password'] == $password) {
           include("true.html");
         }
    //otherwise do what?  this should say else include false and then should probably break out the loop here as the
    //this will not fall through into the else block below as that is based on the parent condition
    //so you will never include a false in this loop - only if there were 0 rows to begin with
    //this means that eventually, whenever our loop finishes we will skip
    //down to the next executable line which is marked with !!!

       }

    }else {
       include("false.html");
    }
    //!!!

There are some other glaring problems with your code, such as you seem to be storing passwords in plain text in your database. These should be hashed and verified, so you should never be able to just see if a password row == an input. I suggest googling the PHP functions password_hash and password_verify.

You also shouldn't be using a while loop. Within your login system you must have a unique username and password combination, so you should only ever return 1 row - if you have more than 1 row, how can you confirm who they are? So you should be using whatever the mysqli equivalent of pdo->fetch() is (I don't know offhand because I only use PDO).

Which brings me on to the fact that you should be using prepared statements to combat SQL injection. At the moment this login system could be easily used to give someone full access to all your usernames and passwords, which are all stored in plain text.
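
An added example (not part of any answer here, and not the asker's code) of the check this answer describes: one prepared statement, a single-row fetch, and `password_verify` against a stored `password_hash`. It assumes PDO with an in-memory SQLite database in place of the MySQL server so it runs offline; the `users` table, the `authenticate()` helper and all sample credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: pdo_sqlite is available; the in-memory database replaces MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Registration side: store only the hash, never the password itself.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash to verify against when the user does not exist, so a missing user
// and a wrong password do a comparable amount of work.
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);

/** Returns the user's id on success, or null on any failure. */
function authenticate(PDO $pdo, string $username, string $password, string $dummyHash): ?int
{
    // The username is bound as data, so quotes in it cannot change the query.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // UNIQUE username: at most one row

    $hash = $row === false ? $dummyHash : $row['password_hash'];
    $ok = password_verify($password, $hash);

    return ($ok && $row !== false) ? (int) $row['id'] : null;
}

// Constructed inputs: valid login, wrong password, unknown user, and a
// username with quote characters that would alter a concatenated query.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['bob', 'correct horse'],
    ["alice' OR '1'='1", 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $id = authenticate($pdo, $user, $pass, $dummyHash);
    // In the login script, this is where true.html or false.html is included.
    printf("%-20s => %s\n", $user,
        $id === null ? 'rejected (false.html)' : "accepted, id $id (true.html)");
}
```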

0
Mark Harraway On
    session_start(); // required before $_SESSION can be written
    // $link is your existing mysqli connection

    $uid = $_POST['uid'] ?? null;
    $pwd = $_POST['pwd'] ?? null;

    if ($uid == null){
        header("Location: ../index.php?message=ERROR 001 - Username or Password can not be blank!");
        exit();
    }

    if ($pwd == null){
        header("Location: ../index.php?message=ERROR 001 - Username or Password can not be blank!");
        exit();
    }

    // Look up the stored hash; the username is bound, not concatenated
    $pass = null;
    if ($stmt = $link->prepare("SELECT password FROM users WHERE username=?")) {
        $stmt->bind_param("s", $uid);
        $stmt->execute();
        $stmt->bind_result($pass);
        $stmt->fetch();
        $stmt->close();
    }

    if (!$stmt) {
        header("Location: ../index.php?message=ERROR 003 - Connection to the database could not be established!");
        exit();
    }

    $hash_pwd = $pass;

    // Re-hash the input using the stored hash as salt; hash_equals() compares in constant time
    if ($hash_pwd !== null && hash_equals($hash_pwd, crypt($pwd, $hash_pwd))){
        $decrypt = 1;
    }else{
        $decrypt = 0;
    }

    if ($decrypt == 0){
        include ("false.html");
        exit();
    } else {
        // Bind both values so neither is concatenated into the SQL string
        $stmt = $link->prepare("SELECT id FROM users WHERE username=? AND password=?");
        $stmt->bind_param("ss", $uid, $hash_pwd);
        $stmt->execute();
        $stmt->bind_result($id);
        $stmt->fetch();
        $stmt->close();
        $_SESSION['id'] = $id;
        include ("true.html");
    }

This should work better. You'll have to change your database relevant details. I've given you a start with storing a session variable of ID.