Trying to make a login page, getting php errors. Any help? :-)

Hi, a while ago I connected my scripts to my database. I want users on my site and this is the best script I could make, but it gives me errors that I can't find. Anybody who can see any issues?

My code:

```php
session_start();

if (isset($_POST['login'])) {
    include_once("db.php");

    // Clean up the submitted values
    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);

    $username = stripslashes($username);
    $password = stripslashes($password);

    $username = mysqli_real_escape_string($db, $username);
    $password = mysqli_real_escape_string($db, $password);

    $password = md5($password);

    // Look up the stored row for this username
    $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
    $query = mysqli_query($db, $sql);
    $row = mysqli_fetch_array($query);
    $id = $row['id'];
    $db_password = $row['password'];

    // Compare the hashes and start the session
    if ($password == $db_password) {
        $_SESSION['username'] = $username;
        $_SESSION['id'] = $id;
        header("Location: index.php");
    } else {
        echo "<font color="red">Your username and password did not match our system, please try again...</font>"
    }
}
```

1 Answer

When I pasted your code into my editor it immediately showed an error on this line:

```php
echo "<font color="red">Your username and password did not match our system, please try again...</font>"
```

The first problem is that if you include quoted text inside a string starting with double quotes you need to switch to single quotes. The second problem is that you didn't terminate the line with a semi-colon. So with these changes we have no errors:

```php
echo "<font color='red'>Your username and password did not match our system, please try again...</font>";
```

Just a note. I applaud your encrypting passwords, but md5 is very easily broken. Here's an article from ZDNet: http://www.zdnet.com/article/md5-password-scrambler-no-longer-safe/ Here's a YouTube video of a couple of kids hacking md5 passwords: https://www.youtube.com/watch?v=96fAX0beduE The site I used to demo cracking md5 passwords online seems to have been taken down, but here's a site that tells you how to do it on your laptop: http://chalkline.blogspot.com/2005/08/2-minute-tutorial-on-cracking-md5.html

Based on reading your code it seems you allow multiple users to have the same username:

```php
$sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
```

If so, the above SELECT statement may not bring back the user with the password in $password. E.g., if there were two, how can you guarantee that LIMIT 1 will bring back the user with the submitted password? I suggest that you do this instead:

```php
$sql = "SELECT id FROM users WHERE username='$username' AND password = '$password'";
```

If you get an id back then your user's login is validated and you can fill your SESSION variables. Depending on how large the rows are in your users table this could save a bit of network transit time, as all you are bringing back here is the id.

Wow thanks a lot mate for the answer. I'll try some of it out! So is there any other md5 kind of thing I can use?
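
On the follow-up question about an alternative to md5: the block below is an added example, not code from either poster in this thread. It uses PHP's built-in `password_hash()` and `password_verify()` with a bound query parameter, and upgrades existing md5 rows at the next successful login. The in-memory SQLite database (via PDO), the sample accounts and the `verify_login()` helper are assumptions made so the example runs on its own; the `users` table and its `id`, `username` and `password` columns follow the thread.

```php
<?php
// Added example. Constructed in-memory table standing in for the thread's `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Constructed sample rows: one account still holding an md5 hash, one already migrated.
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['alice', md5('correct horse')]);
$insert->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the user's id on success, null on any failure.
function verify_login(PDO $db, string $username, string $password): ?int
{
    // The username is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $stored = $row['password'];
    // md5() output is always 32 lowercase hex characters; password_hash() output never is.
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;

    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))   // old rows: timing-safe comparison
        : password_verify($password, $stored);   // new rows: salted, deliberately slow hash
    if (!$ok) {
        return null;
    }

    // Replace md5 (or outdated settings) while the plaintext is in hand.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $update = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $update->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

var_dump(verify_login($db, 'alice', 'correct horse'));  // legacy md5 row, correct password
var_dump(verify_login($db, 'alice', 'wrong guess'));    // wrong password
var_dump(verify_login($db, 'bob', 'battery staple'));   // row already using password_hash()
$hash = $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']);         // algorithm now stored for alice
```

In the login script from the question, a non-null return value is the point at which `$_SESSION['username']` and `$_SESSION['id']` would be set.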