Php Session and post problems in login page

Question

Ok, so we got some basic HTML here

    Username:   
    

        

Answer 1

Edit: Username and password names in html are the same which are used in php, i just misstyped here.

Edit: Ok, so you've made a typo in the form fields. You're still mixing MySQL APIs, see further down below about the mixing function using mysql_real_escape_string().

Look at name="myusername" and your POST assignment, along with the one for your password.

They don't match.

Change name="myusername" to name="username"

and name="mypassword" to name="password"

as per

$myusername=$_POST["username"];
$mypassword=$_POST["password"];

Having used error reporting, would have signaled an undefined index and an headers already sent warning; see below.

You also have spaces before which would cause an output before header. Remove them.

Plus, you're mixing MySQL APIs with mysql_error(). mysql_error() should read as mysqli_error($con) and this below:

$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

which should read as

$myusername = mysqli_real_escape_string($con,$myusername);
$mypassword = mysqli_real_escape_string($con,$mypassword);

or

$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);

• mysqli_ and mysql_ functions do not intermix together.

---

Regarding security

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

---

Footnotes

It is best to add exit; after each header.

header("location:login_success.php");
exit;

and for all headers.

---

Edit:

Remove

$myusername=$_POST["username"];
$mypassword=$_POST["password"];
echo $myusername . "
";  
echo $mypassword . "
";

then replace it with:

$myusername = stripslashes($_POST["username"]);
$mypassword = stripslashes($_POST["password"]);
$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);

---

Edit #2:

This is what I tested your code with, and got success, therefore I don't know what is wrong with your present code.

HTML FORM

    Username:   
    
    
 
    Password:  
     
    
  
     

MySQL

connect_errno > 0) {
      die('Connection failed [' . $conn->connect_error . ']');
    }

    $myusername = stripslashes($_POST["username"]);
    $mypassword = stripslashes($_POST["password"]);
    $myusername = mysqli_real_escape_string($conn,$_POST['username']);
    $mypassword = mysqli_real_escape_string($conn,$_POST['password']);


    echo $myusername; // echos
    echo "
";
    echo $mypassword; // echos


    $sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
    $result=mysqli_query($conn,$sql);

    $count=mysqli_num_rows($result);

    if($count==1){
        echo "Yep";
    }
    else{
        echo "nope";
    }

N.B.: You should also clear out your sessions (destroy sessions), there could be something on the server caching old usernames and passwords.

Also make sure there are no spaces in your columns, that the types are correct and the lengths are long enough to hold the data. Usually VARCHAR(255) is more than enough, but is suggested when using hashed passwords generated by password_hash(), a function which you should be using when storing passwords.

See also:

• What is the difference between session_unset() and session_destroy() in PHP?

on Stack.