0

I am working on a site where I am fetching records from the database to match against the user input; if the data does not match the details in the database, it must show a JavaScript alert box. But the problem is that the JavaScript box is showing on body load too. Following is my code:

//Storing the value of form's username and password into PHP variables
$username = $_POST['username'];
$password = $_POST['password'];
//This query is to check whether the user has provided valid details
$query = mysql_query("Select * from accounts where username='$username' and password='$password'");
$status = mysql_num_rows($query);
/**Now checking whether the number of rows returned by the database is greater than 0 to verify the login.
If the number of rows is greater than zero we will redirect the user to the index page with a session variable**/

if($status >0)
{
$_SESSION['username'] = $username;
?>
<meta http-equiv="refresh" content="0;url=index.php">
<?}
else
{?>
<script language="javascript">
alert('UserName or Password does not match. Please try again');
</script>
<?}?>
Denys Séguret
  • 5
    **Warning**: your code is extremely vulnerable to SQL injection attacks. Also, you should **never** store users' passwords in the database. – Daniel A. White Nov 09 '12 at 12:37
  • 1
    @Jessica Brownie to complete what Daniel said, I suggest you look for password hashing (and never hash only the password, always include a salt and other parts like the username if it's constant). – Denys Séguret Nov 09 '12 at 12:38
  • Jessica, what page is this on? Can you show the form? Can you show more code that precedes this fragment? – phant0m Nov 09 '12 at 12:47
  • 2
    I think she's trying to learn using PHP inside HTML pages. One step at a time. Don't confuse her with injections before she learns it. – Taha Paksu Nov 09 '12 at 12:47
  • On another note, you are using [short tags](http://stackoverflow.com/questions/200640/are-php-short-tags-acceptable-to-use). – phant0m Nov 09 '12 at 12:54

3 Answers

1

Replace

else

with

else if (isset($_POST['username'])) {

if you don't want the alert to appear when the user isn't trying to log in.

Denys Séguret
0

You need a login flag for this.

Add this to your form:

<input type="hidden" name="login_process" value="true" />

and then surround your login code with:

if (isset($_POST["login_process"]) && $_POST["login_process"] == "true") {

    //your login code

}

...your page body
Taha Paksu
0
You missed <?php and the variable.
Use this code, then check:

    <?php

    $username = $_POST['username'];
    $password = $_POST['password'];

    // This query checks whether the user has provided valid details
    $query = mysql_query("Select * from accounts where username='".$username."' and password='".$password."'");
    $status = mysql_num_rows($query);

    /* Now check whether the number of rows returned by the database is greater than 0 to verify the login. If it is, redirect the user to the index page with a session variable. */

    if ($status > 0)
    {
        $_SESSION['username'] = $username;
    ?>
    <meta http-equiv="refresh" content="0;url=index.php">
    <?php }
    else
    {?>
    <script language="javascript">
    alert('UserName or Password does not match. Please try again');
    </script>
    <?php }?>
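
A hardened form of the login check, combining the "only on submit" guard from the answers with the comments' points on SQL injection and password hashing. This is an added example, not code from any post on this page; it assumes PDO with the SQLite driver, a constructed in-memory `accounts` table with a hypothetical `password_hash` column, and the hypothetical helper names `demo_db` and `attempt_login`.

```php
<?php
// Added example: a constructed in-memory SQLite database stands in for the
// real `accounts` table; the password_hash column is an assumption.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO accounts (username, password_hash) VALUES (?, ?)');
    // password_hash() generates a random per-user salt and embeds it in the hash string.
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns null when no login was submitted (plain page load, so no alert),
// true on a successful login and false on a failed attempt.
function attempt_login(PDO $db, string $method, array $post): ?bool {
    if ($method !== 'POST' || !isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return null;
    }
    // Placeholder binding: user input is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM accounts WHERE username = ?');
    $stmt->execute([$post['username']]);
    $hash = $stmt->fetchColumn(); // false when no such user exists
    // Verify against the stored hash; the plaintext is never stored or queried.
    return is_string($hash) && password_verify($post['password'], $hash);
}

$db = demo_db();
// Constructed requests: page load, valid login, wrong password, and a
// username containing a quote character (treated as data by the placeholder).
$cases = [
    ['GET',  []],
    ['POST', ['username' => 'alice', 'password' => 'correct horse']],
    ['POST', ['username' => 'alice', 'password' => 'wrong']],
    ['POST', ['username' => "o'brien", 'password' => 'x']],
];
foreach ($cases as [$method, $post]) {
    $result = attempt_login($db, $method, $post);
    echo $method, ' ', json_encode($post), ' => ', var_export($result, true), "\n";
}
```

In the page itself the call would be `attempt_login($db, $_SERVER['REQUEST_METHOD'], $_POST)`, with the alert emitted only when the result is `false` and the session variable set only when it is `true`.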