Simple PHP SQL login troubleshooting

I am trying to create a very basic PHP login by retrieving a registered username/password from a database. This is not ever going live and I am aware there is zero input validation. All I'm trying to do is select data from a database in a login.

Here is the login form on index.html:

    <table width="250" border="0" align="center" cellpadding="0" cellspacing="1"    bgcolor="#CCCCCC">
    <tr>
    <form name="form1" method="post" action="checklogin.php">
    <td>
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
    <tr>
    <td colspan="3"><strong>Member Login </strong></td>
    </tr>
    <tr>
    <td width="78">Username</td>
    <td width="6">:</td>
    <td width="294"><input name="Username" type="text" id="Username"></td>
    </tr>
    <tr>
    <td>Password</td>
    <td>:</td>
    <td><input name="Password" type="text" id="Password"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="Login"></td>
    </tr>
    </table>
    </td>
    </form>
    </tr>
    </table>

And here is the PHP checklogin.php:

   <?php

    $sql_connection = mysqli_connect ("localhost:8889","root","root","derek_website_tmp");

    if (mysqli_connect_errno())
{
 echo "failed to connect" . mysqli_connect_error();
}

    $Username=$_POST['Username'];
    $Password=$_POST['Password'];

    $sql = "SELECT * FROM $Members WHERE Username = '$Username' and Password = '$Password'"
    $result=mysqli_query($sql);

    $count = mysql_num_rows($result);

    if ($count==1) {
    $_SESSION['Username'] = $Username;
    $_SESSION['Password'] = $Password;
    header('location:login_success.php');
    }

    else {
    echo 'Wrong Username or Password';
    }

    if (!mysqli_query($sql_connection))
{
die('Error : ' . mysqli_error($sql_connection));
}

    mysqli_close ($sql_connection);

    ?>

When I try this I get an error retrieving checklogin.php Any help would be greatly appreciated.


Firstly, handling the errors during the development is very important so we check if our post are present, we check if we connected to the database, we check if our query passed and is OK to run, we check the parameters we are giving to the query and we finally execute the query.

After that you can use bind_result to name a variable to receive the fields from your query, like I have done.

Notice how on my query I am using ? that is a prepared statement that we define using the bind_param this is to avoid SQL injection, in your current code, SQL Injection is still possible since you're not sanitizing your variables.

Another mistake I believe you're doing is storing passwords as plain text that is VERY VERY WRONG, you should always encrypt the password to protect your users and yourself. That's why I do not include the password on my MySQL query, I first use only the user, if the user is found I then use the password he posted to match the retrieved password from the database, in this case I am using bcrypt to do the task which is a very secure encryption library.

See here how to use bcrypt.

Only after I see that the password is valid I am then placing the data into the session and redirecting the user.

Besides all the errors I have pointed out at the bottom of my answer, here is how I would write your code.

<?php
session_start();
include_once('bcrypt.php');
// Your database info
$db_host = '';
$db_user = '';
$db_pass = '';
$db_name = '';

if (!isset($_POST['Username']))
{
    echo 'Fill in the username...';
    exit;
}

if (!isset($_POST['Password']))
{
    echo 'Fill in your password...';
    exit;
}

$con = new mysqli($db_host, $db_user, $db_pass, $db_name);
if ($con->connect_error)
{
    die('Connect Error (' . $con->connect_errno . ') ' . $con->connect_error);
}

$sql = "SELECT Username, Password FROM `Members` WHERE Username = ?";
if (!$result = $con->prepare($sql))
{
    die('Query failed: (' . $con->errno . ') ' . $con->error);
}

if (!$result->bind_param('s', $_POST['Username']))
{
    die('Binding parameters failed: (' . $result->errno . ') ' . $result->error);
}

if (!$result->execute())
{
    die('Execute failed: (' . $result->errno . ') ' . $result->error);
}

$result->store_result();
if ($result->num_rows == 0)
{
    die('No username found...');
}

$result->bind_result($db_username, $db_password);
$result->fetch();
$result->close();
$con->close();

$bcrypt = new Bcrypt(15);
if ($bcrypt->verify($password, $db_password))
{
    $_SESSION['Username'] = $db_username;
    header('location:login_success.php');
    exit;
}
else
{
    echo 'Wrong Username or Password';
}

NOTE: The above code is merely an example and was not tested, if you notice any error with it let me know.

Some of the errors I have noticed on the code you have posted:

You're missing the closing ; over here:

$sql = "SELECT * FROM $Members WHERE Username = '$Username' and Password = '$Password'"

Also on your query you have $Members but you have no $Members variable defined anywhere in your code, did you perhaps meant to say Members instead, as in:

$sql = "SELECT * FROM `Members` WHERE Username = '$Username' and Password = '$Password'";

Shouldn't this

$count = mysql_num_rows($result);

Be

$count = mysqli_num_rows($result);‌

And

$result=mysqli_query($sql); 

Be

$result=mysqli_query($sql_connection, $sql);

You have no query on the below part of the mysqli_query

if (!mysqli_query($sql_connection))