Home/ Questions/Q 8046147
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T05:43:08+00:00

I have a little issue with my login form. I think the problem is

  • 0

I have a little issue with my login form. I think the problem is mysqli code because when the code was old mysql code, the login worked correctly but since I changed it to mysqli, it has not quite worked properly.

What is suppose to happen is that the user will enter in their username and password in the login form, when the user clicks on the “Login” button, it will check in the database if the username and password is correct. If it is correct then navigate to the menu.php page else if login is incorrect, display a message stating log in is incorrect, try again.

Instead what the code below is doing is that when the user enters in their username and password and clicks on “Login” button, no matter if username and password is correct or not it just refreshes the from, it doesn’t navigate to menu.php page or display a login incorrect message.

So my question is that why is this happening, why after logging in does it not navigate the user or display the incorrect login message?

Below is the code:

 <?php

    session_start(); 

    $username="xxx";
    $password="xxx";
    $database="xxx";

    $mysqli = new mysqli("localhost", $username, $password, $database)or die( "Unable to select database");

    foreach (array('teacherusername','teacherpassword') as $varname) {
            $$varname = (isset($_POST[$varname])) ? $_POST[$varname] : '';
          }

    ?>

    <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post" id="teachLoginForm">        
    <p>Username</p><p><input type="text" name="teacherusername" /></p>      <!-- Enter Teacher Username-->
    <p>Password</p><p><input type="password" name="teacherpassword" /></p>  <!-- Enter Teacher Password--> 
    <p><input id="loginSubmit" type="submit" value="Login" name="submit" /></p>
    </form>

    <?php
    if (isset($_POST['submit'])) {

    $query = $mysqli->prepare("
    SELECT * FROM Teacher t  
    WHERE 
    (t.TeacherUsername = '".mysqli_real_escape_string($teacherusername)."')
    AND
    (t.TeacherPassword = '".mysqli_real_escape_string($teacherpassword)."')
    ");

    $query->bind_result($Teacher);

    $num = $query->num_rows($result = $query->execute());

    $loged = false;

    while($row = $result->fetch())
      {

          if ($_POST['teacherusername'] == ($row['TeacherUsername']) && $_POST['teacherpassword'] == ($row['TeacherPassword']))
          {
              $loged = true;
          }

$_SESSION['teacherforename'] = $row['TeacherForename'];
$_SESSION['teachersurname'] = $row['TeacherSurname'];
$_SESSION['teacherusername'] = $row['TeacherUsername'];

      }

      if ($loged == true){
      header( 'Location: menu.php' ) ;
    }else{
      echo "The Username or Password that you Entered is not Valid. Try Entering it Again.";
    }


    }
     ?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This code is really bad for a number of reasons. Let me try to rewrite this for you and explain why.

    First off, you’re getting and looping through all of the rows of the database and checking for a match, you should be doing this within your SQL query.

    Second, you’re trying to send headers after output is sent. This won’t work and should throw an error if you have error reporting enabled.

    Third, you define the variables $teacherusername and $teacherpassword for no real reason, and don’t even consistently use them.

    Fourth, you’re starting a session for seemingly no reason.

    Fifth, your query is unnecessarily complicated.

    Sixth, as pointed out by Mike, you’re storing users passwords in the database as plaintext.

    I’d write this as:

    <?php
// There can be nothing (HTML, whitespace, anything) above this php tag.

if(isset($_POST['teacherusername']) && isset($_POST['teacherpassword']))
{
    // Connect to Database
    $username="xxx";
    $password="xxx";
    $database="xxx";
    $mysqli = new mysqli("localhost", $username, $password, $database)or die( "Unable to select database");

    // Build Query
    $q = sprintf('SELECT * FROM Teacher t');
    $q.= sprintf(' WHERE t.TeacherUsername = %s', mysqli_real_escape_string($_POST['teacherusername']));
    $q.= sprintf(' AND t.TeacherPassword = %s', mysqli_real_escape_string($_POST['teacherpassword']));

    // Run Query
    $query->bind_result($Teacher);
    $res = $query->execute();
    $num = $query->num_rows();

    if($num == 1)
    {
        header('Location: menu.php' );
    }
    else
    {
        session_start();        // Do you need this?
        echo "The Username or Password that you Entered is not Valid. Try Entering it Again.";
    }
}
?>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post" id="teachLoginForm">        
<p>Username</p><p><input type="text" name="teacherusername" /></p>      <!-- Enter Teacher Username-->
<p>Password</p><p><input type="password" name="teacherpassword" /></p>  <!-- Enter Teacher Password--> 
<p><input id="loginSubmit" type="submit" value="Login" name="submit" /></p>
</form>

    Now, this doesn’t resolve the fact that you’re still storing passwords in the database as plaintext. That’s bad practice, but kind of outside the scope of today’s lesson 🙂

    Here, the PHP is run first, and either header() or session_start() is the first thing that sends output — this is important as they both need to be the first thing to send output.

    I also resolved you’re validation loop. If the query returns rows then there are matches in the database and the username and password is correct, no need to loop.

    • 0