Login: email-password match w/ PHP and MySQL

Question

** UPDATE ** Wonderful help, and solved this by simply omitting the $-sign in

        $dbusername = $row['$username_login'];
        $dbpassword = $row['$password_login'];

to their column names.

        $dbusername = $row['username'];
        $dbpassword = $row['password'];

---

I am currently playing around with PHP and MySQL, following some tutorials on making a simple, social network. I have run into trouble when trying to check if a password matches the username.

Code for the login form:

<form action="login.php" method="POST">
<input type="text" size="25" name="user_login" id="user_login" placeholder="Username" />
<input type="password" size="25" name="password_login" id="password_login" placeholder="Password" /> <br />
<input type="submit" name="login" id="button" value="Login" />
</form>

Snippet of my PHP code for verifying the data (login.php):

$username_login = strip_tags($_POST["user_login"]);
$password_login = strip_tags($_POST["password_login"]);

if ($login) {
if ($username_login && $password_login) {
    $connect = mysql_connect("localhost", "root", "") or die("Error connecting");
    mysql_select_db("mono_social") or die("Could not find db");

    $query2 = mysql_query("SELECT * FROM users WHERE username='$username_login'");
    $numrow = mysql_num_rows($query2);

    if ($numrow != 0) {
        // LOGIN code
        while ($row = mysql_fetch_assoc($query2)) {
            $dbusername = $row['$username_login'];
            $dbpassword = $row['$password_login'];
        }

        // Check to see if username and password match
        if ($username_login==$dbusername && $password_login==$dbpassword) {
            echo "You are in";
        }
        else {
            echo "Sorry $username_login. Incorrect password!";
        }
    }

I have also included code for checking whether any of the fields have been left blank, or if the username does not exist. The code seems to be working well for the aforementioned tests (blank fields and invalid usernames), but NOT when I attempt to login with both a valid username and password.

Any help on this would be highly appreciated :)

Answer 1

Probably your columns are not called '$username_login' and '$password_login'.

$dbusername = $row['$username_login'];
$dbpassword = $row['$password_login'];

Maybe you just have to omit the $ (in case your columns' names are 'username_login' and 'password_login')

Answer 2

The answer above resolves your problem; but also, take note of the following when using PHP to avoid future headaches:

• Do NOT put a single quote around your database, table, and column names. You can use their literal names or variables containing the literal names. 'username'='$username' is wrong; username='$username' is right.
• If your database, table, or column name contain spaces, wrap a tick mark ` (the character is located on the left part of a US-region keyboard, infront of the key for !) around the name. user column is wrong; `user column` is right.
• Wrap your string values with single quotes '; e.g. username='$username'.
• Values for columns whose datatypes are numbers do not need single quotes around them; e.g. userid=2

Security Concerns

Since you are just starting with the language, it's best to start right.

• Do not use mysql_* functions anymore; it is not safe and it has been deprecated. Instead, use PDO. It's easier and safer to use.
• Never use root as your database user, even during development.
• On production or development systems, all database users MUST have/use passwords. Prevent authorized access.

Lastly, if an answer has helped you, accept it. It allows others to help you in the future.

Hope this helps.