PHP, SQL, user database
I hope I formatted the code correctly. I am having trouble getting this expression to execute. I searched and looked for what this statement should look like. However, when I run it regardless of the password, if the username starts with kacey then it goes to echo "Logged in as: " . kacey;
Similarly, if I put the login in kaceyfeewaf it still goes to echo "Logged in as: " . $myuser;
This happens regardless of the password entered. The string $result['username']
must be checked for KACEY.
$sql = "SELECT * FROM $dbTable WHERE username = $myuser AND password = $mypass";
$result = mysql_query($sql);
if($result['username'] = $myuser && $result['password'] = $mypass;)
{
echo "Logged in as: " . $myuser;
} else {
echo "Fail ";
}
source to share
There are several problems here.
First, the variables you have in your query are strings, so they must be quoted:
WHERE username = '$myuser' AND password = '$mypass'
A or die(mysql_error())
before mysql_query()
would mean a syntax error.
Then you assign instead of comparison with
if($result['username'] = $myuser && $result['password'] = $mypass;)
use two values ==
However, you don't check if these lines exist.
You need to use mysql_num_rows()
or use a loop while
using a function to retrieve / iterate over the found results.
Here's a MySQLi example using mysqli_num_rows()
:
$conn=mysqli_connect("hostname","username","password","db");
$check_select = mysqli_query($conn, "SELECT * FROM `users`
WHERE email = '$email' AND pw='$pass'");
$numrows=mysqli_num_rows($check_select);
if($numrows > 0){
// do something
}
Now we do not know where these variables were assigned, and if from the form that uses the POST method with the appropriate name attributes.
i.e:.
<form action="" method="post">
<input type="text" name="username">
...
</form>
$username = $_POST['username'];
Another thing that we don't know is the MySQL API you are working with to communicate. Make sure you are actually using the same one that you want to contact while being mysql_
. Different APIs don't mix, like mysqli_
PDO or. Use the same one from the query connection.
Add a bug report to the top of your file (s) to help you find bugs.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Displaying errors should only be done during staging and should never be done.
I noticed that you can store passwords in plain text. If so, then it is extremely discouraged.
I recommend you use CRYPT_BLOWFISH or PHP 5.5 password_hash()
. For PHP <5.5 use password_hash() compatibility pack
.
Here is a PDO solution pulled from one of ircmaxell's answers:
Just use the library. Jokes aside. They exist for a reason.
- PHP 5.5+: use
password_hash()
- PHP 5.3.7+: use
password-compat
(compatibility package for above) - Everyone else: use phpass
Don't do it yourself. If you create your own salt, YOU ARE WRONG. ... You should use a library that handles this for you.
$dbh = new PDO(...);
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);
And upon login:
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
if (password_verify($_POST['password'], $users[0]->password) {
// valid login
} else {
// invalid password
}
} else {
// invalid username
}
source to share