Clever Geek Handbook

PHP, SQL, user database

I hope I formatted the code correctly. I am having trouble getting this expression to execute. I searched and looked for what this statement should look like. However, when I run it regardless of the password, if the username starts with kacey then it goes to echo "Logged in as: " . kacey;

Similarly, if I put the login in kaceyfeewaf it still goes to echo "Logged in as: " . $myuser;

This happens regardless of the password entered. The string $result['username']

must be checked for KACEY.

$sql = "SELECT * FROM $dbTable WHERE username = $myuser AND password = $mypass";
$result = mysql_query($sql);

if($result['username'] = $myuser && $result['password'] = $mypass;) 
{
    echo "Logged in as: " . $myuser;    
} else {
    echo "Fail "; 
  }
+3


source to share


3 answers


There are several problems here.

First, the variables you have in your query are strings, so they must be quoted:

WHERE username = '$myuser' AND password = '$mypass'

A or die(mysql_error())

before mysql_query()

would mean a syntax error.

Then you assign instead of comparison with

if($result['username'] = $myuser && $result['password'] = $mypass;)

use two values ==

However, you don't check if these lines exist.

You need to use mysql_num_rows()

or use a loop while

using a function to retrieve / iterate over the found results.

Here's a MySQLi example using mysqli_num_rows()

:

$conn=mysqli_connect("hostname","username","password","db");

$check_select = mysqli_query($conn, "SELECT * FROM `users` 
                                     WHERE email = '$email' AND pw='$pass'"); 

$numrows=mysqli_num_rows($check_select);

if($numrows > 0){
// do something
}

Now we do not know where these variables were assigned, and if from the form that uses the POST method with the appropriate name attributes.

i.e:.

<form action="" method="post">
<input type="text" name="username">
...
</form>

$username = $_POST['username'];

Another thing that we don't know is the MySQL API you are working with to communicate. Make sure you are actually using the same one that you want to contact while being mysql_

. Different APIs don't mix, like mysqli_

PDO or. Use the same one from the query connection.



Add a bug report to the top of your file (s) to help you find bugs.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done during staging and should never be done.

I noticed that you can store passwords in plain text. If so, then it is extremely discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5 password_hash()

. For PHP <5.5 use password_hash() compatibility pack

.

Here is a PDO solution pulled from one of ircmaxell's answers:

Just use the library. Jokes aside. They exist for a reason.

Don't do it yourself. If you create your own salt, YOU ARE WRONG. ... You should use a library that handles this for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And upon login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}
+4


source


You should use == instead of simple = for your if condition



+1


source


First of all remove this if stmt and create a new one where you check the number of lines. If the number of rows> 0, you have a valid login. And then print the required results from the current database query.

Edit:

You have = insted from == or ===, so stmt is always true.

+1


source






More articles:


All Articles