gskurski
Posted May 11, 2010

Hello,

I'm brand new to this forum so forgive me if I'm not following protocol, but I was hoping to get some help with some of my code. I am trying to create a login page that asks for a username and password, posts it to a PHP file, which connects to a MySQL database and verifies the username and password, and then either goes to the member page, or denies access. This is what I have so far.

From the login page:

```html
<form action="login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" />
</form>
```

login.php ---

```php
<?php
$con = mysql_connect("host","admin","adminpass");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_users", $con);
$result = mysql_query("SELECT `Username` FROM users WHERE Username='$_POST["username"]' AND Password='$_POST["password"]'");
if ($result='$_POST["username"]')
    header("Location: http://www.website.com/members.html");
else
    echo "Incorrect username and/or password";
?>
```

I changed the relevant variables to make it anonymous for the forum, but they're correct in my original source.

Any help would be appreciated!

Thanks,
Gerry

mikesta707
Posted May 11, 2010

$result is a mysql resource, not the column information. If you want the row info, even if you only select one column, you have to use one of the mysql_fetch_XXX functions. Example with fetch_assoc:

```php
$row = mysql_fetch_assoc($result);
$username = $row['username']; // where 'username' is, put the name of the column
```

Also, you don't sanitize your inputs at all. That script is open to a SQL injection. mysql_real_escape_string() should be used on all input variables you use in queries. For example:

```php
$username = mysql_real_escape_string($_POST['username']);
$query = "select .. blah blah ... WHERE USERNAME='$username' AND .. blah";
```

gskurski (Author)
Posted May 18, 2010

Thanks for your help!

ignace
Posted May 18, 2010

```php
if ($result='$_POST["username"]')
```

Like mikesta already said, $result is a result resource and the above code assigns '$_POST["username"]' (literally) to $result due to =. You most probably are looking for:

```php
$row = mysql_fetch_assoc($result);
// The array key must match the selected column name, `Username`.
if ($row['Username'] == $_POST['username'])
```
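
The two points raised in the replies (fetch the row instead of testing the result handle, and keep request values out of the SQL text), shown side by side as an added example that is not part of the thread or any poster's code. It assumes PDO with an in-memory SQLite database in place of the thread's `mysql_*` calls (that extension was removed in PHP 7.0) and uses placeholders rather than escaping; the table contents and the function names `login_concat` and `login_prepared` are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Constructed in-memory table
// standing in for the thread's `users` table (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT)");
// Constructed sample row; the plaintext Password column mirrors the thread's schema.
$db->prepare("INSERT INTO users VALUES (?, ?)")->execute(["O'Brien", "s3cret"]);

// Same shape as the thread's query: request values become part of the SQL text.
function login_concat(PDO $db, string $user, string $pass): string {
    $sql = "SELECT Username FROM users WHERE Username='$user' AND Password='$pass'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC); // a row, not the result handle
    } catch (PDOException $e) {
        return 'sql error'; // the apostrophe in the name was parsed as SQL syntax
    }
    return $row !== false ? 'ok' : 'denied';
}

// Placeholders: the values travel separately and are never parsed as SQL.
function login_prepared(PDO $db, string $user, string $pass): string {
    $stmt = $db->prepare("SELECT Username FROM users WHERE Username = ? AND Password = ?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare with ===; a single = would assign, as in the original if().
    return ($row !== false && $row['Username'] === $user) ? 'ok' : 'denied';
}

// A legitimate user whose name contains an apostrophe, with a right and a wrong password.
foreach ([["O'Brien", "s3cret"], ["O'Brien", "wrong"]] as [$u, $p]) {
    printf("%-7s concat=%-10s prepared=%s\n", $p,
        login_concat($db, $u, $p), login_prepared($db, $u, $p));
}
```

An SQL error triggered by an ordinary apostrophe in a username is a quick sign that input is reaching the SQL parser as code rather than as data.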