gskurski Posted May 11, 2010

Hello, I'm brand new to this forum so forgive me if I'm not following protocol, but I was hoping to get some help with some of my code. I am trying to create a login page that asks for a username and password, posts it to a php file, which connects to mysql database and verifies the username and password, and then either goes to the member page, or denies access. This is what I have so far.

From the login page:

    <form action="login.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" />
    </form>

login.php ---

    <?php
    $con = mysql_connect("host","admin","adminpass");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("database_users", $con);
    $result = mysql_query("SELECT `Username` FROM users WHERE Username='$_POST["username"]' AND Password='$_POST["password"]'");
    if ($result='$_POST["username"]')
        header("Location: http://www.website.com/members.html");
    else
        echo "Incorrect username and/or password";
    ?>

I changed the relevant variables to make it anonymous for the forum, but they're correct in my original source. Any help would be appreciated!

Thanks,
Gerry

Link to comment: https://forums.phpfreaks.com/topic/201391-help-with-usernamepassword-code/

mikesta707 Posted May 11, 2010

$result is a mysql resource, not the column information. if you want the row info, even if you only select one column, you have to use one of the mysql_fetch_XXX functions. Example with fetch_assoc ....

    $row = mysql_fetch_assoc($result);
    $username = $row['username'];//where 'username' is put the name of the column

Also, you don't sanitize your inputs at all. That script is open to a SQL injection. mysql_real_escape_string() should be used on all input variables you use in queries. For example:

    $username = mysql_real_escape_string($_POST['username']);
    $query = "select .. blah blah ... WHERE USERNAME='$username' AND .. blah";

gskurski (Author) Posted May 18, 2010

Thanks for your help!

ignace Posted May 18, 2010

    if ($result='$_POST["username"]')

Like mikesta already said $result is a result resource and the above code assigns '$_POST["username"]' (literally) to $result due to =. You most probably are looking for:

    $row = mysql_fetch_assoc($result);
    if ($row['username'] == $_POST['username'])

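An added example, not written by any poster in this thread: the login check from the original post with the interpolated query beside a parameterized one that fetches the row before deciding. It swaps in PDO bound parameters and password_hash()/password_verify() in place of the thread's mysql_* calls (the mysql extension was removed in PHP 7); the in-memory SQLite database, the function names and the sample account are constructed for illustration.

```php
<?php
// Added example with constructed data; assumes PHP 7+ with the pdo_sqlite driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');
// Constructed account; the Password column holds a hash, not the plain password.
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['gerry', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

// "Before": input is interpolated into the SQL text, as in the original post.
// Hypothetical helper name; any returned row is treated as a successful login.
function login_interpolated(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT Username FROM users WHERE Username='$user' AND Password='$pass'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// "After": input travels as a bound parameter and never becomes SQL text.
// The row is fetched first (the point made about $result in the replies),
// then the submitted password is verified against the stored hash.
function login_prepared(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT Username, Password FROM users WHERE Username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // array, or false when no row matches
    if ($row === false) {
        return false;
    }
    return password_verify($pass, $row['Password']);
}

// Constructed input containing a quote, which changes the WHERE clause
// when it is interpolated but is just an (incorrect) password when bound.
$crafted = "' OR '1'='1";

var_dump(login_interpolated($pdo, 'gerry', $crafted));
var_dump(login_prepared($pdo, 'gerry', $crafted));
var_dump(login_prepared($pdo, 'gerry', 's3cret-demo'));
var_dump(login_prepared($pdo, 'gerry', 'wrong'));
```

Run from the command line with `php`; only the interpolated version accepts the crafted input, and the prepared version accepts only the real password.
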
This topic is now archived and is closed to further replies.