Simple login script not working

[kostakondras]

I have a form on my website which actions login.php. The login.php code is below:

 

<?php
include('includes/classes.php.inc');
session_start();
$link = new BaseClass();
$data = $link->query("SELECT * FROM logins");
$pass_accepted = false;
if($_REQUEST['username'] && $_REQUEST['password']){
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
while($row = mysql_fetch_array($data)){
if(($row['username']==$useranme)&&($row['password']==$password){
	echo 'Password correct!';
	$_SESSION['loggedin']=true;
	$pass_accepted = true;
} 
}
} else {
echo 'You did not enter a username or password!';
}
if(!$pass_accepted){ echo 'Your password is incorrect'; }
echo '<br>Please <a href="index.php">click here</a> to return to page'; 
?>

 

I have checked that my references are all correct however even when I enter the correct password it returns saying the password is incorrect. Any idea on why this could be? I am happy to answer any follow up questions.

 

Regards

[revraz]

Why are you selecting all records in the database? Select only the record where the userid and pw matches the row.

 

"SELECT * FROM logins where 'username' = $useranme and 'password' = $password"

 

You should also be hashing the password as well as sanitizing the username.

[BLaZuRE]

You've got a typo in:

if(($row['username']==$useranme)&&($row['password']==$password){

 

Also,

Why are you selecting all records in the database? Select only the record where the userid and pw matches the row.

 

"SELECT * FROM logins where 'username' = $useranme and 'password' = $password"

 

You should also be hashing the password as well as sanitizing the username.

 

Personally, I would use backticks.  Also, strings should be surrounded by single quotes when querying a database:

 

"SELECT * FROM logins where `username` = '$username' and `password` = '$password'"