subhomoy Posted June 24, 2014 Share Posted June 24, 2014 hello every1 I am creating a login script using pdo.. The problem i;m facing is that inspite of giving the right login details, it shows "wrong username / password." The pdo code is shown below function login_members($uname,$pwd,$type) { $q = $this->connect()->prepare("SELECT * FROM members WHERE username='?' AND password='?' AND type='?' LIMIT 1"); $q->bindParam(1, $username,PDO::PARAM_STR); $q->bindParam(2, $pwd,PDO::PARAM_STR); $q->bindParam(3, $type,PDO::PARAM_STR); if($q->execute()) { $row = $q->fetch(PDO::FETCH_ASSOC); if(($row['username']===$uname) && ($row['password']===$pwd)) { return TRUE; } else { return FALSE; } } else { return FALSE; } } in the main page if($pdo->login_members($uname,$pwd,$type)) { echo "<div class='correct_message' style='display:block'>You have been successfully logged in...</div>"; } else { echo "<div class='error_message' style='display:block'>wrong username / password</div>"; } Any help will be greatly appreciated.... Quote Link to comment https://forums.phpfreaks.com/topic/289269-cant-login-using-pdo/ Share on other sites More sharing options...
Jacques1 Posted June 24, 2014 Share Posted June 24, 2014 You mustn't enclose the parameters in quotes. In the query above, there are actually no parameters at all. You're literally asking for the user whose name, password and type is a question mark. There are two other things: Why do you again check the username and password after you've retrieved the row? You know the values already, because you've selected the row based on the username and password. You really cannot store passwords as plaintext, even if this is just a school project, a hobby site or whatever. Quote Link to comment https://forums.phpfreaks.com/topic/289269-cant-login-using-pdo/#findComment-1483123 Share on other sites More sharing options...
mogosselin Posted June 24, 2014 Share Posted June 24, 2014 That line: $q = $this->connect()->prepare("SELECT * FROM members WHERE username='?' AND password='?' AND type='?' LIMIT 1"); Should be $q = $this->connect()->prepare("SELECT * FROM members WHERE username=? AND password=? AND type=? LIMIT 1"); You are calling the bind parameter like this: $q->bindParam(1, $username,PDO::PARAM_STR); And you are telling PDO that your parameter is a string (PARAM_STR). The bindParam function is intelligent enough to know that it should add quotes around the value. For example, if it was a number, it won't add quotes in the query. To check if the rows exists, can't you use something like this? $rows = $result->fetch(PDO::FETCH_NUM); if($rows == 1) { // one row was returned, the credentials are OK } else { // credentials not ok (or 2 or more rows with the same credentials, which would be weird) } Quote Link to comment https://forums.phpfreaks.com/topic/289269-cant-login-using-pdo/#findComment-1483145 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.