Jump to content

Recommended Posts

hello every1

 

I am creating a login script using pdo.. The problem i;m facing is that inspite of giving the right login details, it shows "wrong username / password."

 

The pdo code is shown below

function login_members($uname,$pwd,$type)
    {
        $q = $this->connect()->prepare("SELECT * FROM members WHERE username='?' AND password='?' AND type='?' LIMIT 1");
              $q->bindParam(1, $username,PDO::PARAM_STR);
              $q->bindParam(2, $pwd,PDO::PARAM_STR);
              $q->bindParam(3, $type,PDO::PARAM_STR);
              
              if($q->execute())
              {
                  $row = $q->fetch(PDO::FETCH_ASSOC);
                  if(($row['username']===$uname) && ($row['password']===$pwd))
                  {
                      return TRUE;
                  }
                  else
                  {
                      return FALSE;
                  }                     
              }
              else
              {
                  return FALSE;
              }
    }

in the main page

if($pdo->login_members($uname,$pwd,$type))
   {
        echo "<div class='correct_message' style='display:block'>You have been successfully logged in...</div>";
   }
else
   {
      echo "<div class='error_message' style='display:block'>wrong username / password</div>";
   }

Any help will be greatly appreciated....

 

 

Link to comment
https://forums.phpfreaks.com/topic/289269-cant-login-using-pdo/
Share on other sites

You mustn't enclose the parameters in quotes. In the query above, there are actually no parameters at all. You're literally asking for the user whose name, password and type is a question mark.

 

There are two other things:

  • Why do you again check the username and password after you've retrieved the row? You know the values already, because you've selected the row based on the username and password.
  • You really cannot store passwords as plaintext, even if this is just a school project, a hobby site or whatever.

That line:

$q = $this->connect()->prepare("SELECT * FROM members WHERE username='?' AND password='?' AND type='?' LIMIT 1");

Should be

$q = $this->connect()->prepare("SELECT * FROM members WHERE username=? AND password=? AND type=? LIMIT 1");

You are calling the bind parameter like this:

$q->bindParam(1, $username,PDO::PARAM_STR);

And you are telling PDO that your parameter is a string (PARAM_STR). The bindParam function is intelligent enough to know that it should add quotes around the value. For example, if it was a number, it won't add quotes in the query.

 

 

To check if the rows exists, can't you use something like this?

$rows = $result->fetch(PDO::FETCH_NUM);
if($rows == 1) {
// one row was returned, the credentials are OK
} else {
// credentials not ok (or 2 or more rows with the same credentials, which would be weird)
}
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.