
user login with php and mysql database

I'm new to mysql and php.

Been working on creating a database with a table for users.

I've managed to successfully add users to the database, and their passwords with md5 (yeah, I know it's not secure); it's not going to be launched online.

My problem is, how do I log a user in, based on their correct username and password.

here is my code

My logic is that after the query runs, it will return either true or false.

If true, then display successful login, else unsuccessful.

However, even if I input a correct username and password, I still get an unsuccessful login message.

I checked the MySQL database, and the username is in there correctly.

ideas?

if(!empty($_POST['userLog']) && !empty($_POST['passLog']))
{
    //set the username and password variables from the form
    $username = $_POST['userLog'];
    $password = $_POST['passLog'];

    //create sql string to retrieve the string from the database table "users"
    $sql = "SELECT * FROM `users` WHERE userName = '$username' AND password = md5('$password')";
    $result = mysql_query($sql);
        if ($result == true) {
            $return = "<font color=#008000><Center><b>**Successful Login**</b></Center></font>";
        } else {
            $return = "<font color=#ff0000><Center><b>**Failed Login**</b></Center></font>";
        }
        print($return);
}

I'm not entirely sure your SQL will run, but just to be on the safe side.

Change it so that

$password_hash = md5($password);

$sql = "SELECT * FROM `users` WHERE userName = '$username' AND password = '$password_hash'";

And for your original question

if(mysql_num_rows($result) == 1) { //If the SQL returns one row, that means that a user was found with `userName = $username` and `password = md5($password)`
    // Login
} else {
    // Authentication Failed
}

Also, consider using MySQLi instead of MySQL since it has been deprecated.

First of all, protect your code against SQL injections.

Then, make sure that the password in the DB is really hashed with the md5() function. Make sure your form uses the POST method to pass the data to the script.

Try the following code:

if(!empty($_POST['userLog']) && !empty($_POST['passLog']))
{
    //set the username and password variables from the form
    $username = $_POST['userLog'];
    $password = $_POST['passLog'];

    //create sql string to retrieve the string from the database table "users"
    // md5($password) without quotes: single quotes would hash the literal text '$password'
    $sql = "SELECT * FROM `users` WHERE userName = '". addslashes($username) ."' AND password = '". md5($password)."'";
    $result = mysql_query($sql);
        if (mysql_num_rows($result)>0) {
            $return = "<font color=#008000><Center><b>**Successful Login**</b></Center></font>";
        } else {
            $return = "<font color=#ff0000><Center><b>**Failed Login**</b></Center></font>";
        }
        print($return);
}

mysql_query doesn't return TRUE or FALSE. Per the docs ( http://php.net/manual/en/function.mysql-query.php ), it returns a resource if successful, or FALSE if there is an error. You need to evaluate the resource to see if it's valid.

if(!empty($_POST['userLog']) && !empty($_POST['passLog']))
{
    //set the username and password variables from the form
    $username = $_POST['userLog'];
    $password = $_POST['passLog'];

    //create sql string to retrieve the string from the database table "users"
    $sql = "SELECT * FROM `users` WHERE userName = '$username' AND password = md5('$password')";
    $result = mysql_query($sql);
    if ($result && $row = mysql_fetch_assoc($result)) {
        $return = "<font color=#008000><Center><b>**Successful Login**</b></Center></font>";
    } else {
        $return = "<font color=#ff0000><Center><b>**Failed Login**</b></Center></font>";
    }
    print($return);
}

As mentioned in my comment, the issue seems to be your sql string. Instead of hashing, you are putting the method into the string. So change

$sql = "SELECT * FROM `users` WHERE userName = '$username' AND password = md5('$password')";

to

$sql = "SELECT * FROM `users` WHERE userName ='$username' AND password = '".md5($password)."'";

Your result will not be true or false, but since php treats any value not a 0 as true, it will work as is. Also, it is strongly recommended to escape all data going into your sql string to prevent sql injection. Another note: mysql is being deprecated, so now would be a great time to move to something like mysqli.
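
The points raised across the answers (check for a matching row rather than the truthiness of the query result, keep user input out of the SQL string, move off the deprecated mysql_* functions), combined in an added example that is not from any of the posts above. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline, uses password_hash()/password_verify() in place of md5(), and the checkLogin() helper and the sample account are constructed for illustration.

```php
<?php
// Added example: parameterized login check with PDO.
// Assumption: in-memory SQLite stands in for MySQL so this runs offline;
// with MySQL only the DSN passed to the PDO constructor changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userName TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample accounts; password_hash() replaces the md5() used on the page.
$insert = $pdo->prepare('INSERT INTO users (userName, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'neil", password_hash('hunter2-sample', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns true only when the user exists and the password verifies.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely,
    // so no addslashes() or manual escaping is needed.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE userName = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    // A query that ran successfully is not a successful login:
    // a row must exist and the stored hash must verify.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs: valid login, wrong password, unknown user,
// and a username containing a quote (which would break a concatenated query).
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['bob', 'correct horse'],
    ["o'neil", 'hunter2-sample'],
];
foreach ($attempts as [$user, $pass]) {
    $outcome = checkLogin($pdo, $user, $pass) ? 'Successful Login' : 'Failed Login';
    printf("%-10s => %s\n", $user, $outcome);
}
```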
