When I log in with the correct username and password I get the error "Wrong Username or Password". The database connection works, and I think there is something wrong with the username + password check.
<?php
$host="mysql12-int.cp.hostnet.nl"; // Host name
$username="u33936_mick"; // username
$password="//password was correct"; // password
$db_name="db33936_axe"; // Database name
$tbl_name="users"; // Table name

mysql_connect("$host", "$username", "$password");
mysql_select_db("$db_name");

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql = 'SELECT * FROM `users` LIMIT 0, 30 WHERE username="$myusername" and
password="$mypassword"';
$result=mysql_query($sql);
$count=mysql_num_rows($result);

if($count==1){
    session_register("username");
    session_register("password");
    header("location:index.php");
} else {
    echo "Wrong Username or Password";
}
?>
This is my form:
<form name="login" method="post" action="login.php">
    <fieldset id="inputs">
        <input id="myusername" type="text" name="myusername"
               placeholder="Username" required="">
        <input id="mypassword" type="password" name="mypassword"
               placeholder="Password" required="">
    </fieldset>
    <fieldset id="login.php">
        <input type="submit" id="submit" value="Login">
    </fieldset>
</form>
Foremost, I suggest you look into transitioning away from the deprecated mysql_* family of functions in favor of mysqli or PDO, neither of which requires any significant change on your part as far as code goes.

As for your specific bug, it appears that you are incorrectly concatenating the values into the query. Also, your WHERE and LIMIT order is incorrect and invalid SQL. Here is the correct form:
$sql = '
SELECT
*
FROM
`users`
WHERE
username="'.$myusername.'" AND
password="'.$mypassword.'"
LIMIT 0, 30
';
It is not clear what advantage you bring by using the LIMIT statement. Either you should have one matching row, or none. If anything, I would use LIMIT 1. If you got 30 rows back, what would you do with them!?
Converting to PDO is easy! The same query in PDO would look like this:
$host="mysql12-int.cp.hostnet.nl"; // Host name
$username="u33936_mick"; // username
$password="//password was correct"; // password
$db_name="db33936_axe"; // Database name
$pdo = new PDO('mysql:host='.$host.';dbname='.$db_name, $username, $password);
$sth = $pdo->prepare('
SELECT
*
FROM
`users`
WHERE
username=:username AND
password=:password
LIMIT 0, 30
');
$sth->execute(array('username'=>$myusername, 'password'=>$mypassword));
$user = $sth->fetch();
Note that when you use PDO with bound parameters (shown here), you DO NOT have to sanitize with mysql_real_escape_string or addslashes as you have done in your code.

It is not clear where you are defining $mypassword and $myusername, but if you are using registered globals then you should alter your code. Get the values directly from $_POST. addslashes is NOT safe, and neither are registered globals.
Documentation:
mysql_* functions - http://www.php.net/manual/en/function.mysql-query.php
mysqli - http://php.net/manual/en/book.mysqli.php

A few problems:
- $_POST['myusername'] etc. to get the posted variables. If you are relying on register_globals you should turn that off as it is deprecated and poses a security risk;
- LIMIT clause comes at the end in mysql;
- stripslashes and escape functions, instead you should use prepared statements with bound variables in PDO / mysqli as the mysql_* functions are deprecated and passwords can contain for example slashes.

As a side-note, you should really salt and hash your password, don't store plain text passwords in your database.
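The following login check, added here as an example and not taken from either answer, puts the two recommendations together: a PDO prepared statement with bound parameters, and a salted hash compared with password_verify() instead of a plaintext password in the query. It assumes the `users` table has `id`, `username` and `password_hash` columns, where `password_hash` was created with password_hash($plain, PASSWORD_DEFAULT) at registration; the database password is a placeholder.

```php
<?php
// Added example, not the original poster's or either answer's code.
// Assumes `users`(id, username, password_hash) with hashes produced by
// password_hash($plain, PASSWORD_DEFAULT) when the account was created.
session_start();

$host     = "mysql12-int.cp.hostnet.nl";
$db_name  = "db33936_axe";
$username = "u33936_mick";
$password = "DB_PASSWORD_PLACEHOLDER"; // placeholder, not a real credential

// Read the form fields from $_POST only; do not rely on register_globals.
$myusername = $_POST['myusername'] ?? '';
$mypassword = $_POST['mypassword'] ?? '';

$pdo = new PDO(
    "mysql:host=$host;dbname=$db_name;charset=utf8mb4",
    $username,
    $password,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Only the username is bound into the query; the password never touches SQL.
// With bound parameters there is no stripslashes()/escaping to do by hand.
$sth = $pdo->prepare(
    'SELECT id, username, password_hash FROM `users` WHERE username = :username LIMIT 1'
);
$sth->execute(['username' => $myusername]);
$user = $sth->fetch(PDO::FETCH_ASSOC);

// password_verify() reads the salt embedded in the stored hash and compares
// in constant time, so slashes or quotes in the password are irrelevant.
$valid = $user !== false && password_verify($mypassword, $user['password_hash']);

if ($valid) {
    session_regenerate_id(true);        // new session id on login (anti-fixation)
    $_SESSION['user_id'] = $user['id']; // store an identifier, never the password
    header('Location: index.php');
    exit;
}

// Same message whether the username or the password was wrong.
echo "Wrong Username or Password";
```

Registration must store password_hash($plain, PASSWORD_DEFAULT) in `password_hash`; existing plaintext rows need a one-time migration before this check will accept them.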