I've checked all the variables. All of them contain the correct data. However, when I call mysql_num_rows() it returns NULL, instead of 1. So my login script says Wrong user and password, when they actually are correct.
<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
ob_start();
$host="mywebsite.it"; // Host name
$username="whateveruser"; // Mysql username
$password="whateverpassword"; // Mysql password
$db_name="whateverdb"; // Database name
$tbl_name="whatevertable"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
print "$db_name\n";/*These is correct*/
print "$tbl_name\n";/*These is correct*/
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
/*To protect MySQL injection*/
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
print "\n$result"; /*These is correct*/
// Mysql_num_row is counting table row
$count = mysql_num_rows($result); /*This isn't actually returning 1*/
echo '<pre>'; var_dump($count); echo '</pre>';
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("Location:Target.php");
}
else {
echo "Wrong Username or Password"; /*my script always goes here*/
}
ob_end_flush();
?>
This looks like it should work. However, please discontinue the use of the mysql_* functions. They are deprecated and there are many security issues.
Instead, I highly recommend that you use a library that supports native encoding like PDO. ( http://www.php.net/manual/en/class.pdo.php ) Specifically, I recommend you use prepared statements. ( http://www.php.net/manual/en/pdo.prepare.php )
I have provided a quick example below.
Here is a quick connection function:
<?php
function connectToDb($dbms, $host, $port, $username, $password) {
$dsn = sprintf('%s:host=%s;port=%d', $dbms, $host, $port);
$attributes = array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
);
// Wrap PDO instantiation in a try->catch so credentials don't end up in
// stack traces
try {
$connection = new PDO(
$dsn, $username, $password, $attributes
);
} catch (Exception $exception) {
throw new Exception($exception->getMessage());
}
return $connection;
}
Here is a quick example for how to use it:
// Connect to the database
$connection = connectToDb(
'mysql', 'localhost', '3306', 'bryan', ''
);
// Prepare the statement with parameters we can bind user input to
// These parameters will be properyly encoded to prevent SQL injection
$statement = $connection->prepare(
'SELECT user,password FROM mysql.user WHERE user = :username'
);
// Perform the search with the user-supplied data
// We'll pretend here with $usernameSearch
$usernameSearch = 'bryan';
$statement->execute(
array(':username' => $usernameSearch)
);
// Get the result set row count
$rowCount = $statement->rowCount();
// Do What you need to do
if ($rowCount > 0) {
// Fetch a row
$result = $statement->fetch(PDO::FETCH_ASSOC);
printf("Found a record for %s!\n", $result['user']);
} else {
echo "No record found!\n";
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.