PHP mySQL check if username and password are in the database
Question
I want my code to check if the username and password exist in my database. It does work hardcoded, but I want to do it with a database.Right now this is what I have:
if(isset($_POST["name"], $_POST["password"]))
{
$name = $_POST["name"];
$password = $_POST["password"];
$result1 = mysql_query("SELECT password FROM Users WHERE username = '".$name."'");
$result2 = mysql_query("SELECT username FROM Users WHERE password = '".$password."'");
if($name == $result2 && $password == $result1)
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo'The username or password are incorrect!';
}
}
The problem is in the result1/2 part I think, cause when I use the right username and password in my site it gives the incorrect message.
Oh yes and the query works too, tried it in PHPmyAdmin but then without the $name part which I replaced it with the username
4 answers
solution1
6 ACCPTED 2014-10-06 18:44:49
You can use mysql_num_rows() and combine your query - See footnotes
if(isset($_POST["name"], $_POST["password"]))
{
$name = $_POST["name"];
$password = $_POST["password"];
$result1 = mysql_query("SELECT username, password FROM Users WHERE username = '".$name."' AND password = '".$password."'");
if(mysql_num_rows($result1) > 0 )
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo 'The username or password are incorrect!';
}
}
In order to make your present code a bit more secure, use:
$name = stripslashes($_POST["name"]);
$name = mysql_real_escape_string($_POST["name"]);
$password = stripslashes$_POST["password"]);
$password = mysql_real_escape_string($_POST["password"]);
but do look at the links below about using prepared statements and password hashing.
Footnotes:
Your present code is open to SQL injection . Use prepared statements , or PDO with prepared statements . Visit those links for more information.
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
If you are and this is a LIVE site, you will eventually get hacked.
I recommed you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack .
mysql_* functions deprecation notice:
http://www.php.net/manual/en/intro.mysql.php
This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.
These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/ .
Documentation for MySQL can be found at » http://dev.mysql.com/doc/ .
Edit: to help out OP (do look into the links I've provided concerning password hashing).
Try replacing
if(mysql_num_rows($result1) > 0 )
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo 'The username or password are incorrect!';
}
with:
while($row=mysql_fetch_assoc($result1))
{
$check_username=$row['username'];
$check_password=$row['password'];
}
if($username == $check_username && $password == $check_password){
echo "Matches.";
}
else{
echo "No match found.";
}
solution2
0 2019-01-26 13:51:40
Try this: (i have used mysql object oriented,if you want you can use other version)
if(isset($_POST["name"], $_POST["password"])) {
$name = $_POST["name"];
$password = $_POST["password"];
$select1 = "SELECT password FROM USERS WHERE username = '".$name."'";
$result1=$conn->query($select1);
$row1=$result1->fetch_assoc();
$select2 = "SELECT username FROM USERS WHERE password = '".$password."'";
$result2=$conn->query($select2);
$row2=$result2->fetch_assoc();
if($name == $row2["username"] && $password == $row1["password"])
{
$_SESSION["logged_in"] = true;
$_SESSION["naam"] = $name;
}
else
{
echo'The username or password are incorrect!';
}
solution3
-1 2014-10-06 18:38:16
The $name and $password are probably strings. If your queries are going through and completing properly, they will be returned as objects.
In order for that to work, you just have to remove $name == and $password == from the if() conditional!
You can also combine those queries for simplicity.
<?php
$result = mysql_query("SELECT username, password FROM Users WHERE username = '".$name."' && password = '".$password."'");
if ($result && mysql_num_rows($result) > 0) {
// Login
} else {
// Failed!
}
That will accomplish the same thing, if you don't care about knowing which one failed.
solution4
-1 2019-06-25 11:14:13
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();
if(count($_POST)>0)
{
include'includePhp.php';
$sql="SELECT * FROM admin WHERE username='" . $_POST['username'] . "' AND password = '". $_POST['password']."'";
$result = $con->query($sql);
if ($result->num_rows > 0)
{
while($row = $result->fetch_assoc())
{
if(!empty($row) && !empty($row['username']) AND !empty($row['password']))
{
$_SESSION['username'] = $row['username'];
echo "SUCCESSFULLY LOGIN ";
header("Location: inDhanush.php");
}
else
{
echo "Try again";
}
}
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.