
Unable to login with correct username and password php and mysql

Hello everyone, I'm new to PHP. I was just trying to create a multi-user login system. With the first approach I get what is required, but whenever I try to log in with a wrong username or password, the else statement echoes multiple times. With the second approach, the last statement is executed every time I try to log in, even with the correct username and password.

This is the first approach

    if(isset($_POST['signin'])){
        $username = $_POST['username'];
        $password = $_POST['password'];
        $query = "SELECT * from `users`;";
        if(count(fetchAll($query))>0){
            foreach(fetchAll($query) as $row){
                if($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="admin"){
                    echo "Admin";
                }elseif($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="teacher"){
                    echo "Teacher";
                }elseif($username==$row["username"]&&$password==$row["password"]&&$row["type"]=="student"){
                    echo "Student";
                }else{
                    echo "Username or password not found!";
                }
            }
        }else{
            echo "<script>alert('Unknown Error')</script>";
        }
    }

And this is the second one

    if(isset($_POST['signin'])){
        $username = $_POST['username'];
        $password = $_POST['password'];
        $admin_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'admin';";
        $teacher_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'teacher';";
        $student_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'student';";
        if(performQuery($admin_query==1)){
            echo "Admin";

        }elseif(performQuery($teacher_query==1)){
            echo "Teacher";

        }elseif(performQuery($student_query==1)){
            echo "Student";

        }else{
            echo "No user found ";
        }
    }

The performQuery function is

    function performQuery($query){
        $con = new PDO(DBINFO,DBUSER,DBPASS);
        $stmt = $con->prepare($query);
        if($stmt->execute()){
            return true;
        }else{
            return false;
        }
    }

    <?php
    $con = mysqli_connect(''); // taking as your connection query

    $username = "whatever"; // taking as user input
    $password = "Password"; // taking as user input

    // By using direct data in the SQL login query you are subject to SQL injection. Please make sure to use prepared statements.

    $admin_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'admin';";
    $teacher_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'teacher';";
    $student_query = "SELECT * from `users` where username = '$username' and password = '$password' and type = 'student';";

    // by using the OOP approach
    // query() returns a result object even when no row matches, so num_rows is checked as well
    if(($result = $con->query($admin_query)) && $result->num_rows > 0){
        echo "Admin";

    }elseif(($result = $con->query($teacher_query)) && $result->num_rows > 0){
        echo "Teacher";

    }elseif(($result = $con->query($student_query)) && $result->num_rows > 0){
        echo "Student";

    }else{
        echo "No user found ";
    }

    // by using the procedural approach
    // mysqli_query() also returns a result for an empty match, so mysqli_num_rows() is checked
    if(($result = mysqli_query($con,$admin_query)) && mysqli_num_rows($result) > 0){
        echo "Admin";

    }elseif(($result = mysqli_query($con,$teacher_query)) && mysqli_num_rows($result) > 0){
        echo "Teacher";

    }elseif(($result = mysqli_query($con,$student_query)) && mysqli_num_rows($result) > 0){
        echo "Student";

    }else{
        echo "No user found ";
    }
    ?>

Note: Use a prepared statement to avoid SQL injection

First, when you are using a database query, try to bind the parameters instead of concatenating them into your query, because concatenation will lead to SQL injection.

Now, your code shows that you are passing a boolean to your performQuery function instead of the query.

performQuery($admin_query==1) will lead to performQuery(false) as $admin_query is not equal to 1. That's why your query is failing.

If you print the $query in your function you will find it out.

So, you have to remove that check inside the parameter. The code will look like this:

        if(performQuery($admin_query)){
            echo "Admin";

        }elseif(performQuery($teacher_query)){
            echo "Teacher";

        }elseif(performQuery($student_query)){
            echo "Student";

        }else{
            echo "No user found ";
        }


        function performQuery($query){
            try {
                $con = new PDO(DBINFO,DBUSER,DBPASS);
                $stmt = $con->prepare($query);
                if($stmt->execute()){
                    // execute() only says the SQL ran; a fetched row means a user matched
                    if($stmt->fetchColumn() !== false){
                        return true;
                    }
                }else{
                   echo 'Error -> ';
                   var_dump($stmt->errorInfo());
                   echo '<br/>Query -> ';
                   var_dump($query);
                }
            } catch(Exception $e) {
                echo 'Exception -> ';
                var_dump($e->getMessage());
                echo '<br/>Query -> ';
                var_dump($query);
            }
            return false;
        }
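
The bound-parameter login that both answers recommend, written as one query instead of three. This is an added example, not code from the question or from either answer. It assumes the `password` column holds `password_hash()` output rather than plain text, uses an in-memory SQLite database with constructed rows so it runs offline, and `loginType` is a hypothetical helper name.

```php
<?php
// Added example, not code from the posts above. Assumes a `users` table with
// columns username, password (a password_hash() value) and type.

// Constructed demo data in an in-memory SQLite database so the script runs
// offline; for MySQL use new PDO(DBINFO, DBUSER, DBPASS) as in the question.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, type TEXT)');
$insert = $con->prepare('INSERT INTO users (username, password, type) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'admin']);
$insert->execute(['bob', password_hash('demo-pass', PASSWORD_DEFAULT), 'student']);

/**
 * Hypothetical helper: returns the user's type ('admin', 'teacher', 'student')
 * on a successful login, or null when the username or password is wrong.
 */
function loginType(PDO $con, string $username, string $password): ?string
{
    // One query; the username is bound as a parameter, never concatenated.
    $stmt = $con->prepare('SELECT password, type FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // execute() succeeding only means the SQL ran; no row means no such user.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['type'];
}

// Constructed inputs: a valid login, a wrong password, and a username that
// contains quote characters, which the bound parameter treats as plain data.
$attempts = [
    ['alice', 's3cret-demo'],
    ['bob', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $type = loginType($con, $user, $pass);
    echo $type === null ? "Username or password not found!\n" : ucfirst($type) . "\n";
}
```

Because the lookup returns at most one row, the "not found" message is produced once per attempt instead of once per row in the table.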
