I am trying to access my html website on localhost with xampp. The php file is stored in htdocs long with the html file. However i still seem to be getting this error. My database name is check and table name is loginform.
<?php
$host="localhost";
$user="root";
$password="";
$dbname="check";
//create connection
$conn=mysqli_connect('$host', '$user', '$password', '$dbname');
//check connection
if (mysqli_connect_errno()) {
die('could not connect:'.mysqli_connect_error());
# code...
}
//accept values
if (isset($_POST['username'])) {
$uname=$_POST['username'];
$password=$_POST['password'];
$sql="select * from loginform where $uname='".$user."' AND $password='".$pass."' limit 1";
$result=mysqli_query($sql);
//check query
if (mysqli_num_rows($result)==1) {
echo "You have Successfully logged in";
exit();
}
else{
echo "Invalid credentials";
exit();
}
mysqli_close($conn);
}
i cannot access your pc to figure out where the current location but i will talk about your code your login form is vuln [ sql injection ] you should use mysqli_real_escape_string(); or use php pdo more secure ( use bindParam )
for ex:
# mysql connection
$con = new PDO("mysql:host=localhost;dbname=database", 'username', 'password', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8"));
$user = $_POST['username'];
$pass = $_POST['password'];
# login
$query = "SELECT * FROM `tableUsers` WHERE `username`=? AND `password`=?";
$run = $con->prepare($query);
$run->bindParam(1, $user, PDO::PARAM_STR);
$run->bindParam(2, $pass, PDO::PARAM_STR);
$run->execute();
$count = $run->RowCount();
if($count > 0) { // or if ($count === 1)
// login complete the $_SESSION
} else {
// wrong password
}
this code prevent SQLi but still XSS
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.