Issue with Mysqli Query Result

Question

I am trying to make a login form using mysqli method.I am not getting any error but in both case (Correct or Incorrect Authentication) I am getting the second part of the IF condition result! "You are not allowed!."

<?php
include_once('db.php');
$eMail = mysql_real_escape_string($_POST["eMail"]);
$passWord = mysql_real_escape_string($_POST["psword"]);
$query  = "SELECT count(*) FROM users WHERE (email='$eMail' AND pass='$passWord')";
if( $query > 0 ) {
echo "You are allowed.";
}
else{
echo "You are not allowed!.";
}
$mysqli->close();
?>

I also changed to if condition to following

if( $mysqli->query > 0 ){}

I have a table called users and two columns(email, pass) containing users Email and Password.Now can you please let me know what I am doing wrong? Thanks

Answer 1

For some reason you are using mysql and mysqli functions. This should be updated. This is also off the assumption that your variable $mysqli contains a valid mysqli database connection:

<?php
include_once('db.php');
$eMail = mysqli_real_escape_string($mysqli,$_POST["eMail"]);
$passWord = mysqli_real_escape_string($mysqli,$_POST["psword"]);
$query  = $mysqli->query("SELECT count(*) FROM users WHERE (email='$eMail' AND pass='$passWord') LIMIT 1");
if( $mysqli->num_rows($query) > 0 ) {
    echo "You are allowed.";
}else{
    echo "You are not allowed!.";
}
mysqli_free_result($query);
$mysqli->close();?>

Answer 2

The use of the mysql_* extensions has been discouraged in favor of mysqli and/or pdo functions.

Your code is failing because there's no calling of the mysql_query function, so in this line of your code:

$query > 0 

All you are doing is verifying if your String is greater than 0 and that's why you are always getting a false result.

I've made an adaptation from my object oriented login method to a (most of) procedural one.

Look below for a different approach on handling user input by binding parameters to a prepared statement:

function login($email, $password, $mysqli){
    if($login_stmt = $mysqli->prepare("SELECT Pass,Salt from Users WHERE Email = ? LIMIT 1")){
        $login_stmt->bind_param('s',$email);
        //The line above prevents SQL Injection
        $login_stmt->execute();
        $login_stmt->store_result();

        $rows = $login_stmt->num_rows;

        $login_stmt->bind_result($db_pass,$salt); //Stores the result in the $db_pass and $salt variables
        $login_stmt->fetch();
        $password = hash('sha512',$password.$salt); //This is a method I'm using to encrypt using sha512 encription
        if($rows==1){//The user exists
            if($db_pass==$password){
            //User logged in, do your stuff here
                return true;
            } else { 
                //password not correct
                return false;
            }
        } else{
            return false; //no user
        }
     } else {
         //Prepared statement failed
         return false;
    }
}

The main difference here is how the prepared statement alongside with bind_param will prevent SQL Injections on your code.

I hope it helped. Cheers

Answer 3

Your forgot to run your query. See mysql_query() .

Answer 4

firstly connect to the database then execute the query using mysql_query($query);

$result = mysql_query($query);
if (mysql_num_rows($result) > 0) {
} else {
}