I am trying to make a login form using mysqli method.I am not getting any error but in both case (Correct or Incorrect Authentication) I am getting the second part of the IF condition result! "You are not allowed!."
<?php
include_once('db.php');
$eMail = mysql_real_escape_string($_POST["eMail"]);
$passWord = mysql_real_escape_string($_POST["psword"]);
$query = "SELECT count(*) FROM users WHERE (email='$eMail' AND pass='$passWord')";
if( $query > 0 ) {
echo "You are allowed.";
}
else{
echo "You are not allowed!.";
}
$mysqli->close();
?>
I also changed to if condition to following
if( $mysqli->query > 0 ){}
I have a table called users and two columns(email, pass) containing users Email and Password.Now can you please let me know what I am doing wrong? Thanks
For some reason you are using mysql and mysqli functions. This should be updated. This is also off the assumption that your variable $mysqli
contains a valid mysqli database connection:
<?php
include_once('db.php');
$eMail = mysqli_real_escape_string($mysqli,$_POST["eMail"]);
$passWord = mysqli_real_escape_string($mysqli,$_POST["psword"]);
$query = $mysqli->query("SELECT count(*) FROM users WHERE (email='$eMail' AND pass='$passWord') LIMIT 1");
if( $mysqli->num_rows($query) > 0 ) {
echo "You are allowed.";
}else{
echo "You are not allowed!.";
}
mysqli_free_result($query);
$mysqli->close();?>
The use of the mysql_* extensions has been discouraged in favor of mysqli
and/or pdo
functions.
Your code is failing because there's no calling of the mysql_query
function, so in this line of your code:
$query > 0
All you are doing is verifying if your String is greater than 0 and that's why you are always getting a false result.
I've made an adaptation from my object oriented login method to a (most of) procedural one.
Look below for a different approach on handling user input by binding parameters to a prepared statement:
function login($email, $password, $mysqli){
if($login_stmt = $mysqli->prepare("SELECT Pass,Salt from Users WHERE Email = ? LIMIT 1")){
$login_stmt->bind_param('s',$email);
//The line above prevents SQL Injection
$login_stmt->execute();
$login_stmt->store_result();
$rows = $login_stmt->num_rows;
$login_stmt->bind_result($db_pass,$salt); //Stores the result in the $db_pass and $salt variables
$login_stmt->fetch();
$password = hash('sha512',$password.$salt); //This is a method I'm using to encrypt using sha512 encription
if($rows==1){//The user exists
if($db_pass==$password){
//User logged in, do your stuff here
return true;
} else {
//password not correct
return false;
}
} else{
return false; //no user
}
} else {
//Prepared statement failed
return false;
}
}
The main difference here is how the prepared statement alongside with bind_param
will prevent SQL Injections on your code.
I hope it helped. Cheers
Your forgot to run your query. See mysql_query()
.
firstly connect to the database then execute the query using mysql_query($query);
$result = mysql_query($query);
if (mysql_num_rows($result) > 0) {
} else {
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.