check username and password

Question

I want check if a username and password exist in my database or not, but my code have problem and I couldn't find it.

$result=mysql_query("SELECT C_ID FROM customer WHERE C_NNAME ='".$_POST['username']."' AND C_PASS = '".$_POST['pass']."'");

if($result=='FALSE'){
    $word .= select_key('keyword', 'K_ID', 'password');
}
else 
{
    $word.= select_key('keyword', 'K_ID', 'Please Complete Feilds');    
}

Please format you question to make it readable, and also please put some indication what is supposed to happen and what actually does happen? — Preet Sangha, Jun 08 '12 at 11:50
[Bobby tables](http://bobby-tables.com/) rides again; [don't use `mysql_query`](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php). — Quentin, Jun 08 '12 at 11:52
Stop using mysql_* function and start using PDO or mysqli (you are very vulnerable to sql injection (as Quentin mentions). Also don't you mean $_POST['username'] in stead of $post['username']? — Bono, Jun 08 '12 at 11:53
Don't store passwords in your database without [salting and hashing them](http://php.net/manual/en/faq.passwords.php) — Quentin, Jun 08 '12 at 11:54
http://stackoverflow.com/questions/8110360/mysql-query-acting-weird/8110428#8110428 — blockhead, Jun 08 '12 at 11:55
Why are your passwords saved in cleartext? Use a one way hash to encrypt them — nunespascal, Jun 08 '12 at 11:55

score 2 · Answer 1 · answered Jun 08 '12 at 11:52

2

Other than your SQL injections problems, you are using the superglobal array $_POST wrong (as you are naming it $post).

Try using the correct superglobal variable name - and Google for SQL injections.

answered Jun 08 '12 at 11:52

Repox

15,015
8
54
79

You don't know that for sure, although its likely the case, judging by the question, there _is_ a possibility that such a variable exists, and holds the same data as `$_POST` – blockhead Jun 08 '12 at 11:56
@blockhead You are absolutely right - I'm making this assumption based on the rest of his code. – Repox Jun 08 '12 at 11:57

score 1 · Answer 2 · answered Jun 08 '12 at 11:58

1

$name = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['pass']);
$result = mysql_query("SELECT C_ID FROM customer WHERE C_NNAME ='$name' AND C_PASS = '$password'");

if(mysql_num_rows($result) > 0) {
   // There's a match
} else {
   // There's no match
}

Also please don't use mysql_ functions use mysqli_ or stores procedures. The code is not secure against sql injection not a good idea to use this on a public website.

answered Jun 08 '12 at 11:58

Dave_Peachy

498
3
12

Using `mysqli` functions over `mysql` functions doesn't guarantee protection against SQL Injection attacks, as you can still write unsafe SQL using `mysqli`. Using prepared statements in the `mysqli` API is one of the means of protection. – user7116 Jun 08 '12 at 14:07
I didn't say anything about the mysqli_ functions been better at preventing sql injection. I said the above code is not safe. Prepared statements are the way to go to help prevent sql injection. – Dave_Peachy Jun 08 '12 at 17:11

score 0 · Answer 3 · edited Jun 08 '12 at 13:58

0

You need to use mysql_num_rows to find out if there was any results.

edited Jun 08 '12 at 13:58

Beau Grantham

3,435
5
33
43

answered Jun 08 '12 at 12:04

blockhead

9,655
3
43
69

check username and password

3 Answers3