
I am trying to pass a parameter to a PHP function, but nothing is happening. I mean the code does not pass the parameter in index.php to newPHPClass.php. Also, is it possible to call a function in the form action? Here is my code.

index.php

  <?php include '../con_db/connect.php'; ?>
    <?php include '../class/newPHPClass.php'; ?>

<form action="index.php" method="post">
        <label>Username:</label><input type="text" name="username"/><br/>
        <label>Password:</label><input type="text" name="password"/><br/>
        <input type="submit" value="Submit" name="submit"/>
    </form>

    <?php
    if (isset($_POST['submit'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $check = new newPHPClass();
        $check->checkLogin($username, $password);
    }
    ?>

and the class

include '../con_db/connect.php';

class newPHPClass {

    public function checkLogin($username, $password) {
        $select = mysql_query('SELECT * FROM users WHERE username = "' . $username . '" AND password = "' . $password . '"');
        if (count($select) > 0) {
            echo "true";
            return true; 
        } else {
            echo "false";
            return false;   
        }
    }
Catherine

2 Answers


Your INSERT syntax is incorrect:

$select = mysql_query("INSERT FROM users (username, password)
                          VALUES ('$username', '$password')"); 

Your current query is vulnerable to SQL injection; please take time to read the article below:

Best way to prevent SQL injection in PHP?

UPDATE 1

$sql = "SELECT COUNT(*) totalCount 
        FROM users
        WHERE username = '$username' AND password = '$password'";
$result = mysql_query($sql, $link) or die(mysql_error());
$row = mysql_fetch_assoc($result);
if($row["totalCount"] > 0)
{
    echo "true";
    return true; 
} 
else 
{
     echo "false";
     return false;   
}
John Woo
  • Sorry, my bad. It should be SELECT, because when a user logs in, it will check whether the user and password exist in the database. – Catherine Oct 09 '12 at 03:22
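
The parameterized query that the SQL injection warning above points to, as an added example that is not part of the question or of either answer. It ports the login check to PDO with an in-memory SQLite table (an assumption; the page uses the `mysql_*` functions), the row is constructed, and `makeDb`, `checkLoginConcat` and `checkLoginPrepared` are hypothetical names.

```php
<?php
// Added example. Assumes the pdo_sqlite extension is available.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
    // Constructed sample row; the plaintext password column mirrors the page's schema.
    $pdo->exec("INSERT INTO users VALUES ('catherine', 's3cret')");
    return $pdo;
}

// The page's pattern: user input is spliced into the SQL text, so a quote
// character in the input ends the string literal and the rest is parsed as SQL.
function checkLoginConcat(PDO $pdo, string $username, string $password): bool {
    $sql = "SELECT COUNT(*) FROM users
            WHERE username = '$username' AND password = '$password'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened form: the SQL text is fixed and the values are bound to
// placeholders, so they are only ever compared as data.
function checkLoginPrepared(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return (int) $stmt->fetchColumn() === 1;
}

$pdo = makeDb();
$crafted = "' OR '1'='1"; // constructed input containing quote characters

foreach (['s3cret', $crafted] as $password) {
    printf(
        "password=%-14s concat=%s prepared=%s\n",
        $password,
        var_export(checkLoginConcat($pdo, 'catherine', $password), true),
        var_export(checkLoginPrepared($pdo, 'catherine', $password), true)
    );
}
```

The same placeholder pattern works with PDO's MySQL driver.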

The syntax in the class is completely messed up. First off, why are you calling INSERT to check a login? Second, it's INSERT INTO, even if it were an INSERT you needed here, which it isn't.

$select = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
// mysql_query() returns a result resource, so count rows with mysql_num_rows()
if (mysql_num_rows($select) == 1) {
        echo "true";
        return true;
    } else {
        echo "false";
        return false;
    }
}

Never check for > 0 on logins; you only EVER want one row returned. Also, putting the query inside " instead of ' means that it can read the variables without concatenating the query the way you did it.

Rick Calder