Why won't my SELECT * FROM work?

Question

Here is the code for my entire index page, which includes a register and a login. For some reason, the register part works fine, and it is inserting correctly. Yet, the login part is not working, as whenever I call the $queryrun(mysql_query($query)) on the SELECT * FROM, it does not work.

<?php

require('includes/dbconnect.php');

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$password = md5($password);

$logemail = $_POST['logemail'];
$logpassword = $_POST['logpassword'];
$logpassword = md5($logpassword);

// Register Script

if (isset($firstname) && !empty($firstname) && !empty($lastname) && !empty($email) &&   !empty($password)) {
$query = "INSERT INTO users VALUES('', '$firstname', '$lastname', '$email', '', 'm',   '9', '$password', 'bio'";
  $queryrun = mysql_query($query);  
} else {
echo 'Please fill out all of the form fields';
}

// Login Script

if (!empty($logemail) && !empty($logpassword)){
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";


$queryrun = mysql_query($query);

while ($row = mysql_fetch_assoc($queryrun)) {
    $logemail = $row['logemail'];

}
echo $logemail;
$numrows = mysql_num_rows($query);
if ($numrows > 0){
    echo 'User exists';
} else {
    echo 'User does not exist';
}

} else {

}

?>

<html>
<head>
<title></title>

</head>
<body>

<form action="index.php" method="POST">

Firstname: <input type="text" name="firstname" /><br />
Lastname: <input type="text" name="lastname" /><Br />
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Submit" />

</form>

<br /><hr />

<br />
Login:<br />
<form action="index.php" method="POST">
Email:<input type="text" name="logemail" /><br />
Password: <input type="password" name="logpassword" /><br />
<input type="submit" value="Log in" /><br />
</form>

</body>
</html>

The connection to the database is fine because the register part code works, it's just the login code is returning nothing and saying that the user does note exist, when the user actually does exist

[Please, don't use `mysql_*` functions in new code](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). **You are also wide open to [SQL injections](http://stackoverflow.com/q/60174)** — John Conde, Oct 22 '13 at 01:48
It is not good security practice to store your passwords in your database. Instead you should calculate a hash of the password and store the hash. — AllInOne, Oct 22 '13 at 01:49
are you meaning to use `$logemail` and `$logpassword` in your login query? — scrowler, Oct 22 '13 at 01:50
Do email addresses have to be unique? What happens if someone has an account and uses the same email address to create a second account? Will that account be created? If so what will happen when they try to login if they use the same password for both accounts and if they use different passwords for both accounts? — AllInOne, Oct 22 '13 at 02:02

AllInOne · Answer 1 · 2013-10-22T01:59:44.490

1

Your form field is $logemail while your mysql statement uses $email.

To get this working looks like you want:

$query = "SELECT * FROM users WHERE email = '$logemail' AND password = '$logpassword'";

But as John Conde mentions there are significant security issues.

edited Oct 22 '13 at 01:59

answered Oct 22 '13 at 01:52

AllInOne

1,450
2
14
32

score 1 · Answer 2 · answered Oct 22 '13 at 02:02

What version of PHP are you using? This extension is deprecated as of PHP 5.5.0, you really should be using mysqli or PDO.

also

if (!empty($logemail) && !empty($logpassword)){
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";

you are checking for $logemail and $logpassword but putting $email and $password in the query string... also use {} in your strings for php variables. it helps keep string concatenation from getting confusing and you can use associated arrays in the string

echo "This is my string and this is the number {$number}. this is the value in my array: {$arrayvar["something"]}.";

Why won't my SELECT * FROM work?

2 Answers2