0

Okay I have been using mysql for use with my website however it has not been going well with some of the syntax. I've read up on it but I feel like I'm still doing it wrong... In the picture below, I have defined database variables and then tried to log into my database containing the columns of "ID" "Username" and "Password". I then define the username and password input, from my form, in the php and asked the database to compare... am I missing something? I feel like it's not comparing the data from the form with the data in the database. It works even if I type the password wrong..

//Name of File: LoginCheck.php <--Called with the Login.php (which has a form on it) 
//posts information to LoginCheck.php
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'blah');
define('DB_PASS', 'blah');
define('DB_NAME', 'Profiles');
$con = mysql_connect(DB_HOST, DB_USER, DB_PASS);
if(!$con){
    die('Could not connect. ' . '<br/>' . 'Error: ' . mysql_error());
}
$db_selected = mysql_select_db(DB_NAME, $con);
if(!$db_selected){
    die('Could not select database: ' . DB_NAME . '<br/>' . 'Error: ' . mysql_error());
}
//defines login variables from the form.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$login =  mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'", $con);
if(!$login){
    echo 'Error: ' . mysql_error();
    echo "Didn't log in. Not matching database intel.";
}else{
    echo "Logged in matching database intel.";
}
mysql_close($con);
?>
  • there are, sadly, a few well kept secrets about using a database. i suspect very few of us use 'mysqli' and 'pdo', in the 'raw', unless we have to. i currently use 'redbeanphp'. But i have used various other 'database abstraction layers' over the years. Just for an easier experience, but still close to the database engine, see 'adodb'. been around a long while. – Ryan Vincent Apr 17 '14 at 18:27

2 Answers

3

mysql_query() just returns a resource. You can then use that resource to get that data or more information about the query.

You can use mysql_num_rows() to see if your query was successful:

if(!mysql_num_rows($login)){

FYI, you should not be storing passwords in plain text. That is a huge security no-no.

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

John Conde
  • @TurnedTurquoise, google is your friend - learn to use the later stuff for 'informational and learning purposes'. try: 'php not password as plain text'. Also: 'php pdo tutorial'. – Ryan Vincent Apr 11 '14 at 02:21
  • @RyanVincent Yes, I've learned all of my coding from the internet... I'm not even in college yet. I just figured I'd get better answers from other users' input. I believe in collaboration rather than searching endlessly for articles or examples of others and then trying to implement my work into theirs. Learning comes better from changing my work and letting others help me understand, for me that is. I prefer user input on my work which is why I'm at stackoverflow instead of across the internet. (: – TurnedTurquoise Apr 11 '14 at 02:58
  • @TurnedTurquoise, then why, given your reply about better answers, are you using 'mysql_*' rather than later technologies? Not sure that your approach is leading to better quality for you. Glad you are enjoying it though. Having fun is really important. – Ryan Vincent Apr 11 '14 at 03:15
  • @RyanVincent I used it because at the time, I was not aware of PDO and mysql is easier atm than PDO – TurnedTurquoise Apr 17 '14 at 17:00
2

It should be:

$login =  mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'", $con);
if(!$login){
    echo 'Error: ' . mysql_error();
} elseif (mysql_num_rows($login) == 0) {
    echo "Didn't log in. Not matching database intel.";
}else{
    echo "Logged in matching database intel.";
}

Not finding a match is not the same as an error.

Barmar
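
The advice from both answers combined, as an added example that is not part of the original posts: a PDO prepared statement looks the user up, a missing row is treated as "no match" rather than as an error, and the password is checked with password_verify() against a password_hash() digest instead of being compared as plain text. The in-memory SQLite DSN, the checkLogin() helper, the DUMMY_HASH constant and the sample users are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: an in-memory SQLite database stands in for the MySQL "Profiles"
// database so the script runs offline; for MySQL only the DSN/credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // real SQL errors throw

// Constructed sample data: same columns as the question, but the Password
// column stores a password_hash() digest, never the plain-text password.
$pdo->exec('CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');
$insert = $pdo->prepare('INSERT INTO Users (Username, Password) VALUES (:u, :p)');
$insert->execute([':u' => 'alice',   ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute([':u' => "o'brien", ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);

// Digest verified when the username is unknown, so both failure paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/**
 * Returns true only when the user exists AND the password matches its hash.
 * A query that runs but finds no row is "no match", not a database error.
 */
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps form input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT Password FROM Users WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();            // false when no row matched

    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed login attempts: right password, wrong password, unknown user,
// and a username containing a quote (handled as data by the placeholder).
$attempts = [
    ['alice',   'correct horse'],
    ['alice',   'wrong'],
    ['bob',     'anything'],
    ["o'brien", 's3cret'],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-8s %-14s => %s\n", $user, $pass, checkLogin($pdo, $user, $pass) ? 'logged in' : 'rejected');
}
```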