
I am attempting to check that myusername and mypassword are in the database and if they are print the results. I cannot get the results to be returned and displayed if they match what is in the database, can someone assist please?

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

//echo $myusername;
//echo $mypassword;

$stmt  = $db->prepare('SELECT * FROM ADMIN_LOGIN WHERE USERNAME = $myusername AND PASSWORD = $mypassword');
//var_dump($stmt->readOnly()); // -> true
    You are vulnerable to [sql injection attacks](http://bobby-tables.com), which is especially bad since you're already using prepared statements. – Marc B May 22 '14 at 22:02
  • That is what i am trying to avoid (sql injection attacks), how would you advise i make this code sql injection proof ? – user3657758 May 22 '14 at 22:11
  • For this, I'd just go to php.net/pdo and click on `prepare` - there will be an example in there. The PHP manual is very good for beginners (if sometimes overly detailed) - just put in `php.net/thing` and it will search for you. – halfer May 22 '14 at 22:19
  • I'm assuming you are using PDO, so I've retagged the question. Please edit it if you are using a different engine. – halfer May 22 '14 at 22:25
  • This question appears to be off-topic because the answer is in the [documentation](http://au1.php.net/manual/en/pdo.prepare.php). – Marty May 22 '14 at 23:04
  • http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Marc B May 23 '14 at 14:11

1 Answer


You're not using prepared statements correctly. Prepared statements work by sending the server first what the query will be, then sending the parameters. That way the server can't be exploited, as the query structure "phase" will already have been completed.

// Placeholders (?) stand in for the values; the query text never contains user input.
$sql = "SELECT * FROM ADMIN_LOGIN WHERE USERNAME = ? AND PASSWORD = ? LIMIT 1";
// $dbh is the PDO connection (called $db in the question).
$sth = $dbh->prepare($sql);
// The values are bound at execute time, in the order of the placeholders.
$sth->execute(array($_POST['myusername'], $_POST['mypassword']));
// fetch() returns the matching row as an array, or false when there is no match.
$res = $sth->fetch();
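The following is an added, self-contained example that is not part of the question or the answer above. It runs the same placeholder-based lookup end to end against an in-memory SQLite database (the PDO calls are identical for MySQL), and it goes one step beyond the answer: the PASSWORD column holds a `password_hash()` digest rather than the plaintext, so only the username is matched in SQL and the password is checked in PHP with `password_verify()`. The table and column names follow the question; the seeded account, the `checkLogin()` function and the constructed inputs that stand in for `$_POST['myusername']` / `$_POST['mypassword']` are assumptions of this example.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes: PDO with the SQLite driver; table/column names from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE ADMIN_LOGIN (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL)');

// Seed one account (constructed test data). Store a hash, never the plaintext.
$seed = $db->prepare('INSERT INTO ADMIN_LOGIN (USERNAME, PASSWORD) VALUES (?, ?)');
$seed->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns true only if the username exists and the password matches its stored hash.
 * The username is bound as a parameter, so it can never alter the query structure.
 */
function checkLogin(PDO $db, string $username, string $password): bool
{
    // Only the username is matched in SQL; the password is verified in PHP.
    $stmt = $db->prepare('SELECT PASSWORD FROM ADMIN_LOGIN WHERE USERNAME = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    return password_verify($password, $row['PASSWORD']);
}

// Constructed inputs standing in for $_POST['myusername'] and $_POST['mypassword'].
var_dump(checkLogin($db, 'admin', 'correct horse'));       // bool(true)
var_dump(checkLogin($db, 'admin', 'wrong password'));      // bool(false)
// The classic injection string is bound as a literal username, so it matches nothing.
var_dump(checkLogin($db, "admin' OR '1'='1", 'anything')); // bool(false)
```

On a MySQL connection, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the driver uses real server-side prepared statements rather than client-side escaping; the placeholder syntax and the `execute()` call stay the same.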