PHP Not running on submit

Question

I am making a login system, and I have used similar code to this on other sites, but it just doesn't seem to be submitting for me? No errors, the page just stays exactly the same. Anyone got any ideas

<?php

    if(isset($_POST['submit'])){

    $user = $_POST["user"];
    $raw = $_POST["password"]; 
    $hash = md5($raw);


    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
}


        $con=mysqli_connect("localhost","bans","(My Password Here)","bans");
if (mysqli_connect_errno()) {
  echo "Error ";

}

    $check = mysqli_query("$con, SELECT hash FROM panel WHERE user = '$user'");

    if ($hash == $check) {
      $insert = mysqli_query("$con, INSERT INTO panel (online, ip)
      VALUES ('1', '$ip')");

  } else {

    echo '<div class="alert alert-danger">You are not staff/have entered incorrect information!</div>';

  }
}

?>

One thing is that you have accidentally put your `$con` inside of the SQL-queries, they should be the first parameter of the query. Or be called in this manner `$con->query("SELECT hash FROM panel WHERE user = '$user'");`, and you should look up parameterizing your queries, to prevent SQL-injections. — NoLifeKing, May 29 '14 at 11:50
Not to answer your question, but what if someone entered something like `1' OR '1'='1`. SQL Injection - http://xkcd.com/327/ — Nick R, May 29 '14 at 11:55
I also need to look into SQL injections. As you can more than likely tell, I am pretty new to PHP — user3633169, May 29 '14 at 11:55

score 0 · Answer 1 · answered May 29 '14 at 11:52

0

if(isset($_POST['submit'])) Maybe it was a button that you dont have now. Try if(isset($_POST["user"])) :)

answered May 29 '14 at 11:52

miguel-svq

2,136
9
11

score -1 · Answer 2 · edited May 23 '17 at 12:20

-1

Your

$check = mysqli_query("$con, SELECT hash FROM panel WHERE user = '$user'");

should be more like

$check = mysqli_query($con, "SELECT hash FROM panel WHERE user = '$user'");

BTW you're wide open into SQL injection

edited May 23 '17 at 12:20

Community

1
1

answered May 29 '14 at 11:49

Bartek

1,349
7
13

$con if inserted in quotes will become a string. Use it without quotes. – Vikas Arora May 29 '14 at 11:52

PHP Not running on submit

2 Answers2