
Here is my code:

    $usersql = "Select fab2_type from feesys_admin where adminname ='$_POST[username]' and adminemail = '$_POST[password]'";
    $userresult = mysql_query($usersql) or die ("<h3>Error in query: $usersql. ".mysql_error()."</h3>");
    $num_rows = mysql_num_rows($userresult);
    if($num_rows > 0) {
        if($userresult['fab2_type']=='Partner'){
            // ...
        }
    }

When I run the SQL statement on the database through PHP Admin, it works fine. But it returns empty within the results here.

I checked to make sure the database connects fine. I checked all spelling. Number of rows returns correctly. No syntax errors. When I echo the username and password and the SQL statement, it's all correct.

This code used to work so I have no idea what's going wrong here.

  • Are your POST elements named? Add error reporting to the top of your file(s) right after your opening ` – Funk Forty Niner Sep 26 '14 at 15:54
  • Please, [don't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). *They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation)*. See the [red box](http://uk.php.net/manual/en/function.mysql-connect.php)? Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which. – Jay Blanchard Sep 26 '14 at 15:56
  • Please stop using the `mysql_*` API. Use `PDO` or `Mysqli` instead. And either escape those POST parameters or use `prepared statements`. Your current code is very open to `SQL injection`. – Jite Sep 26 '14 at 15:56
  • Um... I think the OP gets the message. Edit: Ah, one comment deleted. – Funk Forty Niner Sep 26 '14 at 15:57
  • I thought you were chasing espresso @Fred-ii- ;) – Jay Blanchard Sep 26 '14 at 15:59
  • Are you getting any errors @EKBlackwell? – Jay Blanchard Sep 26 '14 at 16:00
  • @JayBlanchard That isn't the only *sweet* thing I'm chasin' ;) – Funk Forty Niner Sep 26 '14 at 16:01
  • @JayBlanchard *Still smackin'?* – Funk Forty Niner Sep 26 '14 at 16:09
  • Nah, I'm good now @Fred-ii- – Jay Blanchard Sep 26 '14 at 16:12
  • No, Jay, I'm not getting any errors. Yes, Fred, my POST elements are named. I turned on error reporting and don't get any errors. The brace is only missing in the code snippet; the full code has the ending brace. If I change the SQL statements like you said to do, it still doesn't work. Neither does the password hash method. – EK Blackwell Sep 26 '14 at 17:16

1 Answer


It is because you have not quoted your $_POST array variables properly. You have $_POST[username] and $_POST[password]. It should be $_POST['username'] and $_POST['password']. This causes PHP to interpret username and password as constants.

Here is a different shot at your syntax -

    $usersql = "SELECT `fab2_type` FROM `feesys_admin` WHERE `adminname` ='".$_POST['username']."' AND `adminemail` = '".$_POST['password']."' ";

You could further shorten this by predefining (as Fred says below).

    $user = $_POST['username']; // please sanitize this
    $pass = $_POST['password']; // please sanitize this
    $usersql = "SELECT `fab2_type` FROM `feesys_admin` WHERE `adminname` ='".$user."' AND `adminemail` = '".$pass."' ";

You're very much at risk of SQL injection if you don't clean up user input.


Password related

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.

Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

Jay Blanchard
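As an added example (not code from the question or the answer above), here is the same login check rewritten the way the answer recommends: PDO prepared statements so the POST values never become part of the SQL text, and password_hash()/password_verify() so no plaintext password is stored or compared. The DSN, the database credentials, and a `password_hash` column in `feesys_admin` are assumptions made for the example (the original compares the submitted password against `adminemail`, so the column name would have to match your real schema). The row is fetched with fetch() before `fab2_type` is read, since a result set handle itself has no columns. Requires PHP 7.1+ for the nullable return type; the same pattern works with mysqli and bind_param().

```php
<?php
// Added example, not from the original post. Assumptions: DSN and credentials
// below, and a `password_hash` column holding password_hash() output.

function connectDb(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=feesys;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'dbuser', 'dbpass', [                   // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,  // throw on SQL errors instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                   // real server-side prepares, not client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Returns the admin's fab2_type on success, or null when the username is
 * unknown or the password does not match.
 */
function authenticateAdmin(PDO $pdo, string $username, string $password): ?string
{
    // The username travels as a bound parameter; a value like
    // "' OR '1'='1" is just a string that matches no admin.
    $stmt = $pdo->prepare(
        'SELECT fab2_type, password_hash FROM feesys_admin WHERE adminname = :name LIMIT 1'
    );
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(); // fetch the row before reading a column from it

    if ($row === false) {
        // Unknown user: still run one bcrypt verification so the response time
        // does not reveal whether the username exists.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy-password', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummyHash);
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['fab2_type'];
}

/**
 * Sets (or resets) an admin's password: only the bcrypt hash is written.
 */
function storeAdminPassword(PDO $pdo, string $username, string $newPassword): void
{
    $hash = password_hash($newPassword, PASSWORD_BCRYPT); // CRYPT_BLOWFISH, default cost 10
    $stmt = $pdo->prepare('UPDATE feesys_admin SET password_hash = :hash WHERE adminname = :name');
    $stmt->execute([':hash' => $hash, ':name' => $username]);
}

// Usage in the login handler: missing POST fields become empty strings rather than notices.
$pdo  = connectDb();
$type = authenticateAdmin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($type === 'Partner') {
    // partner-only branch goes here
}
```

Two things worth checking when adopting this: confirm that `PDO::ATTR_EMULATE_PREPARES` is off (otherwise PDO quotes client-side, which is still safe but depends on the connection charset being set in the DSN as above), and run storeAdminPassword() once for each existing admin so every stored value is a hash before the login check goes live.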