PHP Variable with SQL Query is Blank

Question

I am creating a login for for my website and have hit a roadblock. Every time I run my PHP script to check if their password matches the one in the database for the email that they have entered, it returns that it hasn't. To check the issue, I made the page print the values being entered (username and password), and the real password value. The real password had done nothing but returned itself as blank. The following is the code I am using.

$loginEmail = $_POST['loginemail'];
$loginPassword = $_POST['loginpassword'];
$query = "SELECT password FROM user_information WHERE email = '$loginEmail'";
$realLoginPassword = mysql_query($query);

if($loginPassword == $realLoginPassword){
  echo 'Success in login with ' . $loginEmail . '! Password: ' . $realLoginPassword . '! You have entered: ' . $loginPassword . '!';
}else{
  echo 'Your email at ' . $loginEmail . ' or password is incorrect!';
  echo '<br>';
  echo "You've entered: " . $loginPassword . " and the real one is: " . $realLoginPassword . "!";
}

I have also tried:

$realLoginPassword = "SELECT password FROM user_information WHERE email = '$loginEmail'";

But it didn't work either and I had the same issue.

Am I using the wrong method, keying in my script wrong, or something else? Any feedback is appreciated!

Please, [don't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php), They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). You will also want to [Prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Jay Blanchard, Nov 18 '14 at 20:06
do you get proper results when you run the query directly in phpmyadmin? Also where is your MySQL connection defined? — Marshall Tigerus, Nov 18 '14 at 20:11
**DO NOT** create your own authentication system, especially not one like this that's so full of holes it's more of a web site hacking toolkit than a barrier to access. **DO** look at various [development frameworks](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) and find one that fits your needs and style. Most come with some kind of built-in [authentication system](http://laravel.com/docs/security) so you have no reason to write your own. — tadman, Nov 18 '14 at 20:12
Do yourself a favor and go to this link: http://daveismyname.com/login-and-registration-system-with-php-bp - and possibly your existing/future users. — Funk Forty Niner, Nov 18 '14 at 20:15
Using this, would I simply state `$realLoginPassword = $stmt` if I wanted to set `$realLoginPassword` to the found value? — saccre, Nov 18 '14 at 20:16
It works when I query it in, yes. And my connection is defined, for the login, just above the script I have included, I just didn't put it because it has the username and password. @MarshallTigerus — saccre, Nov 18 '14 at 20:19

DevDonkey · Accepted Answer · 2014-11-18T20:20:39.497

2

You've not extracted the result of the query. Try this

$loginEmail = $_POST['loginemail'];
$loginPassword = $_POST['loginpassword'];
$query = "SELECT password FROM user_information WHERE email = '$loginEmail'";
$result = mysql_query($query);  // alter this line
$checkPassword = mysql_fetch_array($result); // and this one

A better way to authenticate though would be to use a query that checks for both the email(or username) and the password as a match. If it returns a result then you know the user authenticated ok. Like this

$username = mysql_real_escape_string($_POST['email']); // this sanitizes the data
$password = mysql_real_escape_string($_POST['password']);
$query = "SELECT * FROM user_information WHERE email = '$email' AND password = '$password'";

Then extract and check for result. This is much more efficient and robust.

I've written this answer using mysql as you have used it. But as said in comments you MUST use at least mysqli with prepared statements, or PDO with prepared statements.

edited Nov 18 '14 at 20:20

answered Nov 18 '14 at 20:17

DevDonkey

4,835
2
27
41

Oops, so I did. Thanks. – DevDonkey Nov 18 '14 at 20:19
Cheers. Constructing good answers on an iPad is a paaaaaaaain. – DevDonkey Nov 18 '14 at 20:22
I can imagine. *Cheers* – Funk Forty Niner Nov 18 '14 at 20:23
How, with this, would I check if there was success in fetching the password and email? @MattHolbrook-Bull – saccre Nov 18 '14 at 20:35
The aim isn't to fetch them, it's to check if there's a record that exists which matches them both. Look up `mysqli_num_rows` – DevDonkey Nov 18 '14 at 20:38
So if I now key in `if(mysqli_num_rows($checkPassword))>0){echo 'True!';}` would it print true if the user has matched records? – saccre Nov 18 '14 at 20:43

score 0 · Answer 2 · answered Nov 18 '14 at 20:10

mysql_query() returns a statement HANDLE, not the value of the field(s) you requested in the query itself. You have to fetch a row of data, and get your value from that array/object:

$query = "SELECT password FROM user_information WHERE email = '$loginEmail'";
                 ^^^^^^^^
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
echo $row['password'];
           ^^^^^^^^

Note the highlighted bits. SELECT field maps to $row['field'].

However, you should STILL have gotten some output, e.g. "mysql statement handle" or something similar with your code, which indicates that the query failed and returned a boolean FALSE.

Try

$result = mysql_query($query) or die(mysql_error());
                             ^^^^^^^^^^^^^^^^^^^^^^

to see what blew up.

And note that you are vulnerable to sql injection attacks.

While technically helpful, the original code is so radioactively bad that fixing it is only making things worse. — tadman, Nov 18 '14 at 20:13

PHP Variable with SQL Query is Blank

2 Answers2