
So I'm having an issue with an "admin login" that I've been trying to make work. If you guys can check out my code to see what's going on, it would be very helpful. All of the names match what's in MySQL. The error keeps coming up saying I don't have the correct username/password... but I do!

<?php

if (isset($_POST['login'])){

    $con = mysql_connect("localhost", "dxhxxx", "tcqxxx");
    if (!$con){
        die("Cannot connect:" . mysql_error());
    }

    mysql_select_db("dxh6110",$con);

    $userName = $_POST['username'];
    $passWord = $_POST['password'];

    $sql = "select * from Churchadmin where username='$userName' AND password='$passWord'";
    mysql_query($sql,$con);

    if(mysqli_num_rows($run)>0){
        $_SESSION['username']=$userName;
        $_SESSION['password']=$passWord;
        //if all information is good you will go to the next page
        echo "<script>window.open('view_prayers.php','_self')</script>";
    }
    //if password or username is wrong this will give them an alert
    else{
        echo "<script>alert('Admin details are incorrect!')</script>";
    }

}

mysql_close($con);

?>
– DLH

1 Answer

Firstly, you're mixing MySQL libraries with mysqli_num_rows; use mysql_num_rows.

  • Those different MySQL functions do not intermix with each other.

You also need to start the session if you haven't already.

Make sure also that your form elements contain name attributes.

I.e.: <input type="text" name="username"> etc.

Then this line:

mysql_query($sql,$con);

if(mysqli_num_rows($run)>0){

that should read as

$run = mysql_query($sql,$con);

if(mysql_num_rows($run)>0){
  • There is no $run variable defined for it.

  • Error reporting would have thrown you an Undefined variable run... notice.

You may also change

$run = mysql_query($sql,$con);

to

$run = mysql_query($sql,$con) or die(mysql_error($con));
  • In order to see if your query failed.

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements; they're much safer.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never production.

– Funk Forty Niner
  • Okay, so I will make those changes for sql/sqli. Name attributes are correct, I was just about to edit my post to input my form. Oh, and totally forgot about starting the session. – DLH Apr 28 '15 at 15:10
  • @DLH I've made a few edits. You may want to reload my answer. – Funk Forty Niner Apr 28 '15 at 15:11
  • @DLH You're welcome. There are examples in the links I've given you and the web has many out there ;-) so, problem solved? Edit: you deleted your comment. – Funk Forty Niner Apr 28 '15 at 15:12
  • I've never quite understood SQL injection and what it does, or even how it looks. But I'm sure I can do some research and look it up. Do I need to change my sqli's to sql? Like: if(mysqli_num_rows($run)>0) to if(mysql_num_rows($run)>0)? – DLH Apr 28 '15 at 15:15
  • @DLH as outlined in my answer, yes `if(mysql_num_rows($run)>0)` and not `if(mysqli_num_rows($run)>0)` - `mysqli_` and `mysql_` functions do not mix together. Go over my answer again and reload the page. – Funk Forty Niner Apr 28 '15 at 15:17
  • @DLH silly me, I made a typo also lol I fixed it for the `mysql_num_rows`. Sorry about that. – Funk Forty Niner Apr 28 '15 at 15:20
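The following is an added example, not code from the question, the answer or the comments. It shows two things the thread talks about but never demonstrates: what the SQL injection DLH asks about actually looks like against the string-built query in the question, and the hardened login the answer recommends (a PDO prepared statement, password_hash()/password_verify() instead of plain-text passwords, and a session that stores the username only). To run without a MySQL server it uses an in-memory SQLite database through PDO; the MySQL DSN in the comment, the seeded account, the dummy hash and the attacker input are all assumptions made for the demonstration. Table and column names follow the question.

```php
<?php
// Added example; not code from the question or the answer.
// Assumptions: PHP >= 5.5 with the pdo_sqlite extension; an in-memory SQLite
// database stands in for the MySQL database "dxh6110" (for MySQL swap the DSN
// for 'mysql:host=localhost;dbname=dxh6110;charset=utf8mb4' and pass the real
// user and password to the PDO constructor). The seeded account and the
// attacker input below are constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw instead of failing silently
$pdo->exec('CREATE TABLE Churchadmin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Seed one admin. Only a bcrypt hash is stored (PASSWORD_DEFAULT), never the
// plain-text password the question's schema keeps.
$seed = $pdo->prepare('INSERT INTO Churchadmin (username, password) VALUES (:u, :p)');
$seed->execute([':u' => 'admin', ':p' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Hash verified when the username does not exist, so a lookup for an unknown
// user takes as long as one for a real user (no user enumeration by timing).
define('DUMMY_HASH', password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT));

// 1. The query from the question, built by string interpolation.
//    Whatever the browser sends becomes part of the SQL text.
function unsafeLogin(PDO $pdo, $userName, $passWord)
{
    $sql = "select * from Churchadmin where username='$userName' AND password='$passWord'";
    echo "SQL actually executed: $sql\n";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The same check with a prepared statement and password_verify().
//    The placeholder is bound as data, so the input cannot change the shape
//    of the query, and the password itself never reaches the database.
function safeLogin(PDO $pdo, $userName, $passWord)
{
    $stmt = $pdo->prepare('SELECT username, password FROM Churchadmin WHERE username = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = ($row !== false) ? $row['password'] : DUMMY_HASH;
    $ok = password_verify($passWord, $stored);   // constant-time compare inside
    if ($row === false || !$ok) {
        return false;   // unknown user and wrong password give the same answer
    }
    return $row['username'];
}

// 3. What the POST handler from the question should do once the user is
//    verified: start the session, rotate its id, and store the username only.
//    It runs only when the form was submitted, so the file also works from the CLI.
function handleLoginRequest(PDO $pdo)
{
    $user = safeLogin($pdo, $_POST['username'], $_POST['password']);
    if ($user === false) {
        echo "<script>alert('Admin details are incorrect!')</script>";
        return;
    }
    session_start();
    session_regenerate_id(true);       // new id on login prevents session fixation
    $_SESSION['username'] = $user;     // never put the password in the session
    header('Location: view_prayers.php');
    exit;
}

if (isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    handleLoginRequest($pdo);
}

// Demonstration with a constructed attacker value in the password field.
// Interpolated, the WHERE clause becomes
//   username='anybody' AND password='' OR '1'='1'
// which is true for every row; the prepared statement treats the same bytes
// as a literal password and rejects them.
$payload = "' OR '1'='1";
echo count(unsafeLogin($pdo, 'anybody', $payload)), " row(s) returned to the attacker\n";
var_dump(safeLogin($pdo, 'anybody', $payload));
var_dump(safeLogin($pdo, 'admin', 'wrong password'));
var_dump(safeLogin($pdo, 'admin', 'correct horse battery'));
```

Run it from the command line with `php login_example.php`: the interpolated query hands the attacker the admin row without any valid credentials, while the prepared-statement version returns false for the payload and for a wrong password and returns the username only for the real one. Dropping the password from `$_SESSION` matters on its own: the original stored the plain-text password in the session, so anything that can read session data (or a session-file backup) recovers it.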