-4

I've got a simple contact form which posts two variables to PHP, which I then insert into a database like so.

<?php
    $username = $_POST["username"];
    $password = $_POST["password"];
    $db->query("INSERT INTO users (username,password) VALUES ('$username', '$password')");
?>

I've now created login.php, where I would like the user to be able to log in using the information stored in the database. I'm not worried about security or anything, I'm just trying to ease myself into this. What would be the simplest way to allow the user to log in using their username and password?

  • it's already the simplest way with username & password.. – lakshman May 01 '15 at 11:15
  • Yes, I have a form where the user can enter their username and password. I'm just unsure how to compare what the user enters to what is actually in the database. – Adam Murphy May 01 '15 at 11:17
  • Do yourself a favor and start off on the right foot. See ircmaxell's answer http://stackoverflow.com/a/29778421/ where he uses PDO with prepared statements and `password_hash()`. – Funk Forty Niner May 01 '15 at 11:30
  • [You need to prevent SQL Injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard May 01 '15 at 11:45

2 Answers

0

Assuming you don't want any security, I would do something like this:

$db->query("SELECT * from `users` where username = :username AND password = :password");

Replace the username and password with the user input.

WARNING: Don't use this in a production environment. It's vulnerable to SQL injection.

Then you execute the query and check the query row count. If it equals 1, it means there is a user with that username and password. If it equals 0, it means it's not found. You can then display errors or whatever.

Something like this in pseudo-code:

if(rowCount == 1) {
   // log the user in
}

// Invalid credentials. Print some errors.

If you want security, use PDO or mysqli functions, because mysql_* functions are deprecated and no longer maintained. Also consider hashing your passwords by using the password_hash API.

Akar
  • this will fail. variables being strings need to be quoted. – Funk Forty Niner May 01 '15 at 11:22
  • @Fred-ii- I just gave the OP an idea on how to query the database. I also added a warning about the SQL vulnerability. – Akar May 01 '15 at 11:26
  • sure, I'll agree but variables need to be quoted. By showing them what you have now, they will think that not doing that is ok and would be sending them the wrong message ;-) – Funk Forty Niner May 01 '15 at 11:28
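
Following the advice in the comments and at the end of the first answer (PDO with prepared statements and `password_hash()`), here is an added example, not code from any poster on this page, of registration and login against the question's `users (username, password)` table. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database and a constructed sample account so it runs stand-alone; the function names `register` and `login` and the `DUMMY_HASH` constant are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed setup: in-memory SQLite with the question's users(username, password) table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hash verified when the username is unknown, so both failure paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Hypothetical helper: store a salted hash, never the plain password.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $stmt->execute([
        ':username' => $username,
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Hypothetical helper: true only when the user exists and the password matches its hash.
function login(PDO $db, string $username, string $password): bool
{
    // The input is bound as a parameter, so it is treated as data, not as SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // In login.php, on true: session_regenerate_id(true); $_SESSION['username'] = $username;
    return password_verify($password, (string) $hash);
}

register($db, 'alice', 'correct horse battery staple'); // constructed sample account

$attempts = [
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ['nobody', 'anything'],
    ["alice' OR '1'='1", 'anything'], // quote characters stay inside the bound value
];
foreach ($attempts as [$user, $pass]) {
    printf("%-18s %s\n", $user, login($db, $user, $pass) ? 'accepted' : 'rejected');
}
```
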
0
error_reporting(0);
session_start();
include_once '../example.php';

/***************************** Step 2 ****************************/
if(isset($_REQUEST['admsubmit']))
{
    $result=executeQuery("select * from adminlogin where admname='".htmlspecialchars($_REQUEST['name'],ENT_QUOTES)."' and admpassword='".md5(htmlspecialchars($_REQUEST['password'],ENT_QUOTES))."'");

    // $result=mysqli_query("select * from adminlogin where admname='".htmlspecialchars($_REQUEST['name'])."' and admpassword='".md5(htmlspecialchars($_REQUEST['password']))."'");
    if(mysqli_num_rows($result)>0)
    {
        $r=mysqli_fetch_array($result);
        if(strcmp($r['admpassword'],md5(htmlspecialchars($_REQUEST['password'],ENT_QUOTES)))==0)
        {
            $_SESSION['admname']=htmlspecialchars_decode($r['admname'],ENT_QUOTES);

            header('Location: admwelcome.php');
        }
        else
        {
            echo "Check Your user name and Password.";
        }
    }
    else
    {
        echo "Check Your user name and Password.";
    }
    closedb();
}

Go through the above code. It's a simple example of a login check page with post redirection using a login credentials form.

lakshman
  • same thing here; OP isn't using `mysql_` functions. plus this `$_GLOBALS` is incorrect. and now a typo `mysqil` – Funk Forty Niner May 01 '15 at 11:23
  • Please see the edit; the code is given only as an example from an existing page – lakshman May 01 '15 at 11:25
  • `mysqil` typo and `$_GLOBALS` is still incorrect. See the superglobals page http://php.net/manual/en/language.variables.superglobals.php and `error_reporting(0);` means turn off. http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner May 01 '15 at 11:26