
I have a login form that works like this: if the user's email, password and 2 pics are correct, then echo "logged in". The problem is that my email matches and my password matches, but how can I match the images with a single [select html tag]? Here is my HTML form:

<select name="image" multiple="multiple">
  <?php 
  for($i=0;$i<5;$i++)
   echo"<option  data-img-src=\"$pic[$i]\" value=\"$pic[$i]\" ></option>";
    ?>
  </select>

And the MySQL query is here:

$mysql=mysql_query("SELECT * FROM `table` WHERE `email`='$email' AND `password`='$pass' AND `image1`='$image' AND `image2`='$image'") or die(mysql_error());

if(mysql_num_rows($mysql) ==1){
    $_SESSION['user']= $email;
    header("location: home.php");               
    } else {
    echo "error";
    session_destroy();
}

If both images match, then he is successfully logged in, otherwise not.

Isaac Bennetch
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 07 '16 at 15:40
  • 1
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 07 '16 at 15:41
  • 1
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 07 '16 at 15:41
  • How can I match the image? – Stack Overflow Jan 07 '16 at 15:44
  • $mysql=mysql_query("SELECT * FROM `table` WHERE `email`='$email' AND `password`='$pass' AND `image1`='$image' AND `image2`='$image'") or die(mysql_error()); this is very bad for `SQL Injection` – rdn87 Jan 07 '16 at 15:45
  • 1
    I saw one of these logins the other day, very sexy. But I would bet they are not comparing images, they are comparing an id of some sort, because they know which images match the question and all that is actually passed back to the server script is the id of each image you clicked – RiggsFolly Jan 07 '16 at 15:46
  • @rnd87 _this is very bad for SQL Injection_ It's a bit of a challenge for MySQL as well. I don't know of a way of using an image in a select query. It's also already been mentioned much better by JayBlanchard – RiggsFolly Jan 07 '16 at 15:48
  • 1
    This answer may support my earlier supposition http://stackoverflow.com/questions/26962940/how-to-compare-an-input-image-from-user-with-a-stored-image-on-the-database-in-c with a bit of a twist – RiggsFolly Jan 07 '16 at 15:49
  • I know, dear rdn87, I will fix my security later, but first I need a solution: how can I match my two columns with a single HTML select's post data – Stack Overflow Jan 07 '16 at 15:49

2 Answers

1

The idea would be that each 'image' is tied to an ID in your code and/or database. When a person selects an image they're actually selecting the ID which that image represents.

Users, setting up their profile, go through a similar process, selecting an image (which saves the image's ID in their user row).

When it comes to logging in, it's just a simple case of comparing the ID of the image selected to the ID stored in the user's row.

This is the BASIC premise, and doesn't cover the security aspect of this feature.

I also see that your HTML supports the user being able to select multiple images (though you only use/reference up to two in your SQL query). The implementation for that doesn't change much compared to selecting a single image, so this answer still applies.

Sean
1

(Please excuse my terminology) As Sean's answer suggests, every image should be tied with an id.

During registration, before inserting the values into the database, you can generate a random number, rename the image to that generated number and add that number to the database. The file structure would be something like this:

users/images/random_id.jpeg

How I would go about doing the login process is:

On change of input, I would perform an AJAX request to fetch the unique id associated with the user's email or username, and the image associated with that id and four other random images.

Then the rest is simple, the user would select an image. We'd of course be matching its unique identifier to the identifier that exists in the database.

If it's a match, log in.

This is just the logical approach.

Unless this is a learning exercise, switch to prepared statements.

Haider Ali
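The ID comparison both answers describe, combined with the prepared statement and password hashing the comments ask for, as an added example that is not code from the question or from either answer. The `users` table, its column names, the sample account and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. The users table and its columns are hypothetical, and SQLite
// in memory stands in for MySQL so the script runs offline. The form field must
// be named "image[]" (with multiple) so PHP receives an array of option values,
// and each option's value is the image ID, not the file path.

function check_login(PDO $db, string $email, string $password, $imageIds): bool
{
    // Expect exactly two numeric strings from the multi-select.
    if (!is_array($imageIds) || count($imageIds) !== 2) {
        return false;
    }
    $isId = fn($v) => is_string($v) && ctype_digit($v);
    $picked = array_unique(array_map('intval', array_filter($imageIds, $isId)));
    if (count($picked) !== 2) {
        return false;
    }
    // Bound parameter: the e-mail never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT password_hash, image1_id, image2_id FROM users WHERE email = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Compare as sorted ID pairs so the order of selection does not matter.
    $stored = [(int) $row['image1_id'], (int) $row['image2_id']];
    sort($stored);
    sort($picked);
    return $picked === $stored;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT,
           image1_id INTEGER, image2_id INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)')->execute(
    ['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 17, 23]
);

// Constructed inputs, shaped like $_POST['image'] after the form is submitted.
$ok = 'correct horse';
var_dump(check_login($db, 'alice@example.com', $ok, ['23', '17'])); // other order
var_dump(check_login($db, 'alice@example.com', $ok, ['17', '42'])); // one wrong image
var_dump(check_login($db, "x' OR '1'='1", $ok, ['17', '23']));      // injection string as e-mail
```

In the real login handler, call `session_regenerate_id(true)` before setting `$_SESSION['user']`, and `exit` after the `header()` redirect.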