Please help me display a message only if the entered password is wrong. When the entered username is wrong it shows "wrong username"; I want to do the same for the password: when it is wrong, it has to display "wrong password". Here is my code:

    if ( $pass===$dbpass && $id===$dbid ) {

        // Show the name stored for this id
        $show=mysql_query("SELECT `name` FROM `attestation` WHERE id='$id'");
        while ( $row=mysql_fetch_array($show)) {
            echo '<center><span style="font-size:50px;font-family:  HelveticaNeueLTW20;padding-top:50px;line-height:0.5em;color:red;text-shadow: 2px   2px 4px #000000;">'.$row['name'].'</span></center>';
            echo '<center><span style="font-size:20px;font-family:   HelveticaNeueLTW20;color:white;line-height:2.5em;">'.'- المعهد يتمنى لكم مسيرة   موفقة -'.'</span></center>';
        }

        // Show the images stored for this id, one table row per image
        $res=mysql_query("SELECT `images` FROM `attestation` WHERE id='$id'");
        echo "<table>";
        while ($row=mysql_fetch_array($res)) {
            echo "<tr>";
            echo '<td><img src="' . $row["images"] . '"></td>';
            echo "</tr>";
        }
        echo "</table>";
        $_SESSION['id']=$id;
    }
    else
        echo ('<span style="font-size:40px;color:red;font-family:f45;text-shadow: 2px 2px 4px white;">' . '<center dir="rtl" lang="ar">عذراً<br> لقد أَدخلت رقم هويتك خاطئاً...<br>المرجو المحاولة مجددا</center>' . '</span>');
    }

    if ( $pass!=$dbpass) {
        echo "grzegrzgzrg";
    }
    else
        die('<span style="color:red;font-size:40px;font-family:f45;text-shadow: 2px 2px 4px white;">' . '<center dir="rtl" lang="ar">عذراً<br> المعلومات المدرجة ليست مسجلة في قاعدة بيانات المعهد!!</center>' . '</span>');
    }
Mykola
  • 10
    Don't do this. If the login fails, just tell the user that the login has failed. Don't give an attacker more information than they already have. – David Jan 12 '16 at 14:14
  • 2
    You also should think about updating your driver and using parameterized queries. – chris85 Jan 12 '16 at 14:16
  • 3
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 12 '16 at 14:19
  • 5
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 12 '16 at 14:19
  • 2
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 12 '16 at 14:20
  • @JayBlanchard: You have those links for mysql, pdo and mysqli memorized by now? Hahaha :P – Chris G Jan 12 '16 at 14:22
  • 1
    I do @ChrisG ¯\\_(ツ)_/¯ – Jay Blanchard Jan 12 '16 at 14:25
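
The comments above recommend one generic failure message, parameterized queries and PHP's built-in password functions. The sketch below combines the three; it is an added example, not code from the question or from any commenter. The `password_hash` column, the sample row and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example, not the asker's code. The password_hash column and the
// sample row are assumptions; SQLite in memory stands in for MySQL.
const LOGIN_FAILED = 'Login failed: check your ID and password.';

function attempt_login(PDO $pdo, string $id, string $pass, string $dummyHash): ?array
{
    // Placeholder keeps $id out of the SQL text, so it cannot alter the query.
    $stmt = $pdo->prepare('SELECT id, name, password_hash FROM attestation WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the id is unknown, so both failure
    // paths do the same work and return the same result.
    $hash = $row ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($pass, $hash);

    return ($row && $ok) ? ['id' => $row['id'], 'name' => $row['name']] : null;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attestation (id TEXT PRIMARY KEY, name TEXT, password_hash TEXT)');
$pdo->prepare('INSERT INTO attestation VALUES (?, ?, ?)')
    ->execute(['1001', 'Sample Student', password_hash('correct horse', PASSWORD_DEFAULT)]);
$dummyHash = password_hash('unused-placeholder', PASSWORD_DEFAULT);

// Constructed attempts: valid, wrong password, unknown id, injection string.
$attempts = [
    ['1001', 'correct horse'],
    ['1001', 'wrong'],
    ['9999', 'correct horse'],
    ["' OR '1'='1", 'x'],
];
foreach ($attempts as [$id, $pass]) {
    $user = attempt_login($pdo, $id, $pass, $dummyHash);
    // Escape on output; the failure message is identical in every failing case.
    echo $user
        ? 'Welcome, ' . htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8') . PHP_EOL
        : LOGIN_FAILED . PHP_EOL;
}
```

The wrong-password, unknown-ID and injection-string attempts all produce the same message, so the response does not reveal which IDs exist.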
