-1

I have this code:

if($submit)
{
    $first=$_POST['first'];
    $password=$_POST['password'];
    $db = mysql_connect("localhost", "root","");
    mysql_select_db("learndb",$db);
    $sql = "select * from admin where username = '" . $first . "' and password = '". $password . "'";
    $result = mysql_query($sql);


    if($result>0)
{
    echo "LOGGED IN!!";
}
else
{
    echo "ERROR!!!";
}

and my html form is:

<form method="post" action="input-copy.php">
First name:<input type="Text" name="first" placeholder="ENTER YOUR NAME"><br>
password:<input type="password" name="password" placeholder="ENTER PASSWORD"><br>
<input type="submit" name="submit" value="Enter information"></form>

but whatever I enter into firstname and password it displays LOGGED IN!

Sanzeeb Aryal
  • 4,358
  • 3
  • 20
  • 43
  • 2
    use mysql_num_rows == 1 to check and use mysqli or pdo – Sugumar Venkatesan Jan 13 '16 at 07:12
  • @SugumarVenkatesan Since your comment will probably solve the issue, why don't you submit it as an answer? – Peter Jan 13 '16 at 07:14
  • dont use greater than 0 to check if it's returns more than one row than it's a security issue – Sugumar Venkatesan Jan 13 '16 at 07:17
  • 2
    You should not use this in production. Instead **fix that gaping SQL Injection you've left in there**. That will land you in a world of issues if this is a production site. – Darren Jan 13 '16 at 07:18
  • @peter posting it as a answer will take some time that's why I posted it as comment so that I can solve his problem quickly – Sugumar Venkatesan Jan 13 '16 at 07:20
  • Stop using mysql_* functions - they are deprecated. Switch to mysqli_* functions which are future safe and will offer you prepared statements to easily avoid sql injection attacks. – maxhb Jan 13 '16 at 07:22
  • 2
    @Darren indeed I always say this _I assume you don't want some 12 y/o kid who found a malicious SQL query on Google to ruin your whole database. Because that is what you are facing if you don't use prepared statements when handling user input._ Because there is no reason not to use prepared statements. There is none. It is the same as you don't post all of your passwords and usernames on Facebook. – BRoebie Jan 13 '16 at 09:18
  • 3
    "security is not a big deal for me" - then you are probably better off not asking for a password at all. – Fabian Schmengler Jan 13 '16 at 09:49
  • 1
    You're using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php) and are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) against. You're using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and should [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of passwords. – Quentin Jan 13 '16 at 10:22
  • @Quentin just wondering what the error is and i got it. – Sanzeeb Aryal Jan 13 '16 at 11:56

3 Answers3

4

mysql_query

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

Use mysql_num_rows()

Retrieves the number of rows from a result set.

$result = mysql_query($sql);
$row = mysql_num_rows($result);
if ($row > 0) {
    echo "LOGGED IN!!";
} else {
    echo "ERROR!!!";
}

Note

Mysql is depricated instead use mysqli or PDO

Don't store plain password into database use hashing technic

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/faq.passwords.php

To prevent from sql injection check How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Saty
  • 22,443
  • 7
  • 33
  • 51
2

Here your $result variable will store mysql_query return value, this will true if your mySQL query correct. Also this is the reason that your logic will logged in whatever the password or username is.

You need to check the result count using mysql_num_rows.

Try this:

$result = mysql_query($sql);
$num_rows = mysql_num_rows($result);//Check database table data exits...
if($num_rows == 1){
 //You stuff here
}

Warning

This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used.

AddWeb Solution Pvt Ltd
  • 21,025
  • 5
  • 26
  • 57
-1

Here is a simple login code that you can try

//login query
$sql="SELECT password FROM login WHERE user_name='$username'";
$result=mysqli_query($conn ,$sql);

// Mysql_num_row is counting table row
$count = mysqli_num_rows($result);

if($count == 1)
{
    // Associative array
    $row=mysqli_fetch_assoc($result);

    if ($password == $row["password"]) {
        $_SESSION['user'] = $username;
        echo "Loggedin";
        mysqli_free_result($result);
    }
    else
    {
        echo "Not a valid user";
    }
}
else
{
    $_SESSION["error_log"] = "No such user exist!";
    header("location:../index.php");
    die($_SESSION["error_log"]);
}
Chetan Naik
  • 151
  • 13