
I've got two php values called $email and $pass.

email - name of the column in the MySQL database
password - name of the column in the MySQL database

I'm running a sql query to select from table member where email = $email and password =$pass.

I'm then running mysqli_query to see if a row exists, but I'm not getting any results. Surely the echo would echo out the ID of the row where the info matches.

//Get the connection info. 
global $connect;

$sql = "SELECT FROM members WHERE email='$email' AND password='pass'";

//Fetch the row and store the ID of this row.
$row = mysqli_query($connect, $sql);
$id = $row['userID'];

echo $id;
Ryan
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 27 '16 at 14:47
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 27 '16 at 14:47
  • Your query isn't selecting anything. You have `SELECT FROM`. You need to select some columns eg `SELECT * FROM` – DiddleDot Apr 27 '16 at 14:57
  • And you're not inserting the variable `$pass` in your query; you're checking if password is equal to the string `'pass'`. But as both Jay and Bobby Tables say: use prepared statements! – M. Eriksson Apr 27 '16 at 15:06
  • Thank you for all of your tips i appreciate it, just trying to understand the basics of php at the moment. Will be adding security – Ryan Apr 27 '16 at 15:16

1 Answer


Besides the fact that this code is massively exposed to SQL injection, you are querying the data but not fetching the results.

Add the fetch call:

$data = mysqli_query($connect, $sql);
$row = mysqli_fetch_assoc($data);
$id = $row['userID'];
Matt
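The answer fixes the missing fetch, and the comments point out the other problems (string interpolation into SQL, the `'pass'` literal, plaintext passwords). The following is an added example, not code from the asker or the answerer, showing all of those fixes together in one mysqli login check: a prepared statement with a bound parameter, a fetch of the result row, and `password_verify()` against a `password_hash()` digest. It assumes the `members` table and the `userID`, `email` and `password` column names from the question, and it assumes (this is not stated on the page) that the `password` column stores a `password_hash()` digest rather than the raw password. `$connect` is the open mysqli connection the question already uses.

```php
<?php
// Added example, not the original poster's code.
// Assumes: table `members` with columns userID, email, password, where
// `password` holds a password_hash() digest (assumption, not from the page).

function findMemberId(mysqli $connect, string $email, string $pass): ?int
{
    // Look the row up by email only. The password is checked in PHP with
    // password_verify(), never compared inside the SQL text. The `?`
    // placeholder keeps $email out of the query string entirely, so there
    // is nothing for an injected quote to break out of.
    $sql  = 'SELECT userID, password FROM members WHERE email = ? LIMIT 1';
    $stmt = $connect->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connect->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();

    // execute()/mysqli_query() only run the query; the row still has to be
    // fetched before any column can be read (the bug the answer fixes).
    $result = $stmt->get_result();
    $row    = $result->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null; // no member with that email
    }
    // The raw password is passed through unmodified (no escaping or trimming),
    // exactly as it was at registration, otherwise the hash will never match.
    if (!password_verify($pass, $row['password'])) {
        return null; // wrong password
    }
    return (int) $row['userID'];
}

// Registration side, for contrast: store a hash, never the raw password.
function createMember(mysqli $connect, string $email, string $pass): int
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $connect->prepare('INSERT INTO members (email, password) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connect->error);
    }
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $id = (int) $connect->insert_id;
    $stmt->close();
    return $id;
}

// Usage, with $connect, $email and $pass as in the question:
// $id = findMemberId($connect, $email, $pass);
// echo $id === null ? 'login failed' : $id;
```

Two caveats: `mysqli_stmt::get_result()` needs the mysqlnd driver, so on a build without it bind the output columns with `bind_result()` and call `fetch()` instead; and `password_hash()`/`password_verify()` are built in from PHP 5.5, which is why the first comment links the compatibility pack for older versions. Returning `null` for both "no such email" and "wrong password" keeps the two failure cases indistinguishable to the caller, so a login form cannot be used to confirm which emails are registered.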