-1

i know this is simple..but i am unable to find the error..i have a login page where i take the input from user i.e. the username and password.then another page i am checking whether the values are present in the database or not.but neither it is giving me an error nor its working..moreover its not entering the first if condition..if ($result->num_rows > 0) 

<body style="background-color:lightgrey;">
    <?php  
    include('custdb.php');
    session_start();
    $uname=$_POST['username'];
    $pass=$_POST['password'];
    $sql = "SELECT * FROM `info` WHERE `username`='".$uname."';";
    //echo $sql;

    $result = $conn->query($sql);
    echo"1";
    echo $result;

    if ($result->num_rows > 0) 
    {
        echo"1";
        while($row = $result->fetch_assoc()) 
        {
            if($uname==$row["username"])
            {
                header("location:custprofile.php");
            }
            else
            {
                header("Location:custindex.php");
            }
        }   
    }
    else
    {
        echo "invalid input";
        echo '<h4 align="left"><a href="custindex.php">LOGIN</a> </h4>';    
    }
    ?>
Nana Partykar
  • 10,556
  • 10
  • 48
  • 77
abhi
  • 27
  • 5
  • Looks like you've echo the sql query already. Did you try the query directly in the database? On a side not you really need to transfer to MySQLi or PDO for sql injection prevention – Matt Apr 29 '16 at 09:34
  • Remove the all `echo "1"` and `echo $result;` code. If you echo something before you run a `header()` the `header()` will not work. Look at you error log it should be telling you the header failed **headers already sent** – RiggsFolly Apr 29 '16 at 09:38
  • You are not sanitizing data sent to the script in `$_POST` thats very dangerous see [See SQL Injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496) – RiggsFolly Apr 29 '16 at 09:43
  • Password should be HASHED when stored on your database See [password_hash()](http://php.net/manual/en/function.password-hash.php) – RiggsFolly Apr 29 '16 at 09:45

1 Answers1

-1

Try to change this portion of your code,

$uname=$_POST['username'];
$pass=$_POST['password']; 
$sql = "SELECT * FROM `info` WHERE username='".$uname."' AND password='".$pass."'";
Sarvagna Mehta
  • 334
  • 3
  • 16
  • What possible benefit would this give the OP – RiggsFolly Apr 29 '16 at 09:49
  • @Riggs Folly, Check out the question again. He clearly mention that heis code is not working and there is an error of mysql query. – Sarvagna Mehta Apr 29 '16 at 09:52
  • No, he says he is getting no errors, he is seeing nothing because he has echo'd something to the output buffer and therefore the `header()` commands are failing to do the redirect – RiggsFolly Apr 29 '16 at 10:15
  • Adding another possible point of failure i.e. the addition of a passeord check in the query is hardly going to solve a query error anyway – RiggsFolly Apr 29 '16 at 10:18