PHP Select dosen´t work

Question

I cant load informations from my mysql database. I want to load data from my database and compare it with a php variable, but it does not work. Whenever I load the page, I see a white page.

Can anybody help me?

  <?php
define('DB_SERVER', '');
define('DB_USERNAME', '');
define('DB_PASSWORD', '');
define('DB_DATABASE', '');

$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);

if($_SERVER["REQUEST_METHOD"] == "POST") {

    $myusername = mysqli_real_escape_string($db,$_POST['login']);
    $mypassword = mysqli_real_escape_string($db,hash('ripemd160', $_POST['pass']));
    $sql = "SELECT username, password, active FROM User WHERE username = '$myusername' and password = '$mypassword'";
    $result = mysqli_query($db, $sql);
    while($row = mysql_fetch_assoc($result)) 
    {
        $username = $row['username'];
        $password = $row['password'];
        $active = $row['active'];

        if($username == $myusername){
            if($active == 1)
            {
                session_start();
                $_SESSION["login"] = $myusername;
                echo $_SESSION["login"];

                header("Location: http://www.example.de"); 
            }
            else
            {
            echo "please verify your email";    
            }
        }
    }   
}
else 
{
    header("Location: http://www.fapsite.de/Main/Home/Views/Login/WrongPassword.php");
}

?>

[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) — Jay Blanchard, Oct 06 '16 at 17:45
Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Oct 06 '16 at 17:45

score 2 · Answer 1 · answered Oct 06 '16 at 17:38

2

When you attempt to get fetched username, you access $row['Username'], while the key should be username, note the case of the first letter. This is why evaluation $username == $myusername is not evaluated to true.

Same appliles to Password vs password and Active vs active.

answered Oct 06 '16 at 17:38

Georgy Ivanov

1,573
1
17
24

I try it but nothing happend – lucas bardoux Oct 06 '16 at 17:40
1

@Lucas.Bardoux you need to do `$row=mysqli_fetch_array($result,MYSQLI_ASSOC);` – Alive to die - Anant Oct 06 '16 at 17:41
It work thank you :) – lucas bardoux Oct 06 '16 at 17:48
@Lucas.Bardoux check code of te link for more details:- https://eval.in/656555 . And still your code is vulnerable to `SQL Injection` so read about `prepared statements`, not hard to understand and very secure. – Alive to die - Anant Oct 06 '16 at 18:01

score 0 · Answer 2 · edited Oct 08 '16 at 05:13

0

This, at least, is a fatal error in your code:

You need to use mysqli function when fetch while not mysql_fetch_assoc

edited Oct 08 '16 at 05:13

Rick James

135,179
13
127
222

answered Oct 06 '16 at 17:37

harrrrrrry

13,643
2
23
28

PHP Select dosen´t work

2 Answers2