
I got this code from a tutorial; however, my University server has PHP 5.3 and on my own home web server I am running PHP 5.7, and I believe that is what is causing an error, as I am getting "This page isn’t working".

This is a very basic login script as that is all I need.

I am running IIS 10.0, PHP 5.7 and the latest MySQL Server / Windows Server 2016 Stan

The code I am trying to use on my server is:

```php
<?php

//get information from index.php
$username = $_POST['username'];
$password = $_POST['password'];

//Prevent Sql injection
$username = stripcslashes($username);
$password = stripcslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

//connect to the MySql Server and select a Database
mysql_connect("localhost", "root", "password");
mysql_select_db("S0190282");
//Query the database for the user
$sql = mysql_query("SELECT * FROM login WHERE username = '$username' AND password = '$password'")
    or die ("Failed to query database".mysql_error());

$row = mysql_fetch_array($sql);
if ($row['username'] == $username && $row['password'] == $password)
{
    //if Username and password are both correct /Do this code here\
    header('Location: secure/index.php');
}
else
{
    //Do this code here
    echo('Your Username or Password is incorrect');
}
?>
```

Anyone know of any way to fix this? Thanks. I'd rather not go back to 5.3 as I've always been on the latest version of server software.

  • There's no PHP 5.7... did you mean PHP 7.0? – Machavity May 17 '17 at 19:34
  • Best Practice. Your development environment should match the master environment. – Adrianopolis May 17 '17 at 19:34
  • mysql_* functions are deprecated as of PHP 5.5.0, and removed as of PHP 7.0.0. Switch your code to use [PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) or [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – aynber May 17 '17 at 19:34
  • "I got this code from a tutorial however my University..." This tutorial is wickedly out of date and unless you need to follow it for a particular assignment you should steer clear of it. The `mysql_query` interface was removed from PHP in version 7.0. As aynber says, you must use one of the supported interfaces like PDO or `mysqli`. – tadman May 17 '17 at 19:40
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.4/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman May 17 '17 at 19:40
  • **WARNING**: This has some severe [SQL injection bugs](http://bobby-tables.com/) because user data is present inside the query. Whenever possible use **prepared statements**. These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. **NEVER** put `$_POST`, `$_GET` or any user data directly in your query. – tadman May 17 '17 at 19:40
  • Thank you all for the information I am at the moment learning this :) and will be noting all these down, and sorry if this is a dupe question I did look :) thank you again. – Sheriden Ben Venters May 18 '17 at 15:48

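The comments above recommend prepared statements and never storing passwords as plain text. As an added example (not code from the question or from any commenter), the following shows both with PDO on PHP 7. The in-memory SQLite database, the `password_hash` column, the `verify_login` function name and the sample account are assumptions made so that it runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Added example. Assumed schema: login(username, password_hash), where
// password_hash holds password_hash() output rather than the plain password.
function verify_login(PDO $pdo, string $username, string $password): bool
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password_hash FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run one verification against a throwaway hash
        // so the response time does not reveal whether the username exists.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, (string) $hash);
}

define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Stand-in database so the example runs without a server. With MySQL, use e.g.
// new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account; the hash is created once, at registration time.
$insert = $pdo->prepare('INSERT INTO login (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(verify_login($pdo, 'alice', 'correct horse'));   // matching password
var_dump(verify_login($pdo, 'alice', 'wrong'));           // wrong password
var_dump(verify_login($pdo, "' OR '1'='1", 'x'));         // treated as a literal name
```

In the login page itself, pass the `$_POST` values to the function and, on success, call `session_regenerate_id(true)` before the `header('Location: ...')` redirect, then `exit`.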