
I have this code, and I think there is nothing wrong with it, but it doesn't work. It just displays a white screen in Mozilla. Maybe someone knows where my mistake is?? Please tell me..

```php
<?php
session_start();
include 'koneksi2.php'; // expected to open the MySQL connection

$uname = isset($_POST['Name']) ? $_POST['Name'] : '';
$pass  = isset($_POST['Password']) ? $_POST['Password'] : '';
$op    = isset($_GET['op']) ? $_GET['op'] : '';
//$pas = md5($pass);

if ($op == 'in') {
    // Username and password are interpolated straight into the SQL text
    // (this is the SQL injection point the comments below refer to).
    $perintah = "select * from user WHERE username = '$uname' AND password = '$pass'";
    $hasil = mysql_query($perintah);

    // Original defects fixed here: a stray ';' after the if() condition made the
    // block run unconditionally, and the "password salah" else branch was attached
    // to the level check instead of to the row-count check.
    if ($hasil && mysql_num_rows($hasil) == 1) {
        $c = mysql_fetch_array($hasil);
        $_SESSION['username'] = $c['username'];
        $_SESSION['level']    = $c['level'];

        if ($c['level'] == "pemilik") {
            header("Location: home_pemilik.php");
            exit; // stop the script after sending the redirect
        } else if ($c['level'] == "pelayan") {
            header("Location: home.php");
            exit;
        }
    } else {
        echo("password salah"); // "wrong password"
    }
} else if ($op == "out") {
    unset($_SESSION['username']);
    unset($_SESSION['level']);
    header("Location: login.php");
    exit;
}
?>
```
  • [`mysql_query()`](http://php.net/mysql-query) **does not exist** any more. Please use more up-to-date methods, such as PDO. – Niet the Dark Absol Jul 09 '17 at 11:17
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jul 10 '17 at 14:35
  • MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Jul 10 '17 at 14:35
  • I am a newbie, so I do not understand PDO and mysqli. I've tried reading about it, but it's a little bit harder :) @AlexHowansky but I will read about SQL injection. Thank you.. – Qhosie Kheyrenni Jul 11 '17 at 12:59
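To show what the two comments above are asking for in concrete terms, here is the same login flow rewritten with a mysqli prepared statement (bound parameter instead of string interpolation) and `password_verify()` instead of a plaintext or MD5 comparison. This is an added example, not the asker's code; it assumes that `koneksi2.php` creates a mysqli connection in a variable named `$koneksi`, and that the `password` column of the `user` table holds a `password_hash()` result rather than the plaintext password.

```php
<?php
// Added example (not the asker's code). Assumptions: koneksi2.php creates a
// mysqli connection in $koneksi, and the `user` table stores a password_hash()
// result in its `password` column.
session_start();
include 'koneksi2.php';

$uname = isset($_POST['Name']) ? $_POST['Name'] : '';
$pass  = isset($_POST['Password']) ? $_POST['Password'] : '';
$op    = isset($_GET['op']) ? $_GET['op'] : '';

if ($op === 'in') {
    // The username is sent as a bound parameter and is never spliced into the
    // SQL text, so an input like  ' OR '1'='1  is compared literally rather
    // than parsed as part of the query. The password never touches the query.
    $stmt = $koneksi->prepare(
        "SELECT username, password, level FROM user WHERE username = ?"
    );
    if ($stmt === false) {
        die("query preparation failed");
    }
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash, $dbLevel);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() compares the submitted password against the stored
    // hash in constant time; a missing user and a wrong password both fall
    // through to the same error message.
    if ($found && password_verify($pass, $dbHash)) {
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['username'] = $dbUser;
        $_SESSION['level']    = $dbLevel;

        $target = ($dbLevel === 'pemilik') ? 'home_pemilik.php' : 'home.php';
        header("Location: $target");
        exit;
    }
    echo "password salah"; // "wrong password"
} elseif ($op === 'out') {
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit;
}

// When an account is created or its password changed, store the hash,
// never the password itself:
//   $hash = password_hash($newPassword, PASSWORD_DEFAULT);
//   (then INSERT/UPDATE the `password` column with $hash via a prepared statement)
```

Existing rows that still contain plaintext or MD5 passwords will not verify against this code until they are re-hashed with `password_hash()`, so a migration step (for example, re-hashing on the user's next successful login under the old scheme) is needed when switching an existing table over.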

0 Answers