-1

I have my pin.php as:

<?php //connection $db_host="localhost"; $db_username="root";
$db_password="";


$connection =
mysql_connect("$db_host","$db_username","$db_password");

if (!$connection){ die("database connection failed: ".
mysql_error()); }

session_start([
    'cookie_lifetime' => 120, ]);   //Start a new session (2 minutes)

?> <html> <head> <title>Check Result</title> </head> <body> Check
Result<br /><br /> <?php $dbname = "db";
    $db_sel=mysql_select_db($dbname,$connection);
    if(!$db_sel) {
        echo "<h1>Unable to Connect to the Database</h1><hr />";
        exit();
    }

// Check submit button click 


if(isset($_REQUEST['submit']))  { if (!empty($_POST['uname']) &&
!empty($_POST['pass'])) {    $serial =
stripslashes(trim($_POST['serial']));   $pin =
stripslashes(trim($_POST['pin']));

   $sign = mysql_query("SELECT * FROM pin WHERE serial='$serial' AND
pin='$pin'");
       $no=mysql_num_rows($sign);  //if username and password matches    if($no!=0)
    { 

        $_SESSION['serial']=$serial;        $_SESSION['pin']= $pin;

        $logintimes=mktime();

        $ipaddress=$_SERVER['REMOTE_ADDR'];

            //Redirects the user to the password protected page
    header("Location: result.php");
         exit();

        }   else{ // if invalid serial/pin  echo "Invalid";

 } }  else{ // if empty on submit    echo "empty";//empty”;  }  } ?>
<form action="print.php" method="post"> Serial Number: <input
type="text" name="serial" value="" class="style3" size="18"/><br />
PIN: <input type="hide" name="pin"  class="style3" size="18"/><br />
<input type="submit" name="submit" value="Login" class="button"  />
</form>         </body> </html>

and my result.php as:

<?php
           session_start([    'cookie_lifetime' => 120, ]); if(isset($_SESSION['serial']) && ($_SESSION['pin'])) {   ?>
    <h3>Welcome</h3> <div> This is your    result...<br /> <?php
        $logintimes=mktime();
        $ipaddress=$_SERVER['REMOTE_ADDR'];

        echo $logintimes;   echo $ipaddress; ?> </div> <?php    session_destroy(); } else { //Redirects the user to the login page
    if    he is not logged in header("Location: index.php"); } ?>

On submit, it's still accessing result.php without checking if serial=$serial AND pin=$pin

arghtype
Wisdom
  • FYI, [you shouldn't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you. – John Conde Aug 16 '17 at 15:53
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Aug 16 '17 at 16:04
  • Are these 2 variables really commented out like this ` – RiggsFolly Aug 16 '17 at 16:07
  • Why is this `if($no!=0)` commented out? It seems to be crucial to the function logic. Just a paste error? – yacc Aug 16 '17 at 16:27
  • We should start a bitcoin collection and spend @Wisdom a good training camp in Siberia to get the least principles of programming style taught. What do you think? :p – yacc Aug 16 '17 at 16:30

1 Answer

0

Guys, I looked into this a little. I tried to clean it up so it's more readable, and I would suggest at least templating out the page and using a replace('tag',function()) method to enter data into the template.


<?php
// connection
$db_host     = "localhost";
$db_username = "root";
$db_password = "";

$connection = mysql_connect($db_host, $db_username, $db_password);

if (!$connection) {
    die("database connection failed: " . mysql_error());
}

session_start([
    'cookie_lifetime' => 120,
]); // Start a new session (2 minutes)
?> <html> <head> <title>Check Result</title> </head> <body> Check Result<br /><br /> <?php
$dbname = "db";
$db_sel = mysql_select_db($dbname, $connection);
if (!$db_sel) {
    echo "<h1>Unable to Connect to the Database</h1><hr />";
    exit();
}

// Check submit button click
if (isset($_REQUEST['submit'])) {
    // The form posts "serial" and "pin", so those are the fields to test
    if (!empty($_POST['serial']) && !empty($_POST['pin'])) {
        $serial = stripslashes(trim($_POST['serial']));
        $pin    = stripslashes(trim($_POST['pin']));
        // Escape both values before they go inside the quoted SQL strings
        $sign   = mysql_query(sprintf(
            "SELECT * FROM pin WHERE serial='%s' AND pin='%s'",
            mysql_real_escape_string($serial, $connection),
            mysql_real_escape_string($pin, $connection)
        ));
        while ($row = mysql_fetch_array($sign, MYSQL_NUM)) {
            $_SESSION['serial'] = $serial;
            $_SESSION['pin']    = $pin;
            $logintimes         = mktime();
            $ipaddress          = $_SERVER['REMOTE_ADDR'];
            // Redirects the user to the password protected page.
            // header() only takes effect if the HTML above has not been flushed yet
            // (i.e. output buffering is on).
            header("Location: result.php");
            exit();
        } // if success above will exit, else get to the below error note.
        echo "Invalid";
    } else { // if empty on submit
        echo "Please enter you name or password FooL";
    }
}
?><form action="print.php" method="post"> Serial Number: <input type="text" name="serial"  value="" class="style3" size="18"/><br /> PIN: <input type="hide" name="pin"  class="style3" size="18"/><br /> <input type="submit" name="submit" value="Login" class="button"  /> </form></body> </html>

I didn't test it, but you can see I replaced the $no with a row pull. The point you need to understand is the row count will be zero because you haven't yet pulled the row; the point is still at the start.

Cyberience
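The serial/PIN check and the result.php guard discussed in this thread, as an added example that is not code from the question or the answer. It uses PDO prepared statements as the first comment recommends. Assumptions: an in-memory SQLite table stands in for the page's MySQL `pin` table, the `pin_hash` column and the sample row are constructed, and the helper names `demo_db`, `check_pin`, `login` and `require_login` are hypothetical.

```php
<?php
// Constructed stand-in for the page's MySQL `pin` table; pin_hash is a hypothetical hashed-PIN column.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE pin (serial TEXT PRIMARY KEY, pin_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO pin VALUES (?, ?)')
       ->execute(["SN-O'1001", password_hash('482913', PASSWORD_DEFAULT)]); // constructed row
    return $db;
}

// True only when the serial exists and the submitted PIN matches its stored hash.
function check_pin(PDO $db, string $serial, string $pin): bool
{
    // Bound parameter: the serial travels as data and is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT pin_hash FROM pin WHERE serial = ?');
    $stmt->execute([$serial]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    return is_string($hash) && password_verify($pin, $hash);
}

// pin.php: call after session_start() and before any HTML is sent.
function login(PDO $db, array $post): bool
{
    $serial = trim((string) ($post['serial'] ?? ''));
    $pin    = trim((string) ($post['pin'] ?? ''));
    if ($serial === '' || $pin === '' || !check_pin($db, $serial, $pin)) {
        return false;
    }
    session_regenerate_id(true);    // fresh session id once authenticated
    $_SESSION['serial'] = $serial;  // remember who logged in, never the PIN
    return true;
}

// result.php: redirect AND stop; without exit the protected body still renders.
function require_login(): void
{
    if (empty($_SESSION['serial'])) {
        header('Location: index.php');
        exit;
    }
}

if (PHP_SAPI === 'cli') {   // offline demo against the constructed row
    $db = demo_db();
    var_dump(check_pin($db, "SN-O'1001", '482913'));   // serial and PIN both match
    var_dump(check_pin($db, "SN-O'1001", '000000'));   // right serial, wrong PIN
    var_dump(check_pin($db, 'SN-9999', '482913'));     // unknown serial
}
```

Against MySQL only the DSN passed to `new PDO` changes; the queries and the session handling stay the same.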