
I have a basic login code, where the user enters a username and a password, hits 'Submit', and then a mySQL query checks in the database if the username corresponds to the password.

Here is the query, with 'pseudo' as the username typed by the user and 'mot_de_passe' as the password typed in.

    $reponse = $bdd->query('SELECT * FROM user_data WHERE username = '.$_POST['pseudo'].' AND password = '.$_POST['mot_de_passe'].' ');

Without the 'AND...' part, I can check if the username exists, but when I add the 'AND...' part, the query doesn't work, and the 'AND' is not in the same color as 'SELECT * FROM' and 'WHERE'.

I have tried dots, simple quotes, quotes, but nothing changes.

Thanks in advance.

Hugo Trombert
    1. Don't use plain passwords, use password hashing. 2. Try to use `prepared statements` to prevent SQL INJECTION. – Alive to die - Anant Oct 14 '17 at 09:04
  • 1
    Use prepared statements and you won't have to worry about the pesky quoting issues – Rotimi Oct 14 '17 at 09:04
  • Incidentally, part of the beauty of this method is that it allows the use of parametrised queries. It would be foolish not to use them. – Strawberry Oct 14 '17 at 09:05
  • Put it all inside double quotes - "'. $_POST['pseudo'] .'" But you should not be doing this, please look into prepared statements – Sean Konig Oct 14 '17 at 09:15
  • Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) – Qirel Oct 14 '17 at 09:50
  • Check [this](https://stackoverflow.com/a/46742866/3410932) answer. – Girish Oct 14 '17 at 10:17
  • Thanks a lot! Prepared statements solved it. Will use password hashing for sure ;) – Hugo Trombert Oct 14 '17 at 12:03

2 Answers

1

You must use " or ' around strings in SQL:

    $reponse = $bdd->query('SELECT * FROM user_data WHERE username = "'.$_POST['pseudo'].'" AND password = "'.$_POST['mot_de_passe'].'" ');

And your code can't prevent SQL INJECTION attacks.

Please use prepared statements or bound parameters.

Star_Man
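The prepared-statement and password-hashing approach recommended above, as an added example that is not part of the original answer. It assumes `$bdd` is the PDO connection from the question and that the `password` column of `user_data` holds a `password_hash()` hash rather than plaintext (an assumption; the question's table stores the raw password).

```php
<?php
// Added example, not from the original answer. Assumes $bdd is a PDO connection
// to the question's database, with exceptions enabled:
//   $bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The question's query, for contrast: user input is spliced into the SQL text, so
// the missing quotes break it, and any input containing a quote rewrites the query.
// $bdd->query('SELECT * FROM user_data WHERE username = '.$_POST['pseudo'].' ...');

/**
 * Look up a user with a prepared statement, then compare the submitted password
 * against the stored password_hash() value. Returns the row on success, else null.
 */
function authenticate(PDO $bdd, string $pseudo, string $motDePasse): ?array
{
    // The value is bound to :pseudo and sent separately from the SQL text, so
    // no manual quoting is needed and the input cannot change the query.
    $stmt = $bdd->prepare('SELECT id, username, password FROM user_data WHERE username = :pseudo');
    $stmt->execute([':pseudo' => $pseudo]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    // Assumption: the password column holds a password_hash() hash, not plaintext.
    if ($user === false || !password_verify($motDePasse, $user['password'])) {
        return null;
    }
    return $user;
}

/** Store a new password as a hash (bcrypt with PASSWORD_DEFAULT), never as plaintext. */
function storePassword(PDO $bdd, string $pseudo, string $motDePasse): void
{
    $stmt = $bdd->prepare('UPDATE user_data SET password = :hash WHERE username = :pseudo');
    $stmt->execute([
        ':hash'   => password_hash($motDePasse, PASSWORD_DEFAULT),
        ':pseudo' => $pseudo,
    ]);
}

// Usage from the login form in the question.
$user = authenticate($bdd, $_POST['pseudo'] ?? '', $_POST['mot_de_passe'] ?? '');
if ($user === null) {
    // Same message whether the username is unknown or the password is wrong.
    echo 'Identifiants invalides';
} else {
    echo 'Bienvenue, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
}
```

Existing plaintext rows have to be re-hashed once with `storePassword()` before `authenticate()` will accept them.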
0

Use the below code and check whether it works or not.

    $reponse = $bdd->query('SELECT * FROM user_data WHERE username = ' . 
    $_POST['pseudo'] . ' AND password = ' . $_POST['mot_de_passe'] );

Also check the password type stored in your database and try to match that:

    $reponse = $bdd->query('SELECT * FROM user_data WHERE password = ' . 
    $_POST['mot_de_passe'] ); 

If that works, then check your database keys and match your password spelling and things like that.

I AM A Hacker