```php
$myusername = mysqli_real_escape_string($dbc, $_POST['username']);
$mypassword = mysqli_real_escape_string($dbc, $_POST['Password']);

$sql = "SELECT id FROM Users WHERE email = '$myusername' and pass = '$mypassword'";

$r = @mysqli_query($dbc, $sql);
$row = mysqli_fetch_array($r, MYSQLI_ASSOC);
$active = $row['active'];

$count = mysqli_num_rows($r);
print $count;

if ($count == 1) {
    header('Location: http://localhost/Hw3/index.php');
} else {
    echo '<p class="error">Your Login Name or Password is invalid</p>';
}
```

I'm trying to get the username and password from the database and check if they are current by using `$count = mysqli_num_rows($r);`, but count always returns 0 even when the username and password are correct.

Machavity
  • 2
    Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Nov 01 '17 at 22:39
  • 1
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). Accidentally unescaped data is a serious risk. Using bound parameters is less verbose and easier to review to check you’re doing it properly. – tadman Nov 01 '17 at 22:39
  • 1
    **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman Nov 01 '17 at 22:39
  • 2
    **WARNING**: Using the error-suppressing `@` operator obscures problems with your code and makes debugging issues like this a whole lot more complicated. That's a tool of last resort and should only be used in exceptional circumstances. You should display an error message for the user, log a problem, initiate some kind of retry, or all of these things in conjunction. – tadman Nov 01 '17 at 22:40
  • Don't store your passwords as plain text. You're exposing your users to a security breach – Machavity Nov 01 '17 at 22:51
  • `SELECT id` and you're using another row. Other things could be failing also. – Funk Forty Niner Nov 01 '17 at 23:03
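
The pattern the comments above recommend (bound parameters, hashed passwords, no `@` suppression), as an added example that is not part of the original question or comments. It assumes the `pass` column stores `password_hash()` output; the connection credentials and database name are placeholders.

```php
<?php
// Added example, not the asker's code. Assumes Users(id, email, pass) where
// `pass` holds a password_hash() value; connection details are placeholders.

// Throw mysqli_sql_exception on failure instead of hiding errors with `@`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return the user's id when the credentials match, or null otherwise.
 */
function find_user_id(mysqli $db, string $email, string $password): ?int
{
    // The value travels separately from the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT id, pass FROM Users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();

    // Bind every column that is read, so no unselected column is referenced.
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();          // true = row fetched, null = no row
    $stmt->close();

    // Compare against the stored hash in PHP; never compare plain text in SQL.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $id;
}

// Usage (placeholder credentials and database name):
$db = new mysqli('localhost', 'db_user', 'db_password', 'hw3');
$db->set_charset('utf8mb4');

$userId = find_user_id($db, $_POST['username'] ?? '', $_POST['Password'] ?? '');
if ($userId !== null) {
    session_start();
    session_regenerate_id(true);      // issue a new session id after login
    $_SESSION['user_id'] = $userId;
    header('Location: http://localhost/Hw3/index.php');
    exit;                             // stop before any further output
}
echo '<p class="error">Your Login Name or Password is invalid</p>';
```

Rows for this table would be created with `password_hash($password, PASSWORD_DEFAULT)` at registration time.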

0 Answers