0

So i'm trying to get the number (or just when the user is found a 1 pops up)of the user im logging into as from the input fields which i have made in phpmyadmin. When i enter something completely random i get 0 as the randomly entered letters arent in my database so it isnt found in the database, however when i enter the actual login and password from one of the users i get 0 instead of 1 which would mean that that user was found from the database. im not sure if i can link the database but here it is: http://localhost/phpmyadmin/sql.php?db=mysqldb1&table=users&token=dbc781132ba546cedab4644522745917&pos=0 here are the codes: here is login.html

<html>
    <head>
        <title> MYSQL </title>
        <script
         src="https://code.jquery.com/jquery-3.3.1.js" integrity="sha256-2Kok7MbOyxpgUVvAk/HJ2jigOSYS2auK4Pfzbm7uH60=" crossorigin="anonymous">
        </script> 
    </head>
    <body>
    <div id="status"></div>
    <input id="login" placeholder="Login"><br>
<input type="password" id="pass" placeholder="Password"  ><br>
    <button id="entry"> Login </button>
    <script>
    $("#entry").click(function(){
        $.post("check.php", {login: $("#login").val(), password: $("#pass").val()},
        function(result){
        $("#status").html(result);

    })
})
    </script>
    </body>
 </html>

here is the php code

  <?php
    $login=$_POST['login'];
    $password=$_POST['password'];

    echo $login.$password;

    require "config/con1.php";

    $sql= "SELECT id FROM users WHERE login='$login' AND password='$password' ";

    $result=mysqli_query($con, $sql);
    $value = mysqli_num_rows($result);
    echo $value;

    ?>
unknown programmer
  • 13
  • 6
  • 1
    Further reading: [How to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1), [Prepared Statements](http://php.net/manual/en/mysqli.prepare.php), [Bound Parameters](http://php.net/manual/en/mysqli-stmt.bind-param.php) and [Password Hashing](http://php.net/manual/en/function.password-hash.php). – CD001 May 18 '18 at 13:10

1 Answers1

1

When you require or include something, the code within that file is run within the same scope as the code where the command is issued. This means that anything that you do within the included file effects the rest of your code within this scope, including assigning values to variables.

Specific relevant quote from the official docs:

When a file is included, the code it contains inherits the variable scope of the line on which the include occurs. Any variables available at that line in the calling file will be available within the called file, from that point forward. However, all functions and classes defined in the included file have the global scope.

You are currently doing $password=$_POST['password']; near the top of your file. Then you require "config/con1.php";. If you assign a new value to $password within con1.php (which you were), that value will carry over back to your main file (check.php).

You can solve this either by moving require "config/con1.php"; to the top of check.php or by using different variable names within con1.php (or both).

Patrick Q
  • 6,373
  • 2
  • 25
  • 34