
I need help with creating the log in for my website and connecting it to the database.

This is the PHP code:

```php
<?php
 session_start();
 include("dbconnect.php");
 $numrows=0;
 $member=$_GET['Membership_Number'];
 $password=$_GET['Password'];
 $query="select First_name, Last_name, Membership_Number from members where (Membership_Number='$member' && Password='$password')";
 $link = mysql_query($query);
 if (!$link) {
  die('login error');
 }
 $numrows=mysql_num_rows($link);
 if ($numrows>0){  // authentication is successful
  $row = mysql_fetch_array($link, MYSQL_ASSOC);
  $_SESSION['user']['first_name']=$row['fname'];
  $_SESSION['user']['last_name']=$row['lname'];
  $_SESSION['user']['email']=$row['email'];
  header("location:index.php");
 } else {
  header("location:../invalid.php");  // authentication was unsuccessful
 }
?>
```

This is the HTML code:

```html
<form id="jjjj" method="post" action="Send_log_details.php" class="register">
        <ul>
            <li>
            Membership Number:<br>
            <input type="text" id="Membership_Number" name="Membership_Number">
            </li>
            <li>
            Password:<br>
            <input type="password"  id="Password" name="Password" value="Login">
            </li>
            <li>

            <input type="submit" name="register" value="Login" onclick="logMeIn()">
            </li>
        </ul>
</form>
```

Could someone please explain why this code does not work?

Thanks

  • This has nothing to do with `html` or `css`. Removed the tags. – Kermit Jan 11 '13 at 15:51
  • Please explain exactly what "does not work". – roryf Jan 11 '13 at 15:51
  • 3
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Kermit Jan 11 '13 at 15:52
  • 1
    Be aware: Your code is dangerously insecure -- passwords are not hashed at all, and none of your SQL fields are escaped. This code could be hacked within seconds by anyone. Also, as @njk says, please stop using the obsolete `mysql_xx()` functions. – SDC Jan 11 '13 at 15:53

2 Answers

  1. You have a form with method=post, and in PHP you are using $_GET.
  2. Your query isn't correct.

As @njk also commented,

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated.

Muhammad Talha Akbar

First of all, $_GET does not include the values of POSTed form parameters. $_POST or $_REQUEST will work, although the latter may not be wise to use because depending on the PHP configuration, it may include cookie values.

Second, $query is not valid SQL. In particular, SQL uses AND rather than &&. Also, the column names have to match the rest of your code if you use the MYSQL_ASSOC option:

```php
$sqlMember = mysql_real_escape_string($member);
$sqlPassword = mysql_real_escape_string($password);
$query="select First_name fname, Last_name lname, Email email, Membership_Number from members where (Membership_Number='$sqlMember' and Password='$sqlPassword')";
```

mysql_real_escape_string() is used to prevent SQL injection. If you were using either the MySQLi extension or PDO, you would have prepared statement functionality available to you, which you should use instead.

By the way, other attacks against your application, such as login CSRF and session fixation, might be possible.

PleaseStand
  • Thanks for your help, but it still doesn't seem to work. I just want it to recognise who is logged in. Even if I enter zero data into the Membership Number & Password fields it still takes me to the membership_area. Therefore the log in still fails to work. – Richard Jess Jan 11 '13 at 16:26
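As an added example that is not part of the question or either answer: a hardened rewrite of the asker's login handler that applies the points in the second answer (read `$_POST`, bind parameters in a prepared statement instead of escaping, keep only password hashes in the database, guard against login CSRF and session fixation) and also rejects the blank-field case raised in the last comment. It assumes `dbconnect.php` exposes a PDO connection as `$pdo`, a `Password_hash` column filled by `password_hash()`, and a hidden `csrf_token` form field; none of these exist in the original code.

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes dbconnect.php
// defines a PDO connection in $pdo, and that members.Password_hash (assumed
// column) stores password_hash() output instead of a plaintext Password.
session_start();
include("dbconnect.php");

// The form posts, so read $_POST, not $_GET. Reject empty fields up front:
// the original query could match with both fields blank.
$member   = $_POST['Membership_Number'] ?? '';
$password = $_POST['Password'] ?? '';
if (!is_string($member) || !is_string($password) || $member === '' || $password === '') {
    header("Location: ../invalid.php");
    exit;
}

// Login-CSRF check: the form must echo a per-session token back in a hidden
// field (assumed name csrf_token, set when the form page was rendered).
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    header("Location: ../invalid.php");
    exit;
}

// Prepared statement: user input is bound as a parameter and never spliced
// into the SQL text, so no escaping is needed. Only the identifier is looked
// up; the password is verified in PHP against the stored hash.
$stmt = $pdo->prepare(
    "SELECT First_name, Last_name, Email, Password_hash
       FROM members WHERE Membership_Number = :member"
);
$stmt->execute([':member' => $member]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Unknown member and wrong password take the same failure path.
if ($row === false || !password_verify($password, (string) $row['Password_hash'])) {
    header("Location: ../invalid.php");
    exit;
}

// Session fixation defence: new session id once the user is authenticated.
session_regenerate_id(true);
$_SESSION['user'] = [
    'first_name' => $row['First_name'],
    'last_name'  => $row['Last_name'],
    'email'      => $row['Email'],
];
header("Location: index.php");
exit;
```

The form page must store a random token in `$_SESSION['csrf_token']` and emit it as a hidden input, and existing rows need their plaintext passwords replaced by `password_hash()` output before this handler can log anyone in.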