<?php

//CONNECT TO DATABASE

$db_host="localhost";
$db_username="root";
$db_pass="";
$db_name="admin";

@mysql_connect("$db_host","$db_username","$db_pass","$db_name")
    or die ("not connect");
@mysql_select_db("$db_name") or die ("no database");

echo "succesful connection";

//THEN I CHECK THE VALUES FROM MY FORM

if($_SERVER ['REQUEST_METHOD']=='POST'){

    $username=$_POST['username'];
    $password=$_POST['password'];

    $username=htmlspecialchars($username);
    $password=htmlspecialchars($password);

    //SEARCH INTO MY DATABASE TABLE

    $SQL="SELECT * FROM members WHERE`` username=$username AND  password=$password ";
    $result=mysql_query($SQL);

    //BASED ON MY RESULTS I GIVE TO SESSION VARIABLE A VALUE 1 OR "" AND REDIRECT TO INDEX.PHP

    if($result){
        $num_rows=mysql_num_rows($result);
        if($num_rows>0){
            session_start();
            $_SESSION['check']="1";
            header ("Location:index.php");
        }
        else{
            session_start();
            $_SESSION['check']="";
            header ("Location:index.php");
        }
    }

}

?>
Jay Blanchard
Chris
    What error does it display? What's your problem exactly? – Cr3aHal0 May 12 '15 at 12:35
  • You might want to edit your question to explain what doesn't work. Did you get an error message, did it crash, or did it do something different than expected, and if yes, what? – Tilman Hausherr May 12 '15 at 12:37
  • Hem... and is it me or are you trying to log in with the password in clear text, without any encryption? :/ – Cr3aHal0 May 12 '15 at 12:37
    Btw, you are risking SQL injections by using mysql_query. Change this, unless you work at Sony :-) See also https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Tilman Hausherr May 12 '15 at 12:39
    [Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using PDO, [it's not as hard as you think](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 12 '15 at 12:40
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard May 12 '15 at 12:40
    Before you build your own login system you should understand some things. [Don't limit passwords](http://jayblanchard.net/security_fail_passwords.html) and [use the proper methods to hash passwords with PHP](http://jayblanchard.net/proper_password_hashing_with_PHP.html). – Jay Blanchard May 12 '15 at 12:43
  • It doesn't show me any error. It only shows me that my connection is successful, and that's it. The problem is that it doesn't redirect me to index.php. Thank you very much – Chris May 12 '15 at 12:45
  • That is impossible @Chris, there are syntax errors in the query itself. You're suppressing a lot of error reporting here. Remove all of the `@` signs. – Jay Blanchard May 12 '15 at 12:47
  • I removed them and I changed mysql to mysqli and I get the error `Warning: mysqli_select_db() expects exactly 2 parameters, 1 given in C:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\projects\signin\logon.php on line 9` no database – Chris May 12 '15 at 12:54
  • You cannot just change to `mysqli_*`, you have to do some other things, like learn the differences in the functions and make sure you make the changes according to the docs. – Jay Blanchard May 12 '15 at 12:55
  • I kept my mysql and I changed my SQL query (SELECT.......) and it works fine. Should I also change my mysql to mysqli for security reasons? – Chris May 12 '15 at 13:07
  • You should change to MySQLi or PDO and use parametrized queries to prevent SQL Injection. – Jay Blanchard May 12 '15 at 13:33

2 Answers


@mysql_connect and @mysql_select_db: Please don't do that,

  1. Use mysqli instead of the deprecated mysql extension, see Why shouldn't I use mysql_* functions in PHP?

  2. There is a reason why functions may throw errors; you should handle them instead of using @ so they don't show up.

To your problem: Look at your SQL statement: $SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";

That doesn't work, you pass $password as plain text for the password, not the value of this var, try: $SQL='SELECT * FROM members WHERE username="' . $username . '" AND password="' . $password . '"';

Florian
    This should be a comment because it's not an answer. – ajaykumartak May 12 '15 at 12:40
  • `session_start()` should also be at the top of the page right? - that bit of code doesn't work because there's an `echo` in front of it as well ;P I upvoted your answer due to so many code issues being there and I'm at work so if you have time you can add this to your answer ;) – SidOfc May 12 '15 at 12:54
  • I see no `echo` in front of what? :) Sure, there are some other code issues too, but the main "problem" should be this. There is a `session_start()` call before he sets the first session var, which should work as long as there isn't any output before that, but you're right, the session should be started as early as possible. – Florian May 12 '15 at 13:03

I think you have an issue in your SQL query. So try this

$SQL="SELECT * FROM members WHERE `username`='".$username."' AND  `password`='".$password."' ";

Issues:

1) You are using $username directly without single quotes, so if the username is a string it will not work

2) Check the special characters you are using after WHERE

ajaykumartak
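Both answers above fix the syntax of the query by quoting the values, but they still build the SQL text by concatenating user input and still compare the password in clear text, which is exactly what the comments on the question warn about (SQL injection, deprecated mysql_* calls, missing password hashing). The following script is an added example written for this thread; it is not code from the question or from either answer. It rebuilds the login check from logon.php in both forms and runs them against an in-memory SQLite table so the injection can be observed offline, then shows the prepared-statement and password_hash() form the comments recommend, including the session handling SidOfc and Florian discuss. Assumptions: the pdo_sqlite extension is available; table and column names (members, username, password) are taken from the question; the function names, the sample member, the injection payload and the SQLite DSN are constructed for this example (against MySQL the same PDO calls work with a mysql: DSN). It goes slightly beyond the page in regenerating the session id on login and exiting after the redirect.

```php
<?php
// Added example for this thread; not code from the question or either answer.
// Assumptions (constructed for this example): pdo_sqlite is loaded, the
// member "alice" and the injection payload are sample data, and the
// function names below are invented.
declare(strict_types=1);

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of returning false; this replaces the
    // @-suppression and "or die" pattern from the question.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    // Constructed sample member. Only a password_hash() digest is stored,
    // never the clear-text password.
    $ins = $pdo->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// The query shape both answers propose: user input concatenated into the SQL
// text and the password compared in clear text inside the database.
// Whatever the user types is parsed as SQL.
function login_concatenated(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT * FROM members WHERE username='" . $username
         . "' AND password='" . $password . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened form: the SQL text is fixed and the username travels as a bound
// parameter, so it can only ever be compared as a value. The password is
// checked in PHP with password_verify() against the stored hash.
// htmlspecialchars(), as used in the question, is an HTML output encoder and
// does nothing for SQL, so it is deliberately not applied to the input here.
function login_prepared(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// Request handler in the shape of the question's logon.php: the session is
// started before any output, the session id is regenerated on success, and
// the script exits after the redirect so nothing after header() keeps running.
function handle_login(PDO $pdo): void
{
    session_start();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if (login_prepared($pdo, $username, $password)) {
        session_regenerate_id(true);
        $_SESSION['check'] = '1';
    } else {
        $_SESSION['check'] = '';
    }
    header('Location: index.php');
    exit;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration. The payload closes the quoted username, adds a
    // tautology and comments out the rest of the query.
    $pdo = make_db();
    $payload = "' OR 1=1 --";
    $report = static fn (bool $ok): string => $ok ? 'logged in' : 'rejected';
    echo 'concatenated query, injected username:     ', $report(login_concatenated($pdo, $payload, 'x')), PHP_EOL;
    echo 'prepared statement, injected username:     ', $report(login_prepared($pdo, $payload, 'x')), PHP_EOL;
    echo 'prepared statement, alice / correct horse: ', $report(login_prepared($pdo, 'alice', 'correct horse')), PHP_EOL;
    echo 'prepared statement, alice / wrong password: ', $report(login_prepared($pdo, 'alice', 'wrong')), PHP_EOL;
} else {
    // Under a web server, swap the DSN for the real MySQL one, e.g.
    // new PDO('mysql:host=localhost;dbname=admin;charset=utf8mb4', $user, $pass)
    handle_login(make_db());
}
```

Run it from the command line (php logon_example.php) to see the concatenated query accept the injected username while the prepared statement treats the same input as a literal username that does not exist. The point of the parameterised form is not that it escapes quotes more carefully, but that the query text never changes: the database receives "username = ?" and a value, so there is no string for an attacker to break out of. Storing a password_hash() digest and checking it with password_verify() also means the password never has to appear in the SQL at all.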