-2

I wrote some PHP code with MySQL for a login form. Now I heard it's better to use MySQLi, so I tried to rewrite the code. This is my working MySQL code:

```php
$username = $_POST["username"];
$password = md5($_POST["password"]);

$query = "SELECT username, password FROM accounts WHERE username LIKE '$username' LIMIT 1";
$result = mysql_query($query);
$row = mysql_fetch_object($result);

if($row->password == $password)
    {
    echo "<h3>Hallo $username</h3>";
    $_SESSION["username"] = $username;

    echo "Login succesfully:";
    }
else
    {
    echo "Login not succesfully";
    }
```

To use MySQLi I tried to change it to the following:

```php
$username = $_POST["username"];
$password = md5($_POST["password"]);

$query = "SELECT username, password FROM accounts WHERE username LIKE '$username' LIMIT 1";
$result = mysqli_query($query);
$row = mysqli_fetch_object($result);

if($row->password == $password)
    {
    echo "<h3>Hallo $username</h3>";
    $_SESSION["username"] = $username;

    echo "Login succesfully:";
    }
else
    {
    echo "Login not succesfully";
    }
```

But unfortunately this does not work.

coder
  • 2
    `"Does not work"` is not an error message - what's not working? – Steve Oct 15 '15 at 12:04
  • Plenty of things could be causing this, you aren't doing any error checking on your queries. – Epodax Oct 15 '15 at 12:05
  • @Steve I see. After the changes I just get a blank page. But there are no syntax errors. – coder Oct 15 '15 at 12:05
  • 1
    With `mysqli_` you have to specify the connection you are using when you run the query. Have you updated your DB connection to use mysqli? – Geoff Atkins Oct 15 '15 at 12:06
  • @GeoffAtkins Yes I have a mysqli DB connection which is working. – coder Oct 15 '15 at 12:07
  • You really shouldn't use MD5 password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Oct 15 '15 at 12:07
  • A blank page means you have error reporting off - change that and you will know where to start – Steve Oct 15 '15 at 12:08
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Oct 15 '15 at 12:08
  • Then see @Pupil's answer, that's the one error I saw in your code. – Geoff Atkins Oct 15 '15 at 12:09
  • You're not taking advantage of one of the key benefits of using an updated database library... query parameters. Your code is *wide open* to SQL injection attacks. – David Oct 15 '15 at 12:13
  • @GeoffAtkins You're right, his answer was the solution. Thank you guys for the help and Jay Blanchard for the information about the password. – coder Oct 15 '15 at 12:13
  • I think you should follow a tutorial. This is a simple task and you need a lot more info about PHP/databases than this question will provide. I suggest you look up PDO as well and you need more focus on security. Tutsplus has a good article on the difference: http://code.tutsplus.com/tutorials/pdo-vs-mysqli-which-should-you-use--net-24059 – Lohardt Oct 15 '15 at 12:15
  • Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Uyghur Lives Matter Oct 15 '15 at 13:44

1 Answer

2

You need to pass the database connection string to `mysqli_query()` as the first parameter and the SQL string as the second parameter.

In your case, you are passing only one parameter.

That is why it is not working.

Corrected code:

```php
$result = mysqli_query($con,$query);
```
Pupil
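The points raised in the comments (error reporting, query parameters, `password_hash()`) combined with the connection argument from the answer, as an added example that is not code from the question, the answer or any commenter. It assumes the `password` column of `accounts` stores `password_hash()` output rather than MD5, and the connection credentials are placeholders.

```php
<?php
// Added example: login check using a mysqli prepared statement and password_verify().
// Assumption: accounts.password holds password_hash() output, not an MD5 digest.
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently (the "blank page" case).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Returns true when $username exists and $password matches its stored hash. */
function check_login(mysqli $con, string $username, string $password): bool
{
    // The ? placeholder keeps request data out of the SQL text. "=" replaces LIKE
    // so that % and _ in the submitted name are not treated as wildcards.
    $stmt = $con->prepare('SELECT password FROM accounts WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true: a row was fetched, null: no matching row
    $stmt->close();

    if ($found !== true || !is_string($hash)) {
        return false;
    }
    // password_verify() reads the algorithm and salt from the stored hash.
    return password_verify($password, $hash);
}

session_start();
// Placeholder credentials; $con is the connection handle named in the answer.
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$con->set_charset('utf8mb4');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (is_string($username) && is_string($password)
    && check_login($con, $username, $password)) {
    session_regenerate_id(true);   // issue a fresh session ID after login
    $_SESSION['username'] = $username;
    // The name came from the request, so escape it before echoing it into HTML.
    echo '<h3>Hallo ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</h3>';
} else {
    echo 'Login not successful';
}
```

Existing MD5 rows cannot be converted in place; each account needs a new `password_hash()` value written the next time the user logs in or resets the password.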