-5

Wampserver. In phpMyAdmin I have added users db and user_data table, but my code doesn't work.

<?php

    include_once("sql_connect.php");
    session_start();
    $_SESSION['currentuser']=$_POST['usernameinput'];
    $uname = $_POST['usernameinput'];
    $pass = $_POST['passwordinput'];

    $sql = "SELECT * FROM 'user_data' WHERE(
    username='".$uname."' and  password='".$pass."')";
    $query = mysql_query($sql);

    $result = mysql_fetch_array($query);

    if($result[0]>0)
    {
        header ("location: Ghome.php");
    }
    else
    {
        header ("Location: loginform_er_incorrectlogpass.php");
    }
?>

When I wrote the correct username and password it doesn't work. Maybe something is wrong with my code?

<?php
    session_start(); # Starts the session

    session_unset(); # Removes all the variables in the session

    session_destroy(); # Destroys the session

    include ("LoginForm.php");
    echo "<p align='center'><font color='red'>Неправильно указан Логин или Пароль.</font></p>";
?>
marc_s

3 Answers

0

Replace this

$query = mysql_query($sql);

with the following

$query = mysql_query($sql) or die(mysql_error()); 

and see what error you are getting.

rsb
0

To fix your current problem, remove the quotes around the table name and get used to using back ticks instead.

SELECT * FROM `user_data` ...

Not this:

SELECT * FROM 'user_data' ...

(Technically, you don't even need the back ticks here, but using them is a good practice and will help catch a variety of typos down the road.)

Some additional pointers:

  • Never store passwords as plain text; this is extremely bad security practice. Use hashing and salting. Specifically, use bcrypt.
  • Please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. Use MySQLi or PDO instead.
  • You are wide open to SQL injection.
Community
elixenide
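An added example (not from the question or any answer) of the pointers in the answer above: a PDO prepared statement combined with bcrypt via password_hash()/password_verify(). The check_login() helper, the sample user, and the in-memory SQLite DSN are assumptions chosen so the script runs offline; on WampServer the DSN would be a mysql: one.

```php
<?php
// Added example, not code from the question or answers.
// Assumption: the `password` column stores a password_hash() value, not plain text.

function check_login(PDO $pdo, string $uname, string $pass): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password FROM user_data WHERE username = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();   // false when no such user exists

    // Verify against a dummy hash for unknown users so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_BCRYPT);
    $ok = password_verify($pass, $hash !== false ? $hash : $dummy);

    return $ok && $hash !== false;
}

// Constructed demo data in an in-memory SQLite database (hypothetical user).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_data (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO user_data VALUES (?, ?)')
    ->execute(["o'brien", password_hash('correct horse', PASSWORD_BCRYPT)]);

$attempts = [
    ["o'brien", 'correct horse'],   // valid login; the quote in the name is just data
    ["o'brien", 'wrong'],           // wrong password
    ['nobody',  'correct horse'],   // unknown user
];
foreach ($attempts as [$u, $p]) {
    printf("%-8s / %-13s => %s\n", $u, $p, check_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```

With string concatenation, as in the question, a username containing a single quote would break the query; with the placeholder it is matched as an ordinary value.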
0

You were incorrectly using single quotes around the table name in your SQL - you should use backticks instead. Also, there was no check for POSTed variables. Ideally though, to avoid heartache in the future, look at migrating to use either mysqli or PDO. At the very least try some basic filtering of provided POST data.

<?php 
    session_start();
    include_once("sql_connect.php"); 

    // Only run the lookup when both form fields were submitted
    if( isset( $_POST['usernameinput'] ) && isset( $_POST['passwordinput'] ) ){
        // Escape the values before they are concatenated into the query
        $uname = mysql_real_escape_string( $_POST['usernameinput'] );
        $pass = mysql_real_escape_string( $_POST['passwordinput'] );
        $_SESSION['currentuser']=$uname;

        $sql = "SELECT * FROM `user_data` WHERE `username`='".$uname."' and  `password`='".$pass."';";
        $query = mysql_query( $sql );

        $result = mysql_fetch_array( $query );
        // Parenthesise the whole ternary: "." binds tighter than "?:"
        header( 'location: ' . ( $result[0]>0 ? 'Ghome.php' : 'loginform_er_incorrectlogpass.php' ) );
    }
?>
Professor Abronsius