-4
<?php
session_start();
include_once ('connection.php');

if (isset($_POST['login'])){
    $uemail = $_POST['email'];
    $upassword = $_POST['password'];
 }

    $query = "SELECT * FROM users WHERE email = $uemail and password = $upassword";
    $result = mysqli_query($connection, $query);  


    if(mysql_num_rows($query) == 1){
        $_SESSION['email'] = $email;
        header('Location: newfeeds.php');
        exit();

      }else{
        while ($row = mysql_fetch_assoc($result)) {
        echo $row["email"];
        echo $row["password"];
        }
    }
    ?>

I have php manual it says stop using sql and replaced sqli but that didn't work. It throwing an errors.

Connected Successfully Fatal error: Call to undefined function mysql_num_rows() in D:\XAMPP\htdocs\codeinventor\login.php on line 14

A.L
  • 10,259
  • 10
  • 67
  • 98
Alzira Barretto
  • 153
  • 1
  • 9
  • 1
    Change to mysqli_num_rows(). Your query is not safe or secure. Look into prepared statements – Jack Mar 15 '16 at 17:06
  • Also see http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php?rq=1 – MECU Mar 15 '16 at 17:11
  • 2
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Mar 15 '16 at 17:28
  • 1
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 15 '16 at 17:28
  • 1
    Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Mar 15 '16 at 17:28
  • You're mixing `mysql_*` and `mysqli_*` functions, which doesn't work. – Jay Blanchard Mar 15 '16 at 17:29

3 Answers3

1

Change all the mysql_* functions to mysqli_* functions.

MECU
  • 770
  • 1
  • 11
  • 25
0

You can't use mysql and mysqli together. They are separate APIs and the resources they create are incompatible with one another. So Replace mysql_* with mysqli_* will help!

Shashank Shah
  • 2,077
  • 4
  • 22
  • 46
0

I agree with all here that you should change all the mysql_* functions to mysqli_* functions.

To your code with mysql API. Please use the following code:

<?php
session_start();
include_once ('connection.php');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {

   if ($_POST['email'] != "" AND $_POST['password'] != ""){

      $uemail = $_POST['email'];
      $upassword = $_POST['password'];

      $query = "SELECT * FROM users WHERE email = '$uemail' and password = '$upassword'";

      $result = mysqli_query($connection, $query);

      if(mysql_num_rows($query) == 1){

        $_SESSION['email'] = $email;
        header('Location: newfeeds.php');
        exit();

      }else{

         while ($row = mysql_fetch_assoc($result)) {

           echo $row["email"];
          echo $row["password"];

        } 
      }
   }else{

     echo "mail or password is not valid";
   }

}else{

 echo "The form has been not submitted";

}


    ?>

If one user has entered the following string as username:

' or uid like '%admin%

Your query will be like this:

  $query = "SELECT * FROM users WHERE email = '' or uid like '%admin%' and password = '$upassword'";

That's why we told you you have to change all the mysql_* functions to mysqli_* functions.

Basti
  • 261
  • 3
  • 7