-1

I am doing a login page. The admin.php page deals with the HTML of the login page, whereas the admin_log.php page deals with the validation, i.e. whether the data is present in the database or not.

admin.php
    <?php
    session_start(); // must run before any output is sent
    ?>
    <body style="background-color:lightgrey;">
    <h2>ADMIN LOGIN</h2>
    <form action="admin_log.php"  method="post">
     Username: <input type="text" name="username"  required="required">
    <br><br>
     Password: <input type="password" name="password" required="required">
    <br><br>
    <input type="submit" name="submit" value="Login">
    </form>



admin_log.php   
    <?php  
    include('custdb1.php');
    session_start();

    $user=mysqli_real_escape_string($conn,$_POST['username']);
    $pass=mysqli_real_escape_string($conn,$_POST['password']);
    $fetch=$conn->query("SELECT * FROM `info` WHERE username='".$user."' and password='".$pass."'");
    $_SESSION['info_username']=$user;
    header("Location:adm_prof.php");

    ?>

    <body style="background-color:lightgrey;">
abhi
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 02 '16 at 13:07
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 02 '16 at 13:07

2 Answers

0

Try this to check that the username and password can't be empty:

    <?php
    session_start(); // needed before writing to $_SESSION

    // Reject the request if either field is missing or empty
    if (($_POST['username'] ?? '') === '' || ($_POST['password'] ?? '') === '') {
        echo "Fill all data";
    } else {
        include('custdb1.php');

        $user = mysqli_real_escape_string($conn, $_POST['username']);
        $pass = mysqli_real_escape_string($conn, $_POST['password']);
        $fetch = $conn->query("SELECT * FROM `info` WHERE username='".$user."' and password='".$pass."'");
        $_SESSION['info_username'] = $user;
        header("Location:adm_prof.php");
    }
    ?>
ARUN G
  • actually i need to check whether the data is present in the database or not..and if the data is present then only i will allow the user access further to the other pages.. @ARUN.G – abhi May 02 '16 at 11:32
0

Try this:

        // Uses the mysqli connection ($conn) and the $user/$pass variables from admin_log.php
        $result = $conn->query("SELECT * FROM `info` WHERE username='".$user."' and password='".$pass."'");
        if($result && $result->num_rows > 0) { echo "Login success!"; }
        else { echo "User Not Found"; }
ARUN G
  • Why should the OP "try this"? A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard May 02 '16 at 13:06
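
Added example (not part of the original question or answers): one way to do the check the asker describes while following the comments above, using a prepared statement and `password_verify()`. It assumes `custdb1.php` defines `$conn` as a mysqli connection, as on the page, and that `info` has a hypothetical `password_hash` column populated with `password_hash()`.

```php
<?php
// admin_log.php, added example (not the asker's or answerers' code).
// Assumptions: custdb1.php sets $conn (mysqli); `info` has a hypothetical
// `password_hash` column written with password_hash() at account creation.

/** True only if the user exists and the password matches the stored hash. */
function credentials_valid(mysqli $conn, string $username, string $password): bool
{
    // The ? placeholder keeps user input out of the SQL text entirely,
    // so no escaping is applied to the username or the password.
    $stmt = $conn->prepare('SELECT password_hash FROM `info` WHERE username = ?');
    if ($stmt === false) {
        return false;                      // fail closed on a database error
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();               // true = row, null = no row, false = error
    $stmt->close();

    return $found === true && is_string($hash) && password_verify($password, $hash);
}

require 'custdb1.php';
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (is_string($username) && is_string($password)
    && $username !== '' && $password !== ''
    && credentials_valid($conn, $username, $password)) {
    session_regenerate_id(true);           // new session ID after login (fixation defence)
    $_SESSION['info_username'] = $username;
    header('Location: adm_prof.php');
    exit;                                  // do not run anything after the redirect
}

// Same message for unknown user and wrong password, so usernames are not revealed.
http_response_code(401);
echo 'Invalid username or password.';
```

Protected pages such as `adm_prof.php` would then call `session_start()` and send the visitor back to `admin.php` when `$_SESSION['info_username']` is not set.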