-3

```php
<?php
$user = filter_input(INPUT_POST, 'username');
$pass = filter_input(INPUT_POST, 'password');

$conn = new mysqli('localhost', 'root', '', 'webexam');

if (mysqli_connect_error()) {
    die('Connect Error (' . mysqli_connect_errno() . ') '
        . mysqli_connect_error());
} else {
    $sql = "SELECT username FROM account WHERE username='$user' AND password='$pass'";

    if ($user == $sql) {
        echo "LOGIN success";
    } else {
        echo "Check yo password";
    }
}

?>
```

I am planning to do a login and registering system. The registering side is complete, but it seems like there is a problem on the login side. Currently I am trying to compare the username that was inserted and the username that is in the DB. But it is a no go, please help. Thank you in advance.

Meld
  • 19
  • 5
  • 2
    Never store plain text passwords. Learn about prepared statements to prevent SQL injection. Have you tried printing out the SQL statement and taking a look at whether it is what you expect? – Jens Nov 16 '19 at 02:09
  • 1
    You're not actually executing the query. And you should be using a prepared statement to protect yourself from SQL injection. And you should not be storing passwords in plain text, use `password_hash` and `password_verify` instead. – Nick Nov 16 '19 at 02:12
  • Hello Meld. It is very good you are trying to learn. Unfortunately, the tutorials you are using are severely outdated and outright dangerous. Please see [how to connect](https://phpdelusions.net/mysqli/mysqli_connect) and [how to select](https://phpdelusions.net/mysqli_examples/prepared_select) properly – Your Common Sense Nov 16 '19 at 08:02
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 16 '19 at 18:40
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Nov 16 '19 at 18:40
  • Please read: [Should we ever check for mysqli_connect() errors manually?](https://stackoverflow.com/q/58808332/1839439) – Dharman Nov 16 '19 at 18:40
  • Does this answer your question? [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement) – Dharman Nov 16 '19 at 18:41

1 Answer

-1

Use a query like

```php
$sql="SELECT username FROM account WHERE username='$user' AND password='$pass'";
$result = mysqli_query($conn, $sql);
```

After that, check the result array with the help of print_r, like

```php
print_r($result);
```

After that, compare the user condition.

A.Jain
  • 60
  • 8
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 16 '19 at 18:40
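
The login check the comments describe (execute the query, bind the username through a prepared statement, compare the password with `password_verify()`), as an added example that is not part of the original thread. It assumes the registration script stores `password_hash($pass, PASSWORD_DEFAULT)` in `account.password`; the helper name `check_login` is hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumption: registration stores password_hash($pass, PASSWORD_DEFAULT)
// in account.password (a VARCHAR(255) column), never the raw password.

// Have mysqli throw exceptions, so no manual connect/query error checks.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// check_login() is a hypothetical helper name.
function check_login(mysqli $conn, string $user, string $pass): bool
{
    // The ? placeholder sends $user as data, never as part of the SQL text.
    $stmt = $conn->prepare('SELECT password FROM account WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();              // the step missing from the question
    $stmt->bind_result($hash);
    $found = $stmt->fetch();       // true when a row exists, null when none
    $stmt->close();

    // Unknown user and wrong password give the caller the same result.
    return $found === true && password_verify($pass, $hash);
}

$user = filter_input(INPUT_POST, 'username');
$pass = filter_input(INPUT_POST, 'password');

// filter_input() returns null when the field is absent from the POST body.
if (!is_string($user) || !is_string($pass)) {
    http_response_code(400);
    exit('Missing username or password');
}

// Connection values as given in the question.
$conn = new mysqli('localhost', 'root', '', 'webexam');
$conn->set_charset('utf8mb4');

echo check_login($conn, $user, $pass) ? 'LOGIN success' : 'Check yo password';
```

Rows that still hold plain-text passwords will not pass `password_verify()`; those accounts need a password reset or re-registration once the registration side hashes on insert.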