[Solved] PHP Login & MySql Query


There are a few problems with your script.

First off, you start by using PDO to connect to the database, then you use mysql_* functions (which are deprecated, stick to PDO !!!). Plus, you are not properly escaping your data, and your code is potentially vulnerable to SQL injection.

Secondly, the query you are using is … not good.

// this is not checking for either the user input data !!!
$qry = "SELECT login FROM users WHERE login = 'admin'"; 

Your verification code should be something like this:

$ps = $bdd->prepare("SELECT COUNT(*) FROM users WHERE login = :login AND pass = :password");
$params = array("login" => $_POST['login'], "password" => $_POST['password']);
$ps->execute($params);

$status = (bool) $ps->fetchColumn(0);

if ($status) {
    // login successful
} else {
    // login failed
}  

Read up on PDO and prepared statements (they automatically escape your data, so you don’t have to).

Note:

If you don’t use prepared statements in future code, remember to always escape input from users and pretty much any other source of information.

0

solved PHP Login & MySql Query