please reference the user properties that you want to select the SQL queries using their post variables.
something like:
$username =$_POST['username'];
$password = password=$_POST['password'];
$stmt = $db->query("SELECT * FROM users where username="$username" and password= '$password'");
While this might solve your problem but Please do not
use this code in production for fear of sql inject,html scripting Attack etc.
You can better use Mysqli Prepared statement or better use PDO.
to sanitize against html elements attack, you can use strip_tags() function
Example
$username =strip_tags($_POST['username']);
$password = strip_tags(password=$_POST['password']);
Updated Answer
Option 1 using sessions
<?php
include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
if ($username == ''){
echo "username is empty";
exit();
}
if ($password == ''){
echo "Password is empty";
exit();
}
$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');
$result->execute(array(
':username' => $username, ':password' => $password));
$count = $stmt->rowCount();
$row = $result->fetch();
if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
echo "<script>window.location='dashboard.php'</script>";
//Initialize a session
session_start()
//Prevent session Fixation Attack using session generated Id;
session_regenerate_id();
// pass users info in a session if things where ok.
// Prevent xss Attack using Htmlspecialchar or htmlentities() functions
$_SESSION['name'] = htmlspecialchars($row['name']);
$_SESSION['username'] = htmlspecialchars($row['username']);
// Do not pass users password in a session
//$_SESSION['password']=htmlspecialchars($row['password']);
}
else {
echo "<font color=red>Either Username or Password is Wrong</font>";
}
?>
on dashboard.php you can now have the code below depending on your implementations…..
// initialize sessions
session_start();
// the the authenticated users parameters
Name: <?php echo $_SESSION['name']; ?><br>
userName: <?php echo $_SESSION['username']; ?><br>
option 2 No session usage
<?php
include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
if ($username == ''){
echo "username is empty";
exit();
}
if ($password == ''){
echo "Password is empty";
exit();
}
$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');
$result->execute(array(
':username' => $username, ':password' => $password));
$count = $stmt->rowCount();
$row = $result->fetch();
if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
//echo "<script>window.location='dashboard.php'</script>";
$name = htmlspecialchars($row['name']);
$username = htmlspecialchars($row['username']);
echo "userame: $username </br>";
echo "Name: $name </br>";
}
else {
echo "<font color=red>Either Username or Password is Wrong</font>";
}
?>
Let me know if you are having any issue. Remember the password in the code is not hashed. it assumes plain text password is in your database..
6
solved PHP PDO, request users name