I am having trouble with my login form. I am trying to make the user log in with their email address, password and a passphrase; however, it is not letting me log in, even though I am using correct credentials.

Here is my code:

    <?php
    //set vars
    $userM = $_POST['userM'];
    $passphrase = $_POST['passphrase'];
    $pword = $_POST['pword'];

    if ($userM&&$pword&&$passphrase)
    {
        //connect to db
        $connect = mysql_connect("localhost","cl49-XXX","XXX") or die("not connecting");

        $query = mysql_query("SELECT * FROM member WHERE email='$userM'");

        $numrows = mysql_num_rows($query);

        if ($numrows!=0)
        {
            //while loop
            while ($row = mysql_fetch_assoc($query))
            {
                $email = $row['email'];
                $password = $row['password'];
                $passphrase = $row['passphrase'];
            }

            die("incorrect username/password/passphrase!");
        }
        else
            echo "user does not exist!";
    }
    else
        die("please enter a username and password along with passphrase!");
    ?>

When I fill out the login form with the correct data I am shown user does not exist!

Can anyone help?

  • Cleanse your input, there be security holes :o – Connor Tumbleson Nov 17 '13 at 18:15
  • Your script is vulnerable to SQL injections, you should [fix that](http://stackoverflow.com/q/60174/53114). – Gumbo Nov 17 '13 at 18:17
  • Does $userM exist in member table? This is the first checking. – jacouh Nov 17 '13 at 18:22
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Nov 17 '13 at 18:22

1 Answer

You have forgotten mysql_select_db():

    //...
    $connect = mysql_connect("localhost","cl49-XXX","XXX") or die("not connecting");

    // this call is missing:
    mysql_select_db("MyDataBase");

    $query = mysql_query("SELECT * FROM member WHERE email='$userM'");
    $numrows = mysql_num_rows($query);

    //...

Moreover, as suggested in the comments, all your code should be converted to PDO or MySQLi.

jacouh
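
The PDO conversion the answer recommends, as an added example that is not code from the question or the answer: the database is named in the DSN and the email lookup uses a prepared statement. The `checkLogin` function, the assumption that the `password` and `passphrase` columns hold `password_hash()` output, and the in-memory SQLite stand-in (needs the `pdo_sqlite` extension) are illustrative choices, not details from the page.

```php
<?php
// Added example: the lookup from the question rewritten with PDO and a
// prepared statement. Assumption: the password and passphrase columns hold
// password_hash() output, which the original page does not state.

function checkLogin(PDO $pdo, string $email, string $pword, string $passphrase): bool
{
    // The placeholder keeps $email out of the SQL text, so quotes in it are data.
    $stmt = $pdo->prepare('SELECT password, passphrase FROM member WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // no such user; callers show one generic failure message
    }
    // Evaluate both checks so a wrong password and a wrong passphrase look the same.
    $okPassword = password_verify($pword, $row['password']);
    $okPassphrase = password_verify($passphrase, $row['passphrase']);
    return $okPassword && $okPassphrase;
}

// With MySQL the database is named in the DSN, so there is no separate
// select step to forget (credentials below are placeholders):
//   $pdo = new PDO('mysql:host=localhost;dbname=MyDataBase;charset=utf8mb4', 'USER', 'PASS');
// For a run without a server, the same code is exercised on in-memory SQLite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (email TEXT PRIMARY KEY, password TEXT, passphrase TEXT)');

// Constructed sample row.
$insert = $pdo->prepare('INSERT INTO member VALUES (?, ?, ?)');
$insert->execute([
    'alice@example.com',
    password_hash('correct-pw', PASSWORD_DEFAULT),
    password_hash('blue horse staple', PASSWORD_DEFAULT),
]);

var_dump(checkLogin($pdo, 'alice@example.com', 'correct-pw', 'blue horse staple'));
var_dump(checkLogin($pdo, 'alice@example.com', 'wrong-pw', 'blue horse staple'));
var_dump(checkLogin($pdo, "' OR '1'='1", 'x', 'x'));
```

Only the first call passes; the third input is looked up literally as an email address and matches no row.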