
I'm developing a PHP site right now. I was making the login page, and when I checked whether the login code works, it printed the whole prepare line.

output:

  prepare("select * from login_details where user = ? && pass= ?;");
  $stmt>bindValue(1, $name); $stmt->bindValue(2, $pass); $stmt->execute;
  $row = $stmt->fetchall(PDO::FETCH_ASSOC); while ($row) { echo "
  Failed
  "; } ?

and my code was:

  <body>
  <?php
  include 'connect.php';
  if (isset($_POST['username']) && isset($_POST['pass'])) {
      $name = htmlentities($_POST['username']);
      $pass = htmlentities($_POST['pass']);
  }
  $stmt = $dbh->prepare("select * from login_details where user = ? && pass= ?;");
  $stmt->bindValue(1, $name);
  $stmt->bindValue(2, $pass);
  $stmt->execute;
  $row = $stmt->fetchall(PDO::FETCH_ASSOC);
  while ($row) {
      echo "<h2>Failed</h2>";
  }
  ?></body>
  • Please go through your code, I'm sure some line wasn't properly ended – Mueyiwa Moses Ikomi May 19 '16 at 05:00
  • In mysql query - select * from login_details where user = ? AND pass= ?; use 'AND' instead of && – Afshan Shujat May 19 '16 at 05:01
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and never store passwords as plain-text. – tadman May 19 '16 at 05:09

1 Answer

 ("select * from login_details where user = ? and pass=? ");

It's "and", not "&&". You should not add a terminating semicolon to the statement.

Mueyiwa Moses Ikomi
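The answer above deals with the text of the query; tadman's comment is the security-relevant point. Two caveats first. MySQL does accept "&&" as a nonstandard synonym for AND, while SQLite and PostgreSQL do not, so AND is the portable spelling. And a page that prints its own PHP source starting from the first ">" after "<?php", which is exactly what the output in the question shows (the browser treats "<?php ... $dbh-" as one bogus tag and renders everything after the ">" as text), is a file the web server delivered without running it through PHP at all, so the file extension and the PHP handler are worth checking before touching the query.

The block below is an added example written for this page; it is not code from the question or the answer. It shows the same login check done the way a reviewer would want it: a PDO connection in exception mode so failed statements are visible, execute() called as a method, the row fetched once instead of inside a "while ($row)" loop that never ends, the raw POST values used unchanged (htmlentities() belongs at output time, and applying it before hashing silently changes the password), and the password stored with password_hash() and checked with password_verify() rather than compared inside the SQL. It runs offline against an in-memory SQLite database; the table and column names follow the question, while the user "alice", the test cases and the function names openDb(), registerUser() and checkLogin() are constructed for the example.

```php
<?php
// Added example for this page, not code from the question or the answer.
// Runs offline against an in-memory SQLite database. Table and column names
// follow the question; the user "alice", the test cases and the function
// names are constructed for this example.
declare(strict_types=1);

function openDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    // Fail loudly: the question's code never checked whether prepare() or
    // execute() succeeded, so a rejected statement produced no visible error.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE login_details (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    return $dbh;
}

function registerUser(PDO $dbh, string $name, string $password): void
{
    // Store a salted hash of the raw password, never the password itself and
    // never an htmlentities()-mangled copy of it.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $dbh->prepare('INSERT INTO login_details (user, pass) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function checkLogin(PDO $dbh, string $name, string $password): bool
{
    // Select by username only, in standard SQL with no trailing ";" inside
    // the statement. The password is verified in PHP against the stored
    // hash, not compared inside the WHERE clause.
    $stmt = $dbh->prepare('SELECT pass FROM login_details WHERE user = ?');
    $stmt->execute([$name]);               // execute() is a method call
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // one row or false
    if ($row === false) {
        return false;                      // unknown user
    }
    return password_verify($password, $row['pass']);
}

$dbh = openDb();
registerUser($dbh, 'alice', 'correct horse battery staple');

// The question decided the outcome with `while ($row)`, which loops forever
// on any non-empty result set; decide from a boolean instead.
$cases = [
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ["alice' OR '1'='1", 'anything'],      // injection attempt stays a bound literal
];
foreach ($cases as [$user, $pw]) {
    printf("%-20s %s\n", $user, checkLogin($dbh, $user, $pw) ? 'login ok' : 'Failed');
}
```

Run it with the php CLI (pdo_sqlite is bundled with most builds). The first case succeeds and the other two fail; the third fails because the bound parameter is sent as data, so the quote and OR never reach the SQL parser. Swapping 'sqlite::memory:' for the MySQL DSN from connect.php leaves the rest of the code unchanged.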