0

What is physically wrong with this code.

<?php
require "conn.php";
$user_name = "1234";
$user_pass = "4321";
$mysql_qry = "SELECT * FROM employee_data WHERE username like '$user_name' 
&& password like '$user_pass';";
$result = mysqli_query($conn, $mysql_qry);
if(mysqli_num_rows($result > 0) {
echo "login success";
}
else{
echo "login not success";
}

?>

(when I run it on the local host, there is nothing there [localhost/login.php])

  • check for errors! (mysqli_error) – Jeff Jul 06 '17 at 10:27
  • all of the username and password are in the mysql database –  Jul 06 '17 at 10:27
  • What errors are you talking about? –  Jul 06 '17 at 10:28
  • the errors you'll get back from mysqli if the query fails. Also enable [php error_reporting](http://php.net/manual/en/function.error-reporting.php) – Jeff Jul 06 '17 at 10:30
  • You see nothing because the comilation fails. Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser. – RiggsFolly Jul 06 '17 at 10:36
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 06 '17 at 10:37
  • Please be a bit more specific. I am a beginner. –  Jul 06 '17 at 10:40
  • Apart from the missing bracket after if(mysqli_num_rows($result) > 0) reported by Atal Prateek, your code is trivially exploitable by an attacker in two ways: Bypass the check by using a password of % which is a meta-character for LIKE. The second way is to exploit the username by SQL Injection - you should be using prepared statements to avoid that, google the term or find info on it on stackoverflow e.g. https://stackoverflow.com/questions/16282103/php-mysqli-prevent-sql-injection. Also, remove the ending semicolon from the query you don't need it. – Adder Jul 06 '17 at 10:41

3 Answers3

0

You have a missing bracket in if statement after '$result'. it should be

if(mysqli_num_rows($result) > 0)
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Atal Prateek
  • 541
  • 3
  • 7
0

you should remove ; from the query string

before

"SELECT * FROM employee_data WHERE username like '$user_name' 
&& password like '$user_pass';";

after
and also you can use && or and keyword

 "SELECT * FROM employee_data WHERE username like '".$user_name."' 
and password like '".$user_pass."'";

and write syntax near if condition missing rounded bracket

if(mysqli_num_rows($result) > 0) {
echo "login success";
}
else{
echo "login not success";
}
Bhargav Chudasama
  • 6,928
  • 5
  • 21
  • 39
0

Try this:

<?php
require "conn.php";
$user_name = "1234";
$user_pass = "4321";
$mysql_qry = "SELECT * FROM employee_data WHERE username like '$user_name' 
               && password like '$user_pass';";
$result = mysqli_query($conn, $mysql_qry);
if(mysqli_num_rows($result) > 0) {
   echo "login success";
}
else{
   echo "login not success";
}
?>

you had one problem. Refer http://php.net/manual/en/mysqli-result.num-rows.php

if(mysqli_num_rows($result) > 0)
Vasanth
  • 443
  • 7
  • 16