As stated in my username, I desperately need help, so sorry if it's a duplicate post!

I'm trying to do up a login page that redirects me to my home page if authentication fails, so my input will be cross-checked with the database (MySQL) and then output either successful or error. But the result always shows error. I'm pretty sure that it didn't go into my first if checking statement.

As shown below is my code:

```php
<?php
$servername = "localhost";
$username = "read";
$password = "projecttest";
$dbname = "test-member";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$password1 = $_POST["password"];
$username1 = $_POST["username"];

$chkpassword = " SELECT password FROM member WHERE password = $password1 ";
$chkusername = " SELECT username FROM member WHERE username = $username1";

if ($conn->query($chkpassword) == TRUE ) {
    echo "successful log in"
?>
<INPUT TYPE="hidden" NAME="redirect"
VALUE="http://localhost/IPproject_test1/home.php">
<?php
}

else if ($conn->query($chkpassword) == FALSE ) {
    echo "error";
}
$conn->close();
?>
```
**Danger** don't store your passwords as plain text. The public internet is crawling with cybercriminals. Lots of people call it the "dirty wire". Please *please* read this. http://php.net/manual/en/faq.passwords.php – O. Jones Mar 23 '18 at 18:46

1 Answer

The issue is your query.

Let's assume the user enters asdf1234 as the password. Your query would look like this:

```sql
SELECT password FROM member WHERE password = asdf1234
```

That will fail because MySQL thinks asdf1234 is a column. If you escape the string, it should work.

```php
$chkpassword = "SELECT password FROM member WHERE password = '{$password1}'";
```

So the query looks like this:

```sql
SELECT password FROM member WHERE password = 'asdf1234'
```

I still wouldn't check on == TRUE though, but on !== null

Realitätsverlust
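
An added example, not part of the original question or answer: the same login check with the input bound through a prepared statement and the password stored as a hash, as the comment under the question recommends. It assumes PDO with the SQLite in-memory driver so it runs without a server, and a hypothetical `password_hash` column in place of the plain-text `password` column; mysqli offers the same pattern through `prepare()` and `bind_param()`.

```php
<?php
// Added example. Assumptions: PDO + SQLite in-memory database, a hypothetical
// password_hash column, and constructed sample data.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Constructed sample row: only the hash is stored, never the password itself.
    $ins = $db->prepare('INSERT INTO member (username, password_hash) VALUES (?, ?)');
    $ins->execute(["o'brien", password_hash('asdf1234', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Look the row up by username. The ? placeholder keeps the input out of
    // the SQL text, so quotes or SQL keywords in it cannot change the query.
    $stmt = $db->prepare('SELECT password_hash FROM member WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user exists

    // Compare the submitted password against the stored hash in PHP,
    // instead of asking the database whether the password "exists".
    return is_string($hash) && password_verify($password, $hash);
}

$db = open_demo_db();
$attempts = [                              // constructed test inputs
    ["o'brien", 'asdf1234'],               // correct credentials
    ["o'brien", 'wrong-password'],         // known user, wrong password
    ['nobody',  'asdf1234'],               // unknown user
];

foreach ($attempts as [$user, $pass]) {
    if (check_login($db, $user, $pass)) {
        echo "$user: successful log in\n";
        // In the real page, redirect before sending any output:
        // header('Location: http://localhost/IPproject_test1/home.php'); exit;
    } else {
        echo "$user: error\n";
    }
}
```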