I've tried getting this to work for an hour now, but every time the if-statement returns as false. When I change count to "count == 0" it works, but otherwise I am not able to get it to work. :/

    <?php
        $database = "passwords";

        if ($_SERVER["REQUEST_METHOD"] == "POST") {
            $passord = test_input($conn,$database,$_POST["passord"]);

            $sql = "SELECT id FROM passwords WHERE passord = '$passord'";
            $result = mysqli_query($conn,$database,$sql);
            $count = mysqli_num_rows($result);
            echo('<script>console.log("connected successfully");</script>');
            if($count == 1) {
                 header("location: stemmegivning.php");
            }
            else {
                echo '<script type="text/javascript">wrongPw ()</script>';

            }
        }
        function test_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }
    ?>
  • What do you get back with `$result`? Can you share the value of that variable? Where is `$conn` coming from? – Sam May 29 '18 at 18:00
  • You should always try to add some error handling into your mysqli process so you can check for other problems like a failure of connection or bad query in my opinion. This may or may not be your issue, but may save you some time. – dmgig May 29 '18 at 18:01
  • Why do you send $conn and $database to your test_input function? It only takes one argument. – Droow May 29 '18 at 18:02
  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton May 29 '18 at 18:05

1 Answer

Do you mean to be using "passord" in location, or should that be "password"? You should only be passing one argument into your "test_input" function.

You shouldn't need to pass in your database variables because those are being supplied by you. The variable $passord should then look like this:

    $passord = test_input($_POST["passord"]);

Your query statements should look like this:

    $conn = mysqli_connect("[host]","[username]","[password]","[database]");
    $sql = "SELECT id FROM passwords WHERE passord = '$passord'";
    $result = mysqli_query($conn, $sql);
    $count = mysqli_num_rows($result);
  • Here's some helpful links for the stuff above: [mysqli_query](https://www.w3schools.com/php/func_mysqli_query.asp) [mysqli_connect](https://www.w3schools.com/php/func_mysqli_connect.asp) – HyperTextCoffeePot May 29 '18 at 19:45
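The fix above still interpolates `$passord` straight into the SQL string, which is the injection risk raised in the comments. As an added example (not the asker's or answerer's code), here is the same check written with a mysqli prepared statement and the error reporting dmgig suggested; it assumes `$conn` is an already-open mysqli connection and uses the `passwords` table and `passord` column from the question.

```php
<?php
// Added example: login check with a bound parameter and explicit error handling.
// Assumes $conn is an existing mysqli connection (e.g. from mysqli_connect).

// Make mysqli throw exceptions on connection/query failure instead of silently
// returning false, so a bad query cannot be mistaken for "no matching row".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function test_input(string $data): string {
    // Only trim the value. stripslashes/htmlspecialchars are output escaping;
    // they are not needed for a value that is sent to the database as a bound parameter.
    return trim($data);
}

function password_matches(mysqli $conn, string $passord): bool {
    // The value is bound with "?" and never concatenated into the SQL text,
    // so quotes or comment sequences in the input cannot change the query.
    $stmt = $conn->prepare("SELECT id FROM passwords WHERE passord = ?");
    $stmt->bind_param("s", $passord);
    $stmt->execute();
    $stmt->store_result();
    $count = $stmt->num_rows;
    $stmt->close();
    return $count === 1;
}

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $passord = test_input($_POST["passord"] ?? "");
    try {
        $ok = password_matches($conn, $passord);
    } catch (mysqli_sql_exception $e) {
        // Log the real error server-side; do not echo it to the browser.
        error_log("login query failed: " . $e->getMessage());
        http_response_code(500);
        exit;
    }
    if ($ok) {
        // Redirect before any output is sent; once something has been echoed
        // the Location header can no longer be set.
        header("Location: stemmegivning.php");
        exit;
    }
    echo '<script type="text/javascript">wrongPw()</script>';
}
```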