Question

Apologies, I know this is going to be a simple answer most likely, but looking for answers I think it's confusing me more than just asking the question, as there are so many, with confusing or sometimes contradictory answers.

My login script is working as far as connecting to the DB, submitting the $POST usr/pass getting the correct response back.

I now need to use those results to authenticate the user. So.. previously I would have used mysql_num_rows to count the DB response and if 1 then auth. But I appreciate that mysql_num_rows is deprecated and I found another post saying that this is also a weak way to do things now and that it should be avoided.

So what do I use instead?

<form id='login' action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method='post' accept-charset='UTF-8'>
        <fieldset >
        <legend>Login</legend>
        <input type='hidden' name='submitted' id='submitted' value='1'/>

        <label for='username' >UserName*:</label>
        <input type='text' name='username' id='username' value="" maxlength="50" />

        <BR />

        <label for='password' >Password*:</label>
        <input type='password' name='password' id='password' value="" maxlength="50" />
        <BR /> 
        <input type='submit' name='Submit' value='Submit' />

        </fieldset>
</form>

<?php

if(isset($_POST['submitted'])) 
 { 
    $postname = $_POST['username'];
    $postpass = $_POST['password'];
    $postpassMD5 = md5 ($postpass);

    $query = $dbcnx->query("SELECT uid, username, password, ulevel FROM members WHERE     username = '$postname' AND password = '$postpassMD5' ");
    $result = $query->fetch_object();

    $dbcnx->close();

 }
?>

Solution

Try to count your result array.

if(count($result) > 0 )
{
    // your code
}

OTHER TIPS

You can also do this to protect from MySQL injections:

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

Also check

$count = mysql_num_rows($result);
if ($count == 1)
{
    session_start();
    session_register('user_id');
    header("location:user_page.php"); // put your teacher page name here
}
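An added example, not part of the original question or answers: the login decision made from the fetched row itself, using a prepared statement and `password_verify()` instead of a row count or manual escaping. It uses PDO with an in-memory SQLite database so it runs without a server, which is a swap from the question's mysqli connection. The `authenticate` helper, the sample user, and the assumption that the `password` column holds `password_hash()` output rather than MD5 are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite table shaped like the question's
// `members` table. Assumption: `password` stores password_hash() output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, ulevel INTEGER)');
$db->prepare('INSERT INTO members (username, password, ulevel) VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

// Hypothetical helper: returns the member row on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?object
{
    // The placeholder keeps user input out of the SQL text, so no escaping
    // is needed. With mysqli: prepare(), bind_param('s', ...), execute(),
    // then get_result()->fetch_object().
    $stmt = $db->prepare(
        'SELECT uid, username, password, ulevel FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_OBJ); // false when no row matched

    // Decide on the fetched row, not on a row count: the user must exist
    // and the submitted password must verify against the stored hash.
    if ($row === false || !password_verify($password, $row->password)) {
        return null;
    }
    unset($row->password); // do not carry the hash into the session
    return $row;
}

// Constructed inputs: valid login, wrong password, username containing a quote.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ["o'neil", 'x']];
foreach ($attempts as [$name, $pass]) {
    $user = authenticate($db, $name, $pass);
    // On success a real page would call session_start(),
    // session_regenerate_id(true) and set $_SESSION['user_id'] = $user->uid.
    printf("%-8s %s\n", $name, $user ? "ok (uid {$user->uid})" : 'rejected');
}
```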
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow