Question

I'm trying to do a simple login, which compares the ID and password entered by the user with the data in the database.

//getting the inputs
$checkid = $_POST["id"];

$checkpassword = md5($_POST["pass"]);

//getting the id and password that match the inputs
$query = "SELECT id, password FROM login WHERE id=$checkid AND password=$checkpassword";

$res = mysqli_query($link, $query);

$nres = mysqli_num_rows($res);

//$nres should be 0 if the user inputs the right id but the wrong password
//or vice versa, the only way that $nres!=0 is that both inputs match the db, right?
if ($nres == 0) {
    header('Location: http://localhost:8888/login/login_fail.php');
} else {
    header('Location: http://localhost:8888/profile/profile.php');
}
exit();

It doesn't work: even if I put in the right ID and password that are in the database, it will redirect to login_fail.php. Note: it does work if I do it with just the ID and take " ,password" and "AND password = $checkpassword" out of the query. Help


Solution

Add quotes to your variables:

"SELECT id, password FROM login WHERE id='$checkid' AND password='$checkpassword'"
                                         ^        ^              ^              ^

Sidenote: Don't use md5, it's now insecure to use as password storage.

For password storage, either use bcrypt or PHP's password() function.

And see this article also

Also noted in comments by others, use mysqli_real_escape_string():

$checkid=mysqli_real_escape_string($link,$_POST['id']);
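
The points above (keeping user input out of the SQL string and not storing md5 hashes) combined into one login check, as an added example that is not part of the original answer. It assumes the `login` table from the question, with the `password` column holding `password_hash()` output; the function name `check_login` and the connection credentials are placeholders.

```php
<?php
// Added example. Assumptions: table `login` (id, password) as in the question,
// with login.password filled at registration by
//     password_hash($plain, PASSWORD_DEFAULT)
// instead of md5(). Connection credentials below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function check_login(mysqli $link, string $id, string $password): bool
{
    // The ? placeholder sends $id separately from the SQL text, so neither
    // quoting nor mysqli_real_escape_string() is needed.
    $stmt = $link->prepare('SELECT password FROM login WHERE id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true: row fetched, null: no such id
    $stmt->close();

    if ($found !== true) {
        return false;
    }
    // The password is never part of the WHERE clause: fetch the stored
    // hash by id, then let PHP compare it against the submitted password.
    return password_verify($password, $hash);
}

$link = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name');

$id   = $_POST['id']   ?? '';
$pass = $_POST['pass'] ?? '';

// is_string() rejects array input such as id[]=1 before it reaches the query.
if (is_string($id) && is_string($pass) && check_login($link, $id, $pass)) {
    header('Location: http://localhost:8888/profile/profile.php');
} else {
    header('Location: http://localhost:8888/login/login_fail.php');
}
exit();
```

Existing md5 rows cannot be verified this way; the stored values have to be replaced with `password_hash()` output, for example at each user's next password reset.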

OTHER TIPS

Try the query:

$query = "SELECT id, password FROM login WHERE id='".$checkid."' AND password='".$checkpassword."'";
Licensed under: CC-BY-SA with attribution