Question

So I've been fooling around on a very simple design for a database that has a feature to allow an admin to log in and edit some of the products. This is the current layout of getting the username and password from the log in form:

$manager = $_POST["username"]; 
$password = $_POST["password"];
$manager = stripslashes($manager);
$password = stripslashes($password);
$manager = mysql_real_escape_string($manager);
$password = mysql_real_escape_string($password);

I've created log in scripts before but for some reason I'm having trouble with this log in actually working. So I was checking what some variables were being passed as in order to see where the problem was occurring when I got to these lines:

echo "manager = " . $manager . "<br />";
echo "password = " . $password . "<br />";
$sql = "SELECT * FROM admin WHERE username='$manager' AND password='$password'";
echo $sql;

The output was:

manager = scott
password = password123
SELECT * FROM admin WHERE username='scott' AND password=''

where the $password variable was removed from the output of the $sql string. Any suggestions on why it is leaving out the $password variable?

Here is the HTML form code:

<form id="form1" name="form1" method="post" action="admin_login.php">
    Username:<br />
    <input name="username" type="text" id="username" size="40" />
    <br /><br />
    Password:<br />
    <input name="password" type="password" id="password" size="40" />
    <br /><br /><br />
    <input type="submit" name="button" id="button" value="Log In" />
</form>

Solution

To close this question:

SQL uses password() as a function and will not show a password for security reasons when using that word. Here's some documentation on it:

Therefore, use another name for the password variable.


Passwords

I also noticed that you are storing passwords in plain text. This is not recommended.

Use one of the following:

Other links:


Footnotes:

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.
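
The two recommendations in the answer above (do not store plain-text passwords, and move from mysql_* to PDO or mysqli), shown as an added example that is not part of the original answer. It assumes the pdo_sqlite extension, with in-memory SQLite standing in for MySQL so the script runs offline. The `check_login` helper, the `password_hash` column and the sample rows are constructed for illustration.

```php
<?php
// Added example with constructed data. In-memory SQLite stands in for MySQL
// (assumption: pdo_sqlite is enabled); with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Store a salted hash produced by password_hash(), never the plain-text password.
$insert = $pdo->prepare('INSERT INTO admin (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'scott', ':h' => password_hash('password123', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true when the credentials match a stored admin row.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so
    // stripslashes()/mysql_real_escape_string() are not needed.
    $stmt = $pdo->prepare('SELECT password_hash FROM admin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // The password is never compared in SQL; it is verified against the stored hash.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }

    // Re-hash transparently when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE admin SET password_hash = :h WHERE username = :u');
        $update->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

var_dump(check_login($pdo, 'scott', 'password123')); // correct credentials
var_dump(check_login($pdo, 'scott', 'wrong'));       // wrong password
var_dump(check_login($pdo, "o'brien", 'x'));         // a quote in the input is plain data
```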

OTHER TIPS

$sql = "SELECT * FROM admin WHERE username='" .$manager. "' And password='" .$password. "'";

Try this

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow