•  02-07-2021
  •  | 
  •  

Question

I have been trying for the past four days to get this working. It's just a simple logon page, where no sensitive information is stored, but I'm having problems with the PHP.

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname = $_POST["login"];
    $pword = $_POST["pass"];
    $uname = htmlspecialchars($uname);
    $pword = htmlspecialchars($pword);
    $user_name = "bradf294_access";
    $password = "********";
    $database = "bradf294_clients";
    $server = "localhost";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);
    print(mysql_errno());
    print($db_found);
    if(isset($db_found)){
        print($db_found."Success");
        $SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
        $result = mysql_query($SQL);
        print("Query made");
        print(mysql_errno());
        if ($result) {
            print("result:".$result);
        }
        else {
            print("Incorrect Login Details");
        }
        if ($result > 0) {
            print("found user");
            $errorMessage= "logged on ";
            session_start();
            $_SESSION['login'] = "1";
            header ("Location: progressuser.php");
        }
        else {
            print("Invalid Logon");
        }
    } else {
        print("Database not found. The Webmaster has been notified. Please try again   later");
        $subject = "Automated login error" ;
        $message = "An error occured whilst trying to connect to the MySQL database, to login to the progress checker" ;
        mail("a-bradfield@bradfieldandbentley.co.uk", $subject, $message);
    }

From the output on the page which I've been using to debug, it appears to be the lines which don't seem to be working, which are giving a 1054 error - "Unknown column '%s' in '%s'"

$SQL = "SELECT * FROM basicinfo WHERE ref = $uname AND pass = $pword";
$result = mysql_query($SQL)

even though I copied and pasted the $SQL string into phpMyAdmin and it worked perfectly?

Is there anything blatantly obvious I'm doing wrong? Go to http://www.bradfieldandbentley.co.uk/test/progress.php and enter the details Reference: TST001 and pass: dnatbtr121 to see the output for yourselves.

Was it helpful?

Solution

You need to quote out the variables:

$SQL = "SELECT * FROM basicinfo WHERE ref = '$uname' AND pass = '$pword'";

HOWEVER

The mysql_* functions are being deprecated - you should look at moving to PDO or mysqli_* instead. Those both make it a lot easier for you to write secure code, as well as fixing the quoting problem for you.

OTHER TIPS

Should the value in your WHERE conditions not be surrounded by quotes, like in a normal MySQL statement? Yes. Also, you are going to get a bunch of comments about SQL injection.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top