
I have my process login set up, but when I'm trying to change rows to 0 nothing appears so I keep on having to leave the code as 1.

    <?session_start();
    $usid=$_SESSION["usersid"];
    include "conninfo.php";

    $username=$_POST["username"];
    $password=$_POST["password"];

    $username = stripslashes($username);
    $password = stripslashes($password);

    $query="SELECT * 
              FROM login 
             WHERE username like '$username' AND 
                   password like '$password'"; 
    $result=mysql_query($query);
    $rows=mysql_num_rows($result);

    if($rows==1)// change to 0 once login is working
    {
        $_SESSION["username"]=$username; //greeting
        $r=mysql_fetch_array($result);  
        $usersid=$r["usersid"];
        $_SESSION["usersid"]=$usersid;

        header('Location: index.php');
    } else {
        echo "The username and or password you have entered is not recognised";
    }
    ?>
Prix
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). Additionally, you shouldn’t use `LIKE` comparison, otherwise one could log in using `%` for username and/or password. – Gumbo Mar 23 '14 at 09:45
  • This is *not* the right way to handle passwords ever. – Anthony Mar 23 '14 at 09:47
  • `if($rows==1)` means the user and password is correct. Why do you want to change to 0? – ray Mar 23 '14 at 09:48
  • You **should NOT** match the password on the query and **you SHOULD NOT save password as plain text**. Match only the username and not using LIKE as to avoid ambiguous results and after with the result verify if the password is valid. – Prix Mar 23 '14 at 09:51
  • Sorry if I seem a bit thick, but this is how I was taught by my teacher. – user3414573 Mar 23 '14 at 09:52
  • @user3414573 [here is a fine example of login using MySQLi and prepared statements](http://stackoverflow.com/a/18971788/342740). I am sorry if your teacher taught it with a deprecated library and using `stripslashes` he should go back to school. – Prix Mar 23 '14 at 09:54
  • Are you doing a course from a virtual university? Because they make students use mysql for the basic course. – M.chaudhry Mar 23 '14 at 10:10

1 Answer

You should to use `if($rows == 0)` to set the session. You have to use `if($rows > 0)` or `if($rows == 1)`, then set the session. A few things you have to check, like the following:

  • Check whether the form is submitted or not.
  • Use some encryption token to check this form is submitted from your website.
  • Use captcha.

    So only the process will work. Use this code.

    <?php
    session_start();
    include "conninfo.php"; // opens the MySQL connection, as in the question

    if(isset($_POST['submit_button']))  {  // check that the form was submitted
        // escape the submitted values before placing them in the query
        $username=mysql_real_escape_string($_POST["username"]);
        $password=mysql_real_escape_string($_POST["password"]);

        $query="SELECT * FROM login WHERE username ='$username' AND password ='$password'";
        $result=mysql_query($query);

        $rows=mysql_num_rows($result);

        if($rows  > 0 ) // a matching row was found
        {
            $_SESSION["username"]=$username; //greeting
            $r=mysql_fetch_array($result);
            $usersid=$r["usersid"];
            $_SESSION["usersid"]=$usersid;

            header('Location: index.php');
        } else {
            echo "The username and or password you have entered is not recognised";
        }
    }
    ?>
    
Ananth
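
The comments under the question recommend matching on the username only, with `=` through a prepared statement, and then verifying the password against a stored hash instead of plain text. An added example of that flow, not code from any poster on this page; the in-memory SQLite database (standing in for the MySQL `login` table), the `password_hash` column, the `verify_login()` helper and the sample user are assumptions constructed for the example:

```php
<?php
// Added example with constructed data. In-memory SQLite stands in for the
// MySQL `login` table; `password_hash` and verify_login() are hypothetical.
declare(strict_types=1);

function verify_login(PDO $db, string $username, string $password): ?int
{
    // Exact match on the username only; the value is bound, never concatenated.
    $stmt = $db->prepare('SELECT usersid, password_hash FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so both paths
    // cost one hash computation.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummy;

    $ok = password_verify($password, $hash);
    return ($row && $ok) ? (int) $row['usersid'] : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (usersid INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO login (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // wrong password
    ['%', '%'],                   // wildcard that LIKE would have matched
    ["' OR '1'='1", 'x'],         // quote-breaking input, treated as data
];
foreach ($attempts as [$user, $pass]) {
    $id = verify_login($db, $user, $pass);
    printf("%-14s => %s\n", var_export($user, true), $id === null ? 'rejected' : "usersid $id");
}
// On success the calling page would run session_regenerate_id(true) and then
// set $_SESSION["usersid"] before redirecting.
```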