I'm trying to write some code that will connect to a database called 'user' and find data from the 'password' field. I've got this PHP written so far:

```php
$passw = $_POST['pass'];
$user = $_POST['user'];
$users_password_db = "SELECT password FROM 'user' WHERE username=$user";

$result = $mysqli->query($users_password_db);
if ($passw != $result) {
    $errors[] = "Incorrect username or password. Please try again, or contact the admin for support.";
} else {
    header('Location: /dashboard.php');
}
```

However, every time I log in with my correct username and password, it says that the password is wrong. I don't think this is a connection error, since I can add data into the database okay.

I'm just beginning with SQL, so sorry if this is an obvious question.

  • 'user' is a string. Perhaps you meant \`user\`, or just user – Strawberry Oct 27 '14 at 17:44
  • Is there any encryption in your `password` field? – Ronak Patel Oct 27 '14 at 17:44
  • `$mysqli->query()` returns a mysqli_result object, not the value of `password`. You must fetch the row `$row = $result->fetch_assoc()`, then your value is `$row['password']` – Michael Berkowski Oct 27 '14 at 17:44
  • Please read through [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Your script is currently vulnerable and since you are using MySQLi, now is the time to begin learning to use `prepare()/execute()` and bind `$user` with a `?` placeholder. This will solve both the security problem and the current quoting problem. – Michael Berkowski Oct 27 '14 at 17:45
  • password with char field? – SMA Oct 27 '14 at 17:46
  • Then, the next important step is to improve your password storage for your users' security. See [How do you use bcrypt for hashing passwords in PHP?](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) to begin learning modern & secure ways of storing the password – Michael Berkowski Oct 27 '14 at 17:47

1 Answer

Make sure the username and password variables are correctly named both in your PHP code and the database. Capitalization matters!

Todd Matthews
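Added example, not part of the original thread: the login check from the question rewritten along the lines the comments suggest, with a prepared statement and `?` placeholder, the row fetched with `fetch_assoc()`, and the password checked with `password_verify()`. It assumes the `user` table has `username` and `password` columns and that `password` holds `password_hash()` output; the function name `check_login` and the connection values are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: true only if $user exists and $pass matches the stored hash.
 * Assumes `user`.`password` was written with password_hash().
 */
function check_login(mysqli $mysqli, string $user, string $pass): bool
{
    // Backticks quote an identifier; 'user' in single quotes is a string literal.
    $stmt = $mysqli->prepare('SELECT `password` FROM `user` WHERE `username` = ?');
    $stmt->bind_param('s', $user);   // the value travels separately from the SQL text
    $stmt->execute();

    // query()/get_result() return a mysqli_result object, not the column value,
    // so the row has to be fetched. get_result() needs the mysqlnd driver.
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();

    if ($row === null) {
        return false;   // unknown username
    }
    // Compares the submitted password against the stored hash.
    return password_verify($pass, $row['password']);
}

// Runs only for a form POST, so the file can be loaded without side effects.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Placeholder connection values; substitute your own.
    $mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    $errors = [];
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';

    if (is_string($user) && is_string($pass) && check_login($mysqli, $user, $pass)) {
        header('Location: /dashboard.php');
        exit;   // stop here so nothing after the redirect is executed
    }
    // Same message for unknown user and wrong password.
    $errors[] = 'Incorrect username or password. Please try again, or contact the admin for support.';
}
```

Existing rows that store plain-text passwords will not pass `password_verify()`; they need to be re-stored with `password_hash()` first.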