
Hello, I have been having some issues when using (trying to use) an if statement within my PHP program. I have looked at tutorials and didn't really understand, so I'm looking for someone to help me understand where I've gone wrong.

I am making a login system for my computer science project and would like to validate the username and password, which then moves on to another page or displays an error message. I understand my code isn't the best, but I'm only a beginner.

    <?php

    $username = "username";
    $password = "password";
    $hostname = "localhost";

    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    // connection to the MySQL server (the database that phpMyAdmin manages)
    $dbhandle = mysqli_connect($hostname, $username, $password, '1012405')
        or die("Unable to connect to MySQL");

    // query string built directly from the form fields
    $sqlLogin = "SELECT * FROM users WHERE email='" . $_POST['email'] . "'
        AND password='" . $_POST['email'] . "'";
    $log = mysqli_query($dbhandle, $sqlLogin) or die("Unable to insert to login");

    if $sqlLogin > 0{
        header('Refresh: 3; url=stockInputForBusiness.html');
    } else {
        echo "Incorrect Credentials";
    }

    ?>
trezremay
  • if statement is missing brackets `()` – Rotimi Apr 26 '17 at 11:15
  • You can't do `$sqlLogin > 0`. Hint: check the origin of `$sqlLogin`. – Rotimi Apr 26 '17 at 11:16
  • They should have taught you that you never, under any circumstances, directly post from your HTML form into your database, whether a simple search or save/update or delete. – Rotimi Apr 26 '17 at 11:17
  • Furthermore, you should take a look at SQL injection: http://stackoverflow.com/questions/601300/what-is-sql-injection#601524 – Eknoes Apr 26 '17 at 11:18
  • Hi, you have to write it like this: `if($sqlLogin){your condition}`. – Muhammad Umar Apr 26 '17 at 11:21
  • So the username is the same as the password? `$_POST['email']` for both. – Qirel Apr 26 '17 at 11:22
  • `$sqlLogin` is just a string; why are you using it in an `if` condition to check whether a user is authenticated/valid or not? Use the [`mysqli_num_rows()`](http://php.net/manual/en/mysqli-result.num-rows.php) function instead. And look at the issue @Qirel pointed out above ^. – Rajdeep Paul Apr 26 '17 at 11:25
  • You need more carriage returns in this code. – ZiTAL Apr 26 '17 at 11:32
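The comments above warn about SQL injection in the question's string-built query. The following is an added demonstration, not the asker's code, of what that warning means in practice: the query is built exactly the way the question builds it, fed a constructed attacker payload, and compared with a prepared statement. It runs against an in-memory SQLite database through PDO so no MySQL server is needed; the table, its columns and the sample user are constructed for this example, and the password is stored in plaintext only to mirror the question's schema.

```php
<?php
// Added demonstration (not the asker's code): why the concatenated query in
// the question is bypassable, and how a prepared statement closes the hole.
// Runs against an in-memory SQLite database through PDO so no MySQL server is
// needed; table, columns and the sample user are constructed for this example.

declare(strict_types=1);

function makeDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL)');
    // Plaintext password only to mirror the question's schema; real code stores a hash.
    $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)')
       ->execute(['alice@example.com', 'correct horse']);
    return $db;
}

// Same construction as the question: user input becomes part of the SQL text.
function buildUnsafeQuery(string $email, string $password): string
{
    return "SELECT * FROM users WHERE email='" . $email . "' AND password='" . $password . "'";
}

function loginUnsafe(PDO $db, string $email, string $password): bool
{
    $rows = $db->query(buildUnsafeQuery($email, $password))->fetchAll();
    return count($rows) > 0;
}

// Hardened form: the SQL text is fixed and the values travel separately as
// parameters, so nothing in them can change the structure of the query.
function loginPrepared(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ? AND password = ?');
    $stmt->execute([$email, $password]);
    return $stmt->fetch() !== false;
}

$db = makeDatabase();

// Constructed attacker input: the quote closes the email literal and "-- "
// turns the rest of the line, including the password check, into a comment.
$payload = "alice@example.com' -- ";

echo buildUnsafeQuery($payload, 'wrong'), PHP_EOL;
var_dump(loginUnsafe($db, $payload, 'wrong'));
var_dump(loginPrepared($db, $payload, 'wrong'));
var_dump(loginPrepared($db, 'alice@example.com', 'correct horse'));
```

Running this with `php` on the command line shows the query that actually executes for the payload, `... WHERE email='alice@example.com' -- ' AND password='wrong'`, whose password clause is a comment, so `loginUnsafe()` accepts a wrong password while `loginPrepared()` rejects the payload and accepts only the genuine pair. The `fetch() !== false` check is also the kind of test the question's `if $sqlLogin > 0` was reaching for: the decision has to be made on the result of the query, not on the query string. mysqli offers the same protection through `mysqli_prepare()` and `mysqli_stmt_bind_param()`.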

1 Answer


There is a lot of stuff to do in your code; you can find it and solve it one by one. The best thing is learning by trying. Here is my code for a login script; you can use it for reference.

    // assumes $link is an open mysqli connection created earlier in the script
    if(isset($_POST['submit']))
    {
        $email = $_POST['email'];
        $password = $_POST['password'];
        $email = addslashes($email);
        $password = addslashes($password);
        $email = mysqli_real_escape_string($link, $email);
        $password = mysqli_real_escape_string($link, $password);

        $seladmin = "SELECT id,UserName,Password FROM login WHERE email='$email' && Password='$password'";
        $SelRecAdmin = mysqli_query($link, $seladmin);

        $row = mysqli_fetch_array($SelRecAdmin);

        $tot_num_row = mysqli_num_rows($SelRecAdmin);
        if($tot_num_row > 0)
        {
            // echo "success";
        }
        else
        {
            // echo "unsuccess";
        }
    }
Ahmed Ginani
  • Please use prepared statements; your query is prone to SQL injection. Or, if you must, then at least escape the content before passing it into the query. – Niek van der Maaden Apr 26 '17 at 11:41
  • Thanks @NiekvanderMaaden – Ahmed Ginani Apr 26 '17 at 11:43
  • You should drop `mysqli_real_escape_string()` and `addslashes()` and utilize prepared statements with placeholders instead. You should also note that passwords should be hashed (`password_hash()`). – Qirel Apr 26 '17 at 13:19
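The two comments above ask for prepared statements with placeholders and hashed passwords; the answer's `addslashes()` followed by `mysqli_real_escape_string()` also escapes twice, so a password containing a quote or backslash is stored with extra backslashes. The following is an added example, not the answer's code, of the login written that way with the mysqli API the page uses. It assumes a table `users(id INT PRIMARY KEY, email VARCHAR(255) UNIQUE, password_hash VARCHAR(255))` and a reachable MySQL server; the function names and the connection values near the bottom are placeholders for this example. The password is never compared inside SQL: the row is fetched by email alone and `password_verify()` does the comparison in PHP.

```php
<?php
// Added example (not the answer's code): the login the comments ask for, built
// on mysqli prepared statements and password_hash()/password_verify().
// Assumes a table  users(id INT PRIMARY KEY, email VARCHAR(255) UNIQUE,
// password_hash VARCHAR(255))  and a reachable MySQL server; the connection
// values near the bottom are placeholders.

declare(strict_types=1);

// Make mysqli throw on errors instead of returning false, so nothing fails silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Store a new user. Only the hash ever reaches the database.
function registerUser(mysqli $db, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $stmt->close();
}

// Look the user up by email alone, then compare the password against the
// stored hash in PHP. Returns the user id on success, null otherwise.
function loginUser(mysqli $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Verify against a throwaway hash so an unknown email costs about the
        // same time as a wrong password; otherwise timing reveals valid emails.
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }
    if (!password_verify($password, $hash)) {
        return null;
    }
    // Transparently upgrade hashes created with an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
        $upd->close();
    }
    return (int) $id;
}

// Request handler in the shape of the original script.
if (isset($_POST['email'], $_POST['password'])) {
    $db = new mysqli('localhost', 'username', 'password', '1012405'); // placeholders

    $id = loginUser($db, (string) $_POST['email'], (string) $_POST['password']);
    if ($id === null) {
        http_response_code(401);
        echo 'Incorrect credentials';
        exit;
    }
    session_start();
    session_regenerate_id(true);   // fresh session id on login, against fixation
    $_SESSION['user_id'] = $id;
    header('Location: stockInputForBusiness.html');
    exit;
}
```

Two design points worth noting. A failed login returns the same message whether the email is unknown or the password is wrong, and the dummy `password_verify()` keeps the two cases close in time, so the form does not double as an email enumerator. And because the user id is stored in the session after `session_regenerate_id()`, the page the browser is redirected to can check `$_SESSION['user_id']` itself; the original `Refresh:` header alone would let anyone open `stockInputForBusiness.html` directly.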