
Here's the problem I'm having.

I've created a login page where the user enters his name and password to enter. The database has already been created and I store the entered login info in session variables.

On clicking submit, I redirect the user to the page where PHP accesses the MySQL database and searches it for the user name and password combination using the session variables.

And there is the problem. The session variables cannot access the database table entries.

Here is my code:

<?php
//starting the session
session_start();

//connecting to database and table "testdb"
@mysql_connect("localhost","root","") or die("no connect");
@mysql_select_db("testdb") or die ("no select");


//the session variables holding the username and password
//trying to access the entries in table named "table"
$sql="SELECT * FROM `table` WHERE name='.$_SESSION['uname'].' AND
pass='.$_SESSION['pass'].'";

$query=mysql_query($sql);

//printing the result which is just one entry
while($result=mysql_fetch_array($query))
{
    echo $result['name'].' ';
    echo $result['pass'];
}

?>

I don't know what the error is or if I'm using the syntax wrong. I've not written comments on the actual code... this is just an identical example :D

I'm not looking for alternatives because I'm in the learning stages as of now. So any fix to this code will be greatly appreciated.

PS: I don't know JavaScript.

  • In your die method try this: or die(mysql_error()); it will give the perfect error of what's going wrong! Commented Jul 4, 2013 at 14:02
  • I have actually used that.... this was just an example.... I'm now looking at how to make it SQL injection proof.... and looking at what PDO is.... thanks for the reply anyway... Commented Jul 6, 2013 at 7:23

3 Answers

Your string syntax is incorrect and this will actually generate a parse error.

$sql = "SELECT * FROM `table` WHERE name='" .$_SESSION['uname']. "' AND
pass = '" .$_SESSION['pass'] ."'";

You need to actually close the string before using $_SESSION['key'], or leave off the quotes so it will be interpolated.

This code is also highly vulnerable to injection. You should use parameterized queries with PDO.

$stmt = $pdo->prepare("SELECT * FROM `table` WHERE name = ? AND pass = ?");
$stmt->execute(array($_SESSION['uname'], $_SESSION['pass']));

1 Comment

I'm still not familiar with this concept of PHP... will look into it. Thanks for the help.... learning something new every day.
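To show the parameterized lookup this answer recommends end to end, here is an added example (not code from the question or from any answer) that uses an in-memory SQLite database through PDO so it runs without a MySQL server; the users table, the sample row and the inputs are constructed for the demonstration, and the plaintext password comparison mirrors the question rather than being a recommendation.

```php
<?php
// Added example: login lookup with a PDO prepared statement.
// The DSN below is SQLite so the script is self-contained; for the
// question's setup it would be "mysql:host=localhost;dbname=testdb".
function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently (cf. the @ in the question).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table and sample user; the question's real table is `table`.
    $pdo->exec("CREATE TABLE users (name TEXT NOT NULL, pass TEXT NOT NULL)");
    $pdo->exec("INSERT INTO users (name, pass) VALUES ('alice', 'secret')");
    return $pdo;
}

// Returns the matching row, or null when no row matches.
// $name and $pass are bound as parameters, so any quotes they contain
// are treated as data by the database, never as part of the SQL text.
// In the question these two values would come from $_SESSION.
function findUser(PDO $pdo, string $name, string $pass): ?array {
    $stmt = $pdo->prepare(
        "SELECT name, pass FROM users WHERE name = ? AND pass = ?"
    );
    $stmt->execute([$name, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
// Constructed inputs: a correct login, a wrong password, and a name
// containing a single quote, which would have broken the concatenated
// query from the question but is simply a non-existent user here.
$attempts = [['alice', 'secret'], ['alice', 'wrong'], ["o'brien", 'secret']];
foreach ($attempts as [$name, $pass]) {
    $row = findUser($pdo, $name, $pass);
    echo $name, ': ', ($row === null ? 'no match' : 'match'), PHP_EOL;
}
```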

Your query has syntax errors. You either need to put double quotes around your session values or use curly brackets instead. Try -

$sql="SELECT * FROM `table` WHERE name='".$_SESSION['uname']."' AND
pass='".$_SESSION['pass']."'";

or

$sql="SELECT * FROM `table` WHERE name='{$_SESSION['uname']}' AND
pass='{$_SESSION['pass']}'";


Most obvious is that this is totally vulnerable to SQL Injection attacks. But ignoring that ...

$sql="SELECT * FROM `table` WHERE name='.$_SESSION['uname'].' AND pass='.$_SESSION['pass'].'";

... should be ...

$sql="SELECT * FROM `table` WHERE name='".$_SESSION['uname']."' AND pass='".$_SESSION['pass']."'";
