0

enter image description hereIf the login detail wrong, system will show "Fail login" Correctly.

But when detail correctly, system will show "C:\Users\Alex\Desktop\OSMAD\8.5\root\Project\test3.php on line 25
Fail login"

Here the PHP text

<?php

    $host = "127.0.0.1";

    $username = "root";

    $password = "usbw";   

    $dbname =  "forum_system";

    // Connect to server
    $connect = mysql_connect($host, $username, $password) 
        or die ("Sorry, unable to connect database server");

    $dbselect = mysql_select_db($dbname,$connect) 
        or die ("Sorry, unable to connect database");

    $Name   = $_POST['Name'];
    $Password = $_POST['Password'];

    $result = mysql_query("select * from users where name = '$Name' and 
        password = '$Password'")
    or die("Sorry, query failed".mysql_error());

    $row = mysql_fetch_array($result);

    if ( $row['Name'] == $Name && $row['Password'] == $Password ) {
        echo "welcome";
    } else {
        echo "Fail login";
    }
?>
Improve this question
5
  • 3
    i advice you to read Safe Password Hashing and How can I prevent SQL injection in PHP? as your current code is prone to SQL injection and Timing attacks because of the check $row['Password'] == $Password. Commented Jun 24, 2019 at 10:23
  • show your table structure with entry Commented Jun 24, 2019 at 10:25
  • Also WHERE ... AND password = '$Password' in the SQL also might be prone to timing attacks if the password column is part of a index.. As databases are designed to return as quick as possibe which is especially the case with indexes.. You need to do SELECT password FROM users WHERE name = 'name ' and then the password_verify() .. Where it does not matter if the column name is indexed as it is safe.. Commented Jun 24, 2019 at 10:34
  • in db all column name seems in lower case and in php u used first latter caps Commented Jun 24, 2019 at 10:37
  • Seems like a delicious script for SQL Injection :P Commented Jun 24, 2019 at 10:39

1 Answer 1

Reset to default
1

Well MySQL table column names are case sensitive. So instead of $row['Name'] and $row['Password'] you should use $row['name'] and $row['password']. So the line: 

if ( $row['Name'] == $Name && $row['Password'] == $Password )

should be replaced with:

if ( $row['name'] == $Name && $row['password'] == $Password )

Also use mysqli or MySQL_PDO instead of mysql functions. The mysql extension has been removed in Php 7.0.0.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.