2

First of all this is the first time i try PHP..

here is the code :

<?php
if (isset($_GET['name']) && isset($_GET['password']) 
$uname = $_GET['name'];
$pass = $_GET['password'];
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$result = mysql_query("SELECT * FROM table WHERE username=$uname and password =$password");
$row  = mysql_fetch_array($result);
if(is_array($row)) {
$ip = $row[ip];
 echo $ip ;
}else {
echo = "Invalid Username or Password!";
}
?>

When i try this link : http://www.mywebsite.com/page.php?name=user&password=mypassword

This is a Hidden page, i use it to get my recorded members IP address, when a user tries to login in my Windows Form application which is written in C#

always get a blank page ..

thanks in advance

Improve this question
3
  • 1
    parsing db user-name and password in url is suicide Commented Mar 24, 2014 at 3:47
  • enable error logging? multiple syntax errors and bad practices Commented Mar 24, 2014 at 4:08
  • Note: You can use isset($_GET['name'], $_GET['password']) instead to clean things up. Commented Mar 24, 2014 at 4:32

2 Answers 2

Reset to default
5

Surround your variables with single quotes and add a die(mysql_error()); at the end as shown.

$result = mysql_query("SELECT * FROM `dvtmembers` WHERE username='$uname' and password ='$pass'") or die(mysql_error());

Warning : Your code is open to SQL Injection attack.

Other Major Errors.

  • It should be $uname not $uanme
  • You have missed a parenthesis after the isset construct
  • You are doing an assignment to the echo statement.

Modified Code

<?php
ini_set('display_startup_errors',1);
ini_set('display_errors',1);
error_reporting(-1);

if (isset($_GET['name']) && isset($_GET['password']))
{
$conn = mysql_connect("localhost","DBusername","DBpassword");
mysql_select_db("DBname",$conn);
$uname = mysql_real_escape_string($_GET['name']);
$pass = mysql_real_escape_string($_GET['password']);
$result = mysql_query("SELECT * FROM table WHERE username='$uname' and password ='$pass'") or die(mysql_error());
$row  = mysql_fetch_array($result);
if(is_array($row)) {
    $ip = $row['ip'];
    echo $ip ;
}else {
    echo "Invalid Username or Password!";
}
}
else { echo "Name and Password was not passed !";}
?>

This(mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to PreparedStatements is even more better to ward off SQL Injection attacks !

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

@Dr.Vision, Have you enabled error reporting ?
Finally Worked, but always get "Invalid Username or Password!" however i type the name and pass correct..
Good. Have you added the single quotes around as shown in the code on the SELECT query ?
and fixed this (and password ='$password') to (and password ='$pass')
Warning: mysql_real_escape_string(): Access denied for user 'myrootnme'@'localhost' (using password: NO) in /home/myrootnme/public_html/mypage.php on line 8 Warning: mysql_real_escape_string(): A link to the server could not be established in /home/myrootnme/public_html/mypage.php on line 8 Warning: mysql_real_escape_string(): Access denied for user 'myrootnme'@'localhost' (using password: NO) in /home/myrootnme/public_html/mypage.php on line 9 Warning: mysql_real_escape_string(): A link to the server could not be established in /home/myrootnme/public_html/mypage.php on line 9
|
2

use single quotes in $row['ip'] and variables also. Your query is vunerable ( SQl Injection) so better use mysql_real_escape_string() for parameters like name , password. 

   <?php
echo "<br/> Outside loop"; 

   if (isset($_GET['name']) && isset($_GET['password']) {
echo "<br/> Inside if loop"; 

    $uname =  mysql_real_escape_string($_GET['name']);
    $pass =  mysql_real_escape_string($_GET['password']);
    $conn = mysql_connect("localhost","DBusername","DBpassword");

if($conn == false ){ echo "Database not connected. DB error. " ; } 
echo "<br/> after connection "; 

    mysql_select_db("Tablename",$conn);
echo "<br/> after db selection"; 

    $result = mysql_query("SELECT * FROM dvtmembers WHERE username= '$uname' and password = '$pass' ") or die(mysql_error());
    $row  = mysql_fetch_array($result);
    if(mysql_num_rows($result) > 0) {
    $ip = $row['ip'];
     echo $ip ;
echo "<br/>final If loop"; 

    }else {
echo "<Br/> final else loop"; 

    echo = "Invalid Username or Password!";
    }
}
else { 

echo "Parameters are not passed" ; 
} 
    ?>
Improve this answer

1 Comment

use this updated code above . and tell me what is the output ?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.