0

First of all, I'm new to both PHP/SQL and StackOverflow, so I'm sorry if my post is weird. I'm having a hard time figuring out what is wrong with my code. I have registered several users (each with a password ofc), but I only get login failed. Is it my if that is wrong?

Thank you.

<?php

session_start();

    //Connecting and choosing DB
    $connection = mysql_connect("link", "user", "pw");           
    mysql_select_db("user", $connection); 

    $username = mysql_real_escape_string($_POST['brukernavn']);
    $password = mysql_real_escape_string($_POST['passord']);


    // Check the users input against the DB.
    $sql = "SELECT * FROM brukere WHERE brukernavn = '$username' AND passord = '$password'";
    $result = mysql_query($sql) or die ("Unable to verify user because " . mysql_error());

    $row = mysql_fetch_assoc($result);

    if($row['total'] == 1)

    {
        $_SESSION['loggedIn'] = "true";
        header("Location: insertlink");
    }
    else
    {
        $_SESSION['loggedIn'] = "false";
        echo "<p>Login failed, username or password incorrect.</p>";
    }

?>
5
  • I know you said you're new to PHP/MySQL, so I recommend starting off right and NOT using the mysql_* functions. Look at mysqli or PDO (the latter being my personal preference). We would also need to see your registration code. Are you encrypting passwords when you save them? Commented Oct 2, 2014 at 23:04
  • 4
    1. mysql_* is deprecated, use mysqli_ or PDO. 2. You're storing clear-text passwords in your database, which is very bad. Commented Oct 2, 2014 at 23:04
  • @lxg - I wish I could give that about a 100 upvotes... Commented Oct 2, 2014 at 23:12
  • @rar Thanks! I'll check them out. Is this my registration code then? $username = mysql_real_escape_string($_POST['nyttbrukernavn']); $password = mysql_real_escape_string($_POST['nyttpassord']); if(!isset($username) || trim($password) == '') { echo "Fyll ut de nødvendige feltene."; } else{ $sql="INSERT INTO brukere (brukernavn, passord) VALUES ('$username', '$password')"; Commented Oct 2, 2014 at 23:13
  • Yep, that's the insert statement. It looks like you're not encrypting the passwords (which you should be), so that doesn't answer why the login failed. Upon closer inspection, though, it looks like lxg pointed out the correct thing - there's no $row['total'], so it will automatically fail that conditional check. Commented Oct 3, 2014 at 2:44

1 Answer

3

There is no total field in the array returned by mysql_fetch_assoc().

If you want to know the number of results, use the count function:

if(count($rows) === 1)
…

Btw, as already mentioned:

  1. mysql_* is deprecated, use mysqli_* or PDO.
  2. You're storing clear-text passwords in your database, which is very bad. Please read about hashing and salting stored passwords.

4 Comments

@lxg Thank you so much, sir! I'm going to check out mysqli_ and PDO.
nice link @gloomy.penguin. Didn't know that PHP has a dedicated article about this.
@JonHåvardHalvorsen: You're welcome. You will find mysqli to be more similar to the deprecated mysql (meaning that it may be easier to update mysql_* code to mysqli_*), while PDO is more "object oriented". In any case, you should use prepared statements instead of manually escaping data input. (which at least you do, others don't even care about that. ;))
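
As an added example (not code from the question or the answer), here is the login check with the two fixes recommended above: a PDO prepared statement instead of manual escaping, and password_hash()/password_verify() instead of comparing clear-text passwords in SQL. The table and column names come from the question; the in-memory SQLite database, the function names registerUser and checkLogin, and the sample user are assumptions made so the script runs offline.

```php
<?php
// Added example, not from the original thread. An in-memory SQLite database
// stands in for the MySQL server so the script runs offline (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE brukere (brukernavn TEXT PRIMARY KEY, passord TEXT NOT NULL)');

// Registration (hypothetical helper): store only a salted hash of the password.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO brukere (brukernavn, passord) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login (hypothetical helper): select by username only, then verify the hash
// in PHP. The password never appears in the SQL text.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT passord FROM brukere WHERE brukernavn = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched
    if ($row === false) {
        return false;                        // unknown user
    }
    return password_verify($password, $row['passord']);
}

// Constructed sample data.
registerUser($pdo, 'kari', 'riktig hest batteri');

var_dump(checkLogin($pdo, 'kari', 'riktig hest batteri'));   // correct password
var_dump(checkLogin($pdo, 'kari', 'feil'));                  // wrong password
var_dump(checkLogin($pdo, 'ukjent', 'riktig hest batteri')); // unknown user
var_dump(checkLogin($pdo, "kari' OR '1'='1", 'x'));          // quote is bound as data
```

On the real login page, the result of checkLogin() replaces the $row['total'] test, and calling session_regenerate_id(true) before setting $_SESSION['loggedIn'] prevents a pre-login session ID from being reused.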
