<?php include "db/config.php";?>
<?php
function loginCheck($username,$password) 
{
$sql=mysql_query("select UserId, UserName, Password from user_login where UserName= '$_POST[username]' and Password= '$_POST[password]'");
$name=$sql['UserName'];
//echo"hi".$name;
//select * from user_login where UserName='mownam' and Password='welcome'

                $result =mysql_query($sql);
                //$uname=$_REQUEST["username"];
                if(mysql_num_rows($result) > 0)
                {

                echo "<center>successfully logged<br />".$uname;
                }
                else
                 {
                ?><div align="center" style="background-color: #FFFFCC"style="font:"Courier New" , Courier, monospace" style="font:message-box " style="font-size:10px" 
                id="loginerror"><strong>Invalid Username password</strong></div>
                <?php }


}
function insertValues($username,$password) {
 $sql=mysql_query("INSERT INTO user_login (UserId, UserName,Password, add_rights, update_rights,view_rights,delete_rights) VALUES ('','$_POST[username]','$_POST[password]','','','','')");
 echo "ok";
}

function updateValues($username,$password) {
 $sql=mysql_query("update person set  dob='$c', password='$b' where username='$username'");
}

function deleteValues($username) {

 $sql=mysql_query("delete from person where  username='$a'");
}

?>

help me to find out error in above coding..thanks

$sql=mysql_query("Select UserId, UserName, Password FROM user_login Where UserName= '".$_POST['username']."' and Password= '".$_POST['password']."'");

This is correct written..
How ever are you sure there are POSTs ? if its function perhaps there should be $username an $password (values from the function vars) not POSTs ..

use

$query="Select UserId, UserName, Password FROM user_login Where UserName= '".$_POST['username']."' and Password= '".$_POST['password']."'";
echo $query;
$sql=mysql_query($query) or die(mysql_error());

at least you get some more info

$result =mysql_query($sql);, is not valid. Due to your post, $sql is mysql resource, not a string (mysql command). Perhaps, it should be:

$sql = "SELECT `UserId`, `UserName`, `Password` FROM `user_login` WHERE `UserName` = '" . $_POST['username'] . "' AND Password= '" . $_POST['password'] . "'";
$result = mysql_query($sql);

Note:
- Use UPPERCASE for mysql syntax such (SELECT, INSERT, DELETE, UPDATE)
- Use CODE tag to wrap the codes you want to post.

Member Avatar for diafol

EEK. Don't ever, ever use unclean $_POST variables in your SQL. Always clean them with something like mysql_real_escape_string().

This is a good explanation as to why: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

It's a good idea to echo your sql, copy and paste it to phpmyadmin or your favourite MySQL GUI and see what it gives you.

ardav is right; you really must be careful when accepting user generated $_POST/$_GET/$_REQUEST variables.

This looks like a portion of a login script, so I hope my code helps. This script also converts the password to an md5 string (more secure and good practice). The password row is set to varchar in the mysql database.

Instead of pulling all the db rows on the user, it counts to make sure the user exists ($rowCheck > 0) and then proceeds (valid login).

'login.php'

<?php 
include('config.php'); //holds db information and begins with session_start();

 if(isset($_POST['username'])) {
 	$username = mysql_real_escape_string($_POST['username']);
 }
 
 if(isset($_POST['password'])) {
 	$password = mysql_real_escape_string($_POST['password']);
 }
 
 $password = md5($password);
 
$sql = "SELECT COUNT(*) FROM `users` WHERE username = '$username' AND password = '$password'";

$result=mysql_query($sql);

//check that at least one row was returned

$rowCheck = mysql_result($result, 0);

if($rowCheck > 0) {

	$_SESSION['username'] = $username;

header ("Location: index.php");

  //we will redirect the user to another page where we will make sure they're logged in

  } else {
  //if nothing is returned by the query, unsuccessful login code goes here...

  echo 'Incorrect login name or password. Please try again.<br>';

  echo "$username - $password";

  } 

?>
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.