Member Avatar for new_coder

hi im new in php im trying to create a log-in system but i got an error need your help guys 

THIS IS MY LOGIN PROCESS

<?php
require 'connect.php';

$employeeno = $_POST['employeeno'];
$name = $_POST['name'];

if(isset($_POST['LOGIN']))
{
    $query = "SELECT * FROM tbl_employee_information WHERE employeeno='$employeeno' AND name='$name'";
    $query_run = mysqli_query($query,$db);
    if(mysq_num_rows($query_run)>0)
    {
        $_SESSION['user']=$name;
        header("location:employeeinfo.php");
    }
    else
    {
    }
}
?>

THIS IS MY MAIN PAGE

<form action="log-in_process.php" method="POST"> <div id="body"> <h1>Log-in</h1> <label>ID No:</label><br> <input type="password" name="employeeno"><br> <label>Name:</label><br> <input type="text" name="name"><br> <a><input name="LOGIN"type="submit" value="LOGIN" style="background-color:#32CD32;font-family:ebrima;color
            :white;border-radius:5px;margin-left:105px;margin-top:20px;height:30px;width:100px;"></a> </div> </form>
  • 2 Contributors
  • 3 Replies
  • 343 Views
  • 2 Hours Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for cereal

Hi,

this mysq_num_rows() does not exists, you may want to use:

http://php.net/mysqli_num_rows

A part that, don't forget to use prepared statements, otherwise sooner or later you may receive a visit from Bobby Tables.

Member Avatar for new_coder

really appreciate your answer but what i am exactly gonna do

Member Avatar for cereal

Right now, change line 13 to:

if(mysqli_num_rows($query_run)>0)

There is also another error here:

$query_run = mysqli_query($query,$db);

The first argument of the function must be the link to the database, the second the query statement. So:

$query_run = mysqli_query($db, $query);

Regarding prepared statements you have to change the approach and use the MySQLi Prepared Statement class. You can find the documentation here:

So, define the query to perform:

$query = "SELECT * FROM `tbl_employee_information` WHERE `employeeno` = ? AND `name` = ?";

Instead of writing variables directly inside the query string, replace them with placeholders and bind the parameters through the bind_param() function.

MySQLi allows procedural and object oriented styles.

Procedural style:

$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'is', $empNo, $name);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);

if(0 < mysqli_stmt_num_rows($stmt))
{
    # code
}

mysqli_stmt_free_result($stmt);

The object oriented style looks like:

$stmt = $db->prepare($query);
$stmt->bind_param('is', $empNo, $name);
$stmt->execute();
$stmt->store_result();

if(0 < $stmt->num_rows)
{
    # code
}

$stmt->free_result();

The is stands for i integer, s string, for the $empNo and $name variables. You can find which types you can define, inside the bind_param() function documentation.

A word on $empNo and $name, you are currently using $_POST, use filter_input(), instead, as you can sanitize the input:

$empNo = filter_input(INPUT_POST, 'employeeno', FILTER_SANITIZE_NUMBER_INT);
$name = filter_input(INPUT_POST, 'employeeno', FILTER_SANITIZE_STRING);

The docs about the filters:

Bye!

commented: Excellent, as usual. +15
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.