login help

  1. #1
    Junior Member
    Join Date
    Apr 2013
    Posts
    1

    login help

    I'm having problems with the login feature of a website I am making and am wondering if anyone can help me with it.

    The code I have done so far lets the user log in no matter what they enter. However, it is supposed to match what they type to the details stored in the database; even if there is no data in the database to retrieve from, it still lets the user log in.

    PHP:
    <?php
    session_start();
    //print_r($_POST);
    $Username=$_GET['uname'];
    $Password=$_GET['pw'];

    $conn = new PDO("mysql:host=localhost;dbname:databasename"'username' ,'password');
    if ($Username == $sql"SELECT Username FROM Customer"$Password == $sql"SELECT Password FROM Customer")
    {
        $_SESSION['input']= true;
        //echo '<p>Login Succesfull</p>';
        header('location:Members.php');
    } else {
        unset($_SESSION['input']);
        //echo '<p>Login Not Succesfull</p>';
        header('location:Sign-Registration.html');
    }
    ?>

    html:

    <form name="input" action="login.php" method="get">
        <label for="username">Username:</label>
        <input id="username" type="text" name="uname" /><br/>
        <label for="password">Password:</label>
        <input id="password" type="password" name="pw" /><br/>
        <input type="submit" value="submit"/>
    </form>
    Last edited by bradgrafelman; 04-30-2013 at 01:16 PM. Reason: bbcode tags added

  2. #2
    Member
    Join Date
    Nov 2006
    Posts
    66
    A few quick pointers to maybe set you off in the right direction:
    1. Best not to use GET variables for passing sensitive info like usernames & passwords. Better to use POST.
    2. It appears in your SQL statements that you are not qualifying your search. When you write "SELECT Username FROM Customer", your results will include ALL usernames from the table 'Customer'. Try something like: "SELECT Username FROM Customer WHERE username = '$Username'" (this goes for the password query as well).
    3. From your code sample, it looks like you may be storing your customers' passwords in plain text, which is very bad. Look into the MD5 function of PHP or other hashing techniques for a better password storage procedure.

  3. #3
    Pedantic Curmudgeon Weedpacket's Avatar
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Thrilled To Be Here"
    Posts
    21,884
    It also looks like you're not sending the queries to the database at all. $conn is created, but nothing is ever done with it. Strings of SQL are created, but the only thing they get used for is to see if the user typed in the same SQL queries.

    See the examples in, for example, pdo.prepared-statements, pdo.prepare and related manual pages for what to do with a PDO database connection.
    THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER

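A login check along the lines the replies point to, as an added example that is not part of any post in the thread: the query is sent through a PDO prepared statement, the form values arrive by POST, and an unknown user or empty table fails the login. It assumes the form is changed to method="post", that Customer.Password holds password_hash() output (PHP's built-in password hashing API, used here in place of the MD5 suggestion), and that the DSN values are placeholders; the function names are hypothetical.

```php
<?php
// Added example: login.php rebuilt around a prepared statement.
// Assumptions: form uses method="post"; Customer.Password stores
// password_hash() output; DSN, user and password are placeholders.
declare(strict_types=1);
session_start();

function findPasswordHash(PDO $conn, string $username): ?string
{
    // The SQL is actually executed, and the user-supplied name is bound
    // as a parameter rather than pasted into the query string.
    $stmt = $conn->prepare('SELECT Password FROM Customer WHERE Username = :uname');
    $stmt->execute([':uname' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash; // null: no matching row
}

function checkLogin(PDO $conn, string $username, string $password): bool
{
    $hash = findPasswordHash($conn, $username);
    // No row (unknown user or empty table) must fail, never fall through.
    return $hash !== null && password_verify($password, $hash);
}

// Form fields can arrive as arrays (uname[]=x); accept strings only.
$username = is_string($_POST['uname'] ?? null) ? $_POST['uname'] : '';
$password = is_string($_POST['pw'] ?? null) ? $_POST['pw'] : '';

$conn = new PDO(
    'mysql:host=localhost;dbname=databasename;charset=utf8mb4',
    'username',
    'password',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepares
    ]
);

if ($username !== '' && checkLogin($conn, $username, $password)) {
    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['input'] = true;
    header('Location: Members.php');
} else {
    unset($_SESSION['input']);
    header('Location: Sign-Registration.html');
}
exit;
```

Rows for this check would be created at registration time with password_hash($password, PASSWORD_DEFAULT).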