php login help

Wales

I'm trying to use a login form to call the user and password from a database. Can't seem to get it. I know my codes I'm using are vulnerable to attacks, but I'm just learning and will expand on this code. Thanks.

<?php
include ("db/connect.php");

$username = mysql_query(SELECT user FROM users WHERE (username = $_POST['username']) );
$password = mysql_query(SELECT password FROM users WHERE (password = $_POST['password']) );

if ( isset($_POST['submit'])) {
	if ( (!empty($_POST['username'])) && (!empty ($_POST['password'])) ) {
		if ( ($_POST['username'] == '$username') && ($_POST['password'] == '$password') ) {
		echo ('Welcome');
		} else { 
		echo ('Try Again');
		}
	} else {
	echo ('Make sure you enter both username and password.');
	}
} else {
echo ('<form action="login.php" method="post">
		Username <input type="text" name="username" size="20" /> <br />
		Password <input type="password" name="password" size="20" /> <br />
		<input type="submit" name="submit" value="Go" />
		</form>
		');
}
?>

Trying to use that to retrieve the data but getting an error.

$username = mysql_query(SELECT user FROM users WHERE (username = $_POST['username']) );
$password = mysql_query(SELECT password FROM users WHERE (password = $_POST['password']) );

joe_C_nice

Try this.

$username = mysql_query("SELECT user FROM users WHERE username = '".$_POST['username']."'" );
$password = mysql_query("SELECT password FROM users WHERE password = '".$_POST['password']."'" );

Wales

Uhmm doesn't seem to be getting the info.

bradgrafelman

Well that's because you've got a few problems:

You're using [man]mysql_query/man twice, but that doesn't give you any data (only a "resource": [man]language.types.resource[/man]).
Even if you did get data into $username, your if() statement isn't comparing the data in $_POST['username'] to the value retrieved; instead, your if() statement is comparing the POST'ed data with the string '$username'. Variables aren't interpreted in single-quoted strings. Then again, why add quotes at all if you're simply specifying a variable?
Just as in PHP, strings must be quoted in SQL queries. Thus, you need to add single quotes around the given username/password strings in the queries.
You're making it much more complicated than it needs to be; execute one single SQL query to SELECT data from the table that you need using both the username and password POST'ed in the WHERE clause. If a row is returned, then they specified valid credentials.

Note that you could also add a 'LIMIT 1' onto the (single) new query since you're only expecting either 0 or 1 rows (does 'user' have a UNIQUE index on it in your table?). Also note that if you don't presently have any extra info in the DB that you need to use, you could simply do a 'SELECT 1' or something arbitrary like that so that you can use [man]mysql_num_rows/man to see if a row was returned or not.
Wales wrote:
I know my codes I'm using are vulnerable to attacks, but I'm just learning and will expand on this code.
Ah, but why learn something the wrong way only to have to re-learn the right way later? 😉

EDIT: Just as a sidenote, note that it's not considered a good practice to store passwords in plaintext form. Instead, consider using a decent hashing algorithm (e.g. SHA1), perhaps even with a salt.