login help

ezzyez

im having problems with my login feature of a website i am making and is wondering if anyone can help me with it ,

the code i done so far lets the user log in no matter what they enter- however it is supposed to match what they type to the details stored on the database , even if there is no data in the database to retrieve from it still lets the user log in.

PHP:

<?php
session_start();
//print_r($_POST);
$Username=$_GET['uname'];
$Password=$_GET['pw'];

$conn = new PDO("mysql:host=localhost;dbname:databasename", 'username' ,'password');
if ($Username == $sql= "SELECT Username FROM Customer"& $Password == $sql= "SELECT Password FROM Customer")
{
    $_SESSION['input']= true;
    //echo '<p>Login Succesfull</p>';
    header('location:Members.php');
} else {
    unset($_SESSION['input']);
     //echo '<p>Login Not Succesfull</p>';
     header('location:Sign-Registration.html');
}
?>

html:

<form name= "input" action="login.php" method="get">
			 <label for="username">Username:</label>
			<input id="username" type="text" name="uname"  /><br/>
			<label for="password">Password:</label>
			<input id="password" type="password" name="pw"  /><br/>
			<input type="submit"  value = "submit"/>
		</form>

sandthipe

a few quick pointers to maybe set you off in the right direction:
1. best not to use GET variables for passing sensitive info like usernames & passwords. Better to use POST
2. it appears in your SQL statements that you are not qualifying your search. When you write "SELECT Username FROM Customer", your results will include ALL usernames from the table 'Customer'. Try something like: "SELECT Username FROM Customer WHERE username = '$Username'" (this goes for the password query as well)
3. from your code sample, it looks like you may be storing your customers' passwords in plain text which is very bad. Look into the MD5 function of php or other hashing techniques for a better password storage procedure

Weedpacket

It also looks like you're not sending the queries to the database at all. [font=monospace]$conn[/font] is created, but nothing is ever done with it. Strings of SQL are created, but the only thing they get used for is to see if the user typed in the same SQL queries.

See the examples in, for example, [man]pdo.prepared-statements[/man], [man]pdo.prepare[/man] and related manual pages for what to do with a PDO database connection.