PHP Mysqli login form - Help

Posted: Sat Feb 15, 2014 9:37 am
by Jpergega
Hi, I am trying to build a login form for my website, but the code keeps giving me errors. I have made them bold:

<?php
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
//connect to database
$con=mysqli_connect("localhost","root","","") or die();
//execute query
$query ="SELECT Username, Password from `useraccount` where Username= '$_POST[Username]'and Password='$_POST[Password]'";
$result= \mysqli_query($query);
while($row = mysqli_fetch_array($result))
{
if($_POST['Username']==$row['Username'] && $_POST['Password']==$row['Password'])
{

header("Location:account.php");
}
else
{
echo "You got credentials wrong";
}
}

}

?>

Also is it correct if I put the code below in the account.php?
<?php

session_start();

echo "Welcome ". $_SESSION['username'];

?>
<?php

session_destroy();

header("Location:login.php");

?>

Re: PHP Mysqli login form - Help

Posted: Sat Feb 15, 2014 10:06 am
by Celauran
Take some time to look through the MySQLi documentation.

$con=mysqli_connect("localhost","root","","") or die();
Here you're telling it to connect to localhost as root with no password (!) and to use no database. You really need to specify that fourth argument before anything is going to work.
http://ca1.php.net/manual/en/mysqli.construct.php

$query ="SELECT Username, Password from `useraccount` where Username= '$_POST[Username]'and Password='$_POST[Password]'";
You're passing unsanitized user data directly into your query. This will end in tears. Either escape your inputs or, better still, use prepared statements. This also suggests you're storing passwords in plain text, which you really shouldn't be doing. Hash your passwords before storing them. When a user tries to log in, hash the password they provided and compare the hashes.

$result= \mysqli_query($query);
mysqli_query requires two arguments: the connection to use and the query to run, in that order. You're only providing one argument.
http://ca1.php.net/manual/en/mysqli.query.php

"but the code keeps giving me errors"
In future, please post the errors you're getting. It makes troubleshooting these things much easier.
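
An added example, not part of either post, that applies the reply's points together: the connection is passed to the query call, the fourth connect argument names the database, the lookup uses a prepared statement, and the password check uses PHP's password_hash()/password_verify() rather than a plain-text comparison. The database name `mysite`, the DB user `app_login`, the `DB_PASSWORD` environment variable and the `PasswordHash` column are assumptions; `$_SESSION['username']` is what the account.php snippet in the question reads.

```php
<?php
// Added example, not code from the thread. Assumed names: database "mysite",
// DB user "app_login", env var DB_PASSWORD, column PasswordHash (password_hash() output).
session_start();

/** Return the stored username if the credentials match, otherwise null. */
function check_login(mysqli $con, string $username, string $password): ?string
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $con->prepare(
        'SELECT Username, PasswordHash FROM useraccount WHERE Username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch();   // true if a row was fetched, null if there was none
    $stmt->close();

    // password_verify() reads the salt and cost from the stored hash,
    // re-hashes the submitted password and compares in constant time.
    if ($found === true && password_verify($password, $dbHash)) {
        return $dbUser;
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
    // Fourth argument selects the database; the account is not root.
    $con = mysqli_connect('localhost', 'app_login', getenv('DB_PASSWORD') ?: '', 'mysite');

    $u = $_POST['Username'] ?? '';
    $p = $_POST['Password'] ?? '';
    $user = (is_string($u) && is_string($p)) ? check_login($con, $u, $p) : null;
    if ($user !== null) {
        session_regenerate_id(true);     // fresh session ID once authenticated
        $_SESSION['username'] = $user;   // the key account.php echoes
        header('Location: account.php');
        exit;                            // stop here so nothing runs after the redirect
    }
    echo 'You got credentials wrong';
}
```

Rows for this table would be created at registration with `password_hash($password, PASSWORD_DEFAULT)` stored in the assumed `PasswordHash` column.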