0

I need to get the admin name and password. Then I need to compare the user input with MySQL using PHP. If the database is validated, I should log him in to the next page. How do I write PHP functions to access MySQL? After checking with the database, if the validations are OK, I should log him in.

My HTML code for design:

  <?php

    ?>
    <!DOCTYPE HTML>

    <head>
        <title>Login Page</title>
        <link rel="stylesheet" type="text/css" href="css/home.css">
        <script src="js/home.js">   </script>
    </head>
    <body>
        <form  action="validate_login.php" method="post">
        <div>
            <div class="layout">
                <div class="heading"></div>
                <div class="img1"></div>
                <div class="login">
                    <div class="logo"></div>
                    <div >  <label class="AdminName">Admin Name</label> <input type="text" name="AdminName" value="AdminName" id="AdminName"/></div>
                    <div > <label class="Password">Password</label> <input type="password" name="Password" value="Password" id="Password" /></div>
                    <input type="button" button onclick='window.location="menu.php"' name="Login" id="login" value="LOGIN"/>
                    <input type="button" name="Login" id="cancel" value="cancel"/></form>
                </div>
                <div class="img2"></div>
            </div>

        </div>
    </body>

My php code to access database:

 <?php

    // Grab User submitted information
    $AdminName = $_POST["AdminName"];
    $Password = $_POST["Password"];

    // Connect to the database
    $con = mysql_connect("localhost","admin","admin@123");
    // Make sure we connected successfully
    if(! $con)
    {
        die('Connection Failed'.mysql_error());
    }

    // Select the database to use
    mysql_select_db("admin_data",$con);

    $result = mysql_query("SELECT AdminName, Password FROM admin_info WHERE AdminName = $AdminName");

    $row = mysql_fetch_array($result);

    if($row["AdminName"]==$AdminName && $row["Password"]==$Password)
        echo"You are a validated user.";
    else
        echo"Sorry, your credentials are not valid, Please try again.";
    ?>
Cfreak
  • 2
    If you use that code then anyone will certainly be able to log in. Or delete your database if they prefer. `mysql_*` functions are deprecated because they are insecure. You should read about SQL Injection - (http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Beyond that I can't tell what you're asking. Does this code not work as expected? – Cfreak Mar 14 '14 at 04:18
  • 1
    @user3317807, look, there are many errors that you have to rectify. A simple one is to add quotes in the select query, like '$AdminName'. To make it simpler, take the result (after while) and set it in another variable, then compare. Check GOOGLE. YOU HAVE MANY SCRIPTS for this – codelover Mar 14 '14 at 04:22
  • 1
    Sidenote: This line `WHERE AdminName = $AdminName` needs to be `WHERE AdminName = '$AdminName'` --- `$AdminName` needs to be wrapped inside quotes, otherwise it will be treated as an integer; which is most likely the reason it's not working. – Funk Forty Niner Mar 14 '14 at 04:25
  • Sidenote # 2: Don't store passwords in plain text. The way you're going now, you're going to be setting up a whole new DB once you go LIVE along with a new DB password. – Funk Forty Niner Mar 14 '14 at 04:38
  • ^--« That's **IF** you'll still have access. – Funk Forty Niner Mar 14 '14 at 04:44
  • The mysql extension has been deprecated. Why are you still using it? It's not good for the future. – Muhammad Mar 14 '14 at 05:02

3 Answers

3

Try With

    $result = mysql_query("SELECT AdminName, Password FROM admin_info WHERE AdminName = '".mysql_real_escape_string($AdminName)."' AND Password = '".mysql_real_escape_string($Password)."'");

Laukik Patel
0

just use

    $result = mysql_query("SELECT AdminName, Password FROM admin_info WHERE AdminName = '".mysql_real_escape_string($AdminName)."' AND Password = '".mysql_real_escape_string($Password)."'");
    if(mysql_num_rows($result) > 0)
        echo"You are a validated user.";
    else
        echo"Sorry, your credentials are not valid, Please try again.";

because you have validated on:

    $result = mysql_query("SELECT AdminName, Password FROM admin_info WHERE AdminName = '".mysql_real_escape_string($AdminName)."' AND Password = '".mysql_real_escape_string($Password)."'");

So if mysql_num_rows($result) is not null or not false, just log the user in.

Note: mysql_* functions are deprecated because they are insecure.

dhidy
-1

Use this query instead of yours,

    $result = mysql_query("SELECT AdminName, Password FROM admin_info WHERE AdminName = '".mysql_real_escape_string($AdminName)."' and Password = '".mysql_real_escape_string($Password)."'");

authorize here

    if(mysql_num_rows($result) > 0){
      //your redirection to inner page
    }else{
      // invalid login
    }

SagarPPanchal
  • Sorry mate, although your suggestion might work but your query is vulnerable to SQL injection. @Laukik is using mysql_real_escape_string which is much safer. But preferably you should use PDO to execute PHP queries. – Ruben Mar 14 '14 at 04:34
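
An added example, not part of the original thread or any poster's code: the check the comments point toward, done with a PDO prepared statement and `password_hash()`/`password_verify()` instead of string-built SQL and plain-text passwords. The function name `verify_admin`, the sample row and the in-memory SQLite database (used only so the block runs offline) are assumptions, as is the `Password` column holding `password_hash()` output.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). verify_admin() is a hypothetical name.
// Assumes admin_info.Password stores password_hash() output, not plain text.
function verify_admin(PDO $pdo, string $name, string $password): bool
{
    // Hash checked when the name is unknown, so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('unused-placeholder', PASSWORD_DEFAULT);

    // The :name placeholder sends the input as data, never as SQL text.
    $stmt = $pdo->prepare(
        'SELECT Password FROM admin_info WHERE AdminName = :name'
    );
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();

    if (!is_string($hash)) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed demo data in an in-memory SQLite database so the block runs
// offline. For the setup in the question, use a MySQL DSN instead, e.g.
// new PDO('mysql:host=localhost;dbname=admin_data;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin_info (AdminName TEXT PRIMARY KEY, Password TEXT)');
$pdo->prepare('INSERT INTO admin_info (AdminName, Password) VALUES (?, ?)')
    ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'constructed-sample-pw'],  // correct credentials
    ['alice', 'wrong-password'],         // wrong password
    ["alice'", 'constructed-sample-pw'], // quote in the name is matched literally
    ['nobody', 'anything'],              // unknown name
];
foreach ($attempts as [$name, $password]) {
    $ok = verify_admin($pdo, $name, $password);
    printf("%-8s => %s\n", $name, $ok ? 'valid' : 'invalid');
}
```

In `validate_login.php`, pass `$_POST['AdminName']` and `$_POST['Password']` to the function; on success, after `session_start()`, call `session_regenerate_id(true)` before recording the login in `$_SESSION` and redirecting to `menu.php`.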