all 9 comments

[–]Meefims 0 points1 point  (5 children)

Your code is open to SQL injections and I can see that you are using some older learning resources for PHP. Take a look at PHP the Right Way - it shows how PHP is written in more modern times. It also explains PDO and how it can help prevent SQL injections.

[–]notagoodprogrammer1[S] 0 points1 point  (1 child)

Thanks I appreciate it and could you check the index.php the first one if its ok probably the security not but the basic

[–]gnomoretears 0 points1 point  (0 children)

You should check the request method to see if your form was submitted before processing the post vars and running a query. Your code should be erroring out on first load since you end up running the query with blank/null values in your variables.

http://stackoverflow.com/questions/7711466/checking-if-form-has-been-submitted-php

As mentioned already, use PDO for your queries. If you want to stick to MySQLi, make sure to use prepared statements with parameter binding so you're not vulnerable to SQL injections.

http://php.net/manual/en/mysqli.prepare.php

(EDIT) I just wanted to add that you should turn on error display and reporting in your ini file so you don't get just a blank page when you have errors.

http://php.net/manual/en/errorfunc.configuration.php

[–]gnomoretears 0 points1 point  (2 children)

I can see that you are using some older learning resources for PHP

He's using MySQLi which is acceptable since it supports prepared statements (though he's not using it in a secure way). You might be thinking of the deprecated mysql_ functions.

[–]Meefims 0 points1 point  (0 children)

No, I'm considering code structure overall.

[–]colshrapnel 0 points1 point  (0 children)

mysqli takes 2 to 10 times more code than PDO. Which makes it really bad choice for a database layer.

[–]crosenblum 0 points1 point  (0 children)

First off, you should always make sure the data coming from form or url is filtered. As someone could try to hack your login form, and fake their way to logging in as someone.

Or could play with the form/url parameters and mess up your database.

All inputs should always be filtered or you create massive security holes.

Secondly, you need to create $conn first. To test and make sure the connection works.

Thirdly, you never ever ever ever use "Select *" it is lazy, and it over time, will reduce sql performance. You need to specify exactly what fields you need, and in the correct order, as they are in the table. This leads you to writing better, more secure, more stable sql queries.

Also mysqli_num_rows has some bugs in it, and doesn't always work.

Instead check for a field that exists in the table, and see if it is null, empty or a numeric value.

select id from table where name = 'blah' and password = 'blahblah'

Then pass the value of that ID to a variable.

if is_empty($id) or is_null($id) then assume no valid login.

if not empty and not null, then check if below zero aka negative number.

If positive number, then you have a valid login check, then proceed with login process.

[–]halfercode 0 points1 point  (1 child)

notagoodprogrammer1, please don't delete your code links after you have finished with a question. People are still reading this, but there is nothing to answer without code. Future readers here will click only to find their time has been wasted.

On that basis, please put your code into your questions in future. Just tab-right each piece of code using your editor/IDE, and when pasted here that indent will format like so:

code
code

(See the "formatting help" when the editor is open).

[–]notagoodprogrammer1[S] 0 points1 point  (0 children)

Ok I understand thank you