sql - mysql_query() error in PHP form -
so use program in php own way , told me start using way. of course caused me few mistakes. code:
<?php function signin() { $con = mysqli_connect('localhost','root','avi1574','test'); if (mysqli_connect_errno()) { echo "failed connect mysql: " . mysqli_connect_error(); } session_start(); if(!empty($_post['user_w'])) { $query = mysql_query($con, "select * `users` `user` = '$_post[user_w]' , password = '$_post[pass_w]'") or die(mysql_error()); $row = mysql_fetch_array($query) or die(mysql_error()); if(!empty($row['user']) , !empty($row['password'])){ $_session['user_w'] = $row['password']; echo "logged in."; } else{ echo "sorry, wrong password."; } }} if(isset($_post['submit'])){ signin(); } ?> <h1>my login page</h1> <form action="tsql.php" method="post" > <input type="text" name="user_w" size="20"></input> <input type="password" name="pass_w" size="20"></input> <button type="submit" name="submit">sumbit</button> </form> when submit form following error: warning: mysql_query() expects parameter 1 string, object given in test-main/htdocs/test/tsql.php on line 10
line 10 is: $query = mysql_query($con, "select * fromuserswhereuser= '$_post[user_w]' , password = '$_post[pass_w]'") or die(mysql_error());
thank in advance!
many bad practice in there, let me point out few things.
$_post[pass_w] this doesn't work pass_w not constant. see this article. must use quotes index: $_post['pass_w'].
you open sql injection , should use prepared statements.
you can't mix mysqli , mysql. don't use mysql_ functions, not secure , deprecated.
to error message, trying put resource mysql_query function expects query string, select.... must switch parameters.
when doing selects password , username, ensure case sensitivity using binary , put limit 1 @ end, ensure 1 record in return.
select * ... binary username = ... limit 1 also use hashing function (not sha1 , not md5 please :-) password, salt!
Comments
Post a Comment