
I'm trying to create a login system but for some reason there is an error in my code and I can't seem to figure out what it is.

    <?php
    include "connect.php";
    ?>

    <body>
    <?php
    if(isset($_POST['submit'])){
        $username = $_POST['email'];
        $password = $_POST['password'];

        $result = mysql_query($con,"SELECT * FROM users WHERE username=$username AND password=$password");
        $num = mysql_num_rows($result);
        if($num == 0){
            echo "Bad login, go <a href='login.php'>back</a>.";
        }else{
            session_start();
            $_SESSION['username'] = $username;
            header("Location: index.php");
        }
    }
    ?>

    <div class="container">
      <form action='signin.php' method='POST' class="form-signin" >
        <h2 class="form-signin-heading">Please sign in</h2>
        <input type="text" class="input-block-level" placeholder="Email address" name="email">
        <input type="password" class="input-block-level" placeholder="Password" name="password">
        <label class="checkbox">
          <input type="checkbox" value="remember-me"> Remember me
        </label>
        <button class="btn btn-large btn-primary" type="submit" name="submit" value="Login">Sign in</button>
      </form>
    </div>
    </body>

These are the errors on submit:

    Warning: mysql_query() expects parameter 1 to be string, object given in C:\xampp-portable\htdocs\bootstrap\signin.php on line 71

    Warning: mysql_num_rows() expects parameter 1 to be resource, null given in C:\xampp-portable\htdocs\bootstrap\signin.php on line 72
    Bad login, go back.
Noah R
  • At least ***describe*** the symptoms of the problem! Wild guess: http://stackoverflow.com/questions/8028957/headers-already-sent-by-php – deceze Mar 31 '13 at 10:36
  • When I sign in it fails. – Noah R Mar 31 '13 at 10:36
  • is your database connection ok ? – MrSimpleMind Mar 31 '13 at 10:37
  • You're also wide open to SQL injection and you're using a deprecated database API. – deceze Mar 31 '13 at 10:37
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – tereško Mar 31 '13 at 10:38

1 Answer


1) You are confusing the mysql and mysqli query functions. It is

    $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

and

    $result = mysqli_query($con,"SELECT * FROM users WHERE username='$username' AND password='$password'");

2) This code is very vulnerable to SQL injection. You need to sanitize it before using it for real.

3) For the success case, set a session id, something like this:

    $session_id = session_id();

Reverse that:

    $username=$_SESSION["username"];

and use both variables in the redirection:

    header ("Location: index.php?username=$username&session_id=$session_id");
Nik Drosakis
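A version of the sign-in handler that addresses the answer's points 1 and 2 (mysqli called with the correct arguments, and the user-supplied value bound as a parameter instead of interpolated into the SQL), added here as an example; it is not code from the question or the answer, and it assumes `connect.php` sets `$con` to a mysqli connection and that the `users` table stores `password_hash()` digests in a column named `password_hash`.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: connect.php sets $con to a mysqli connection, and the users
// table has a password_hash column holding password_hash() digests.
declare(strict_types=1);

session_start();            // before any output, so the session cookie header can be sent
include "connect.php";      // assumed to set $con = new mysqli(...)

/**
 * Return true when $email/$password match a row in users, false otherwise.
 * The email is bound as a parameter, so it is never spliced into the SQL text,
 * and the stored digest is checked with password_verify() rather than compared
 * as plain text in the WHERE clause.
 */
function authenticate(mysqli $con, string $email, string $password): bool
{
    $stmt = $con->prepare(
        "SELECT password_hash FROM users WHERE username = ? LIMIT 1"
    );
    if ($stmt === false) {
        return false;                       // prepare failed: treat as bad login
    }
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();                // true on a row, null when none
    $stmt->close();

    // password_verify() returns false for an empty hash, so "no such user"
    // and "wrong password" take the same path and print the same message.
    return (bool) $found && password_verify($password, (string) $hash);
}

if (isset($_POST['submit'])) {
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (authenticate($con, $email, $password)) {
        session_regenerate_id(true);        // fresh session id once authenticated
        $_SESSION['username'] = $email;     // identity lives in the server-side session
        header("Location: index.php");
        exit;                               // nothing below should run after the redirect
    }
    echo "Bad login, go <a href='login.php'>back</a>.";
}
```

Calling `session_start()` before any HTML is echoed also avoids the "headers already sent" problem linked in deceze's comment.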