I am trying to verify the username and password in the data before allowing the user entry. This is my code. The result is that it skips and goes to the else statement.

if(!empty($_POST['username']) && !empty($_POST['code']))
{

    $checkcode = mysql_query("SELECT * FROM members WHERE Username = '".$username."' AND Code  = '".$code."'");

    if(mysql_num_rows($checkcode) == 1)
    // $row = mysql_fetch_array($checkcode);
    {

        header("Location: home.php");

    }
    else
    {
        echo "<h1>Error</h1>";
        echo "<p>Sorry, your account could not be found. Please <a href=\"index.php\">click here to try again</a>.</p>";
    }

}
mayon
  • Have you tried the query in phpMyAdmin or similar? That said, mysql_query is unsafe; please use the mysqli or PDO libraries and do not use user input without cleaning that data. – Marco Mura Feb 27 '15 at 15:29
  • You are testing `$username`, this variable was not assigned: `$username = $_POST['username'];` before testing it. Please also note that your code is highly vulnerable to SQL injections. –  Feb 27 '15 at 15:29
  • Please, before putting any kind of PHP code in production, read this (question and first answer): http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Philippe Plantier Feb 27 '15 at 15:30
  • And what happens when you uncomment that left curly brace after the if clause? – n-dru Feb 27 '15 at 15:31

1 Answer

  1. Fix your formatting :)
  2. I don't see you assigning $_POST['username'] to the $username variable; same with $code.
Mateusz Majewski
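
The check the comments and the answer point toward, written out as an added example that is not part of the original thread: the POST fields are assigned before use and the lookup goes through a PDO prepared statement. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, `members.Code` holds a `password_hash()` value instead of the plaintext code, and `checkLogin()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the real MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (Username TEXT PRIMARY KEY, Code TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO members (Username, Code) VALUES (?, ?)');
// Constructed sample account; storing a hash instead of the code is an assumption.
$seed->execute(['alice', password_hash('s3cret-code', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true only when the username exists and the code matches its hash.
 */
function checkLogin(PDO $pdo, array $post): bool
{
    // Read the request fields explicitly; this assignment is the step missing
    // from the question, where $username and $code were never set.
    $username = $post['username'] ?? '';
    $code     = $post['code'] ?? '';
    if (!is_string($username) || !is_string($code) || $username === '' || $code === '') {
        return false;
    }

    // Placeholder binding keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT Code FROM members WHERE Username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($code, $hash);
}

// Constructed inputs: a valid login, a wrong code, a username containing a
// quote (treated as plain data by the placeholder), and a missing field.
$attempts = [
    ['username' => 'alice', 'code' => 's3cret-code'],
    ['username' => 'alice', 'code' => 'wrong'],
    ['username' => "o'brien", 'code' => 'x'],
    ['username' => 'alice'],
];
foreach ($attempts as $post) {
    printf("%-45s %s\n", json_encode($post), checkLogin($pdo, $post) ? 'accepted' : 'rejected');
}
```

In the question's script, a `true` result is where `header("Location: home.php");` followed by `exit;` would go, and `$_POST` would be passed as the second argument.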