I'm quite new to PHP, so please forgive my newbie code; I'm a lot more used to ASP.NET, though I'm required to use PHP. Currently I have a PHP page connecting to the database which, if successful, stores the values into a cookie, though it throws these error messages due to an incorrect string:

Warning: Illegal string offset 'Member_Username' in C:\xampp\htdocs\awm\includes\login.php on line 10

Warning: Illegal string offset 'Member_Password' in C:\xampp\htdocs\awm\includes\login.php on line 10

Notice: Trying to get property of non-object in C:\xampp\htdocs\awm\includes\login.php on line 13

Here is my code:

```php
<?php

try
{
    $Username = $_POST['Username'];
    $Password = $_POST['Password'];

    $con = mysqli_connect('localhost','root','Password','Letting');

    $query = "SELECT Member_Id, Member_Firstname, Member_Surname FROM Members WHERE Member_Username = '" . $Username['Member_Username'] .  "' AND Password = '" . $Password['Member_Password']. "'";
    $result = $con->query($query);

    if($result->num_rows)
    {
        $row = $result->fetch_assoc();

        $_SESSION['MemberId']=$row['Member_Id'];
        $_SESSION['Firstname']=$row['Member_Firstname'];
        $_SESSION['Surname']=$row['Member_Surname'];

        if(isset($_POST['RememberMe']))
        {
            setcookie('login',$row['Member_Id'],time() +60*60*24*7); // one week in seconds
        }
        else
        {
            $msg = 'Login failed';
        }
    }
}
catch(Exception $e)
{
    echo $e->getMessage(); // Exception provides getMessage(), not errorMessage()
}
?>
```
Kevin
10AlexD10
  • [You need to prevent SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead. – Jay Blanchard Apr 16 '15 at 14:50

2 Answers

Assuming these variables are strings:

```php
$Username = $_POST['Username'];
$Password = $_POST['Password'];
```

Calling/treating them as arrays by using indices will surely fire that Illegal string offset error, which is this line:

```php
$query = "SELECT Member_Id, Member_Firstname, Member_Surname FROM Members WHERE Member_Username = '" . $Username['Member_Username'] .  "' AND Password = '" . $Password['Member_Password']. "'";
```

And as MySQLi already supports prepared statements, why not utilize them instead, because as of right now you are vulnerable to SQL injection. I wouldn't add the solution which directly concatenates $Username and $Password, but I'll give a rough example on prepared statements instead:

```php
$query = 'SELECT Member_Id, Member_Firstname, Member_Surname
        FROM Members
        WHERE Member_Username = ?
        AND Password = ?';

$select = $con->prepare($query);
$select->bind_param('ss', $Username, $Password); // 'ss' = two string parameters, one per ?
$select->execute();
$select->store_result(); // num_rows on a statement is only populated after store_result()

if($select->num_rows > 0) {
    // rest of codes
}
```

Sidenote: It seems you're saving plain naked passwords. If it's available to you (PHP 5.5 or greater), I'd suggest you use password_hash + password_verify to handle your login module for hashing those passwords. If you have PHP 5.4 or lower and can't use the built-in, there's already a compatibility pack library for that.

Kevin
    Info on prepared statements can be found here: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php At the least, you should be using mysqli_escape_string() to avoid injection, @10gez10. – Chris Brendel Apr 16 '15 at 14:31
  • I was aware there was SQL injection, though as previously mentioned I'm new to PHP; I haven't used parameters before in PHP, hence the code. Thank you for the link to the page, though. – 10AlexD10 Apr 16 '15 at 14:34
  • Although I've answered this, I'm still confused why you're binding both and username in one parameter? – 10AlexD10 Apr 16 '15 at 14:50
  • @10gez10 What do you mean by _one parameter_? Those `?` question marks? Only question-mark placeholders are available in mysqli; PDO has both question-mark and named placeholders. – Kevin Apr 16 '15 at 15:03
  • `$select->bind_param('ss', $Username, $Password);` this line of code can not use two bind_params, or just `('username','password',$Username,$Password);`? You've been a massive help btw, thanks. – 10AlexD10 Apr 16 '15 at 15:08
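The prepared-statement approach and the password_hash/password_verify sidenote from the answer above, put together as one complete login check. This is an added example, not code from the question or the answers; it keeps the question's table and column names, assumes the Members.Password column holds a password_hash() digest rather than plaintext, assumes mysqlnd is present for get_result(), and uses placeholder database credentials.

```php
<?php
// Added example (not from the question or answers): login rewritten with a mysqli prepared
// statement and password_verify(). Assumes Members.Password holds a password_hash() digest.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw on errors

// Form fields must be plain strings; an array such as Username[]=x is rejected here
// instead of triggering the "Illegal string offset" warning later on.
function postString(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Returns the member row on success, or null when the login fails.
function authenticate(mysqli $con, string $username, string $password): ?array
{
    // Look up by username only; the password never appears in the SQL text.
    $stmt = $con->prepare(
        'SELECT Member_Id, Member_Firstname, Member_Surname, Password
         FROM Members WHERE Member_Username = ?'
    );
    $stmt->bind_param('s', $username);   // placeholder, not string concatenation
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matched (needs mysqlnd)
    $stmt->close();
    if ($row === null || !password_verify($password, $row['Password'])) {
        return null;                     // unknown user or wrong password
    }
    unset($row['Password']);
    return $row;
}

try {
    $con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'Letting'); // placeholder credentials
    $member = authenticate($con, postString('Username'), postString('Password'));
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());         // log database errors, do not echo them to the user
    $member = null;
}

if ($member === null) {
    $msg = 'Login failed';
} else {
    session_regenerate_id(true);         // new session id once the user is authenticated
    $_SESSION['MemberId']  = $member['Member_Id'];
    $_SESSION['Firstname'] = $member['Member_Firstname'];
    $_SESSION['Surname']   = $member['Member_Surname'];
    $msg = 'Welcome, ' . htmlspecialchars($member['Member_Firstname']);
}
```

The digests this code verifies are produced at registration with password_hash($plain, PASSWORD_DEFAULT), as the sidenote describes.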
Try this

```php
$query = "SELECT Member_Id, Member_Firstname, Member_Surname
FROM Members WHERE Member_Username = '" . $Username .
"' AND Password = '" . $Password. "'";
```
Rohit Gupta