
I am working on a simple login form without any session. Here is my PHP code:

<?php

  $mysqli = new mysqli( 'localhost', 'cshrnaf_user2', '=cXlIBsdMkdr', 'cshrnaf_mis_db' );

if (isset($_POST['Username'])) {
        $sql = "SELECT * FROM user WHERE email= '{$mysqli->real_escape_string($_POST['Username'])}'  AND password= '{$mysqli->real_escape_string($_POST['Password'])}'  LIMIT 1";
        $res = mysql_query($sql);
        if (mysql_num_rows($res) == 1) {
            echo "YOu have log in";
            exit();
        } else {
            echo "not log in";
            exit();
        }
}
?>

and my Bootstrap code:

</head>
<body class="gray-bg">
    <div class="middle-box text-center loginscreen animated fadeInDown">
        <div>
            <h3>Welcome</h3>
            <p>Login to your account.</p>
            <form method="post" class="m-t" role="form">
                <div class="form-group">
                    <input type="email" class="form-control" name=Username required="">
                </div>
                <div class="form-group">
                    <input type="password" class="form-control" name=Password required="">
                </div>
                <button type="submit" class="btn btn-primary block full-width m-b">Login</button>
            </form>
        </div>
    </div>
    </body>
</html>

It gives me 3 errors:

Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /home/cc/public_html/MIS_cc/login.php on line 7

Warning: mysql_query(): A link to the server could not be established in /home/cc/public_html/MIS_cc/login.php on line 7

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/cc/public_html/MIS_cc/login.php on line 9 not log in

Farhad paikan
  • 89
  • 2
  • 10
  • You are mixing `mysql_*` and `mysqli_*`, which is a no-no. Convert the query and num_rows to mysqli and you will be fixed. http://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php – Matt Jun 18 '16 at 20:01

1 Answer


For your code, change it to this:

<?php

// Assumes the $mysqli connection from the first line of the question is still above this block.
if (isset($_POST['Username'])) {
    $sql = "SELECT * FROM user WHERE email= '{$mysqli->real_escape_string($_POST['Username'])}'  AND password= '{$mysqli->real_escape_string($_POST['Password'])}'  LIMIT 1";
    $res = mysqli_query($mysqli , $sql); // Edited this line
    if (mysqli_num_rows($res) == 1) { //Edited this line
        echo "You have logged in";
        exit();
    } else {
        echo "not logged in";
        exit();
    }
}
?>

However, you really should consider using prepared statements, as escaping the string is not enough to protect yourself against SQL injection.

Example of using prepared statements using your code:

<?php

// Assumes the $mysqli connection from the first line of the question is still above this block.
if (isset($_POST['Username'], $_POST['Password'])) {
    // No real_escape_string here: the values are sent to the server separately by bind_param,
    // so escaping them first would corrupt any quote or backslash in the input and the login would fail.
    $username = $_POST['Username'];
    $password = $_POST['Password'];

    // Wrapping the prepared statement in an IF so if the sql statement is wrong it will return false and allows for error handling.
    if ($stmt = $mysqli->prepare("SELECT * FROM user WHERE email = ? AND password = ? LIMIT 1")) {

        // Bind the above $username and $password to the prepared query
        $stmt->bind_param('ss', $username, $password);

        // Execute the prepared query.
        $stmt->execute();

        // Store result of prepared statement so that num_rows is populated
        $stmt->store_result();
        $rows = $stmt->num_rows;

        // Close the statement before exit(); placed after exit() it would never run.
        $stmt->close();

        if ($rows == 1) {
            echo "You have logged in.";
            exit();
        } else {
            echo "Log in failed.";
            exit();
        }
    }
}
Matt
  • 1,749
  • 2
  • 12
  • 26
  • I tried the code, friend. The 2nd code gives the error: Parse error: syntax error, unexpected '$stmt' (T_VARIABLE) in /home/ccss/public_html/MIS_ccss/login.php on line 17, and the 1st code gives the error: Fatal error: Call to a member function real_escape_string() on a non-object in /home/ccs/public_html/MIS_ccss/login.php on line 4 – Farhad paikan Jun 19 '16 at 15:39
  • @Farhadpaikan have you still got your db connection or did you literally just copy and paste it..? – Matt Jun 19 '16 at 15:52
  • Yes, I just copied and pasted. Now I tried it with the DB connection and it works well. Thanks, friend :) – Farhad paikan Jun 19 '16 at 15:58
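The following is an added example, not code from the question or the answer above. It shows the same login against the same `user` table (`email` and `password` columns) with a prepared statement, and goes one step beyond the thread: the `password` column is assumed to hold a hash produced by `password_hash()` rather than the plaintext the question's query compares, and `mysqli_report()` is switched to exception mode so that a bad query or a failed connection surfaces as an error instead of being echoed as "not logged in". The connection values are placeholders.

```php
<?php
// Added example (not the question's or the answer's code). Assumes a `user` table
// with `email` and `password` columns, where `password` holds the output of
// password_hash() (an assumption; the question stores plaintext). Connection
// values are placeholders.

declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false, so a broken
// query cannot be mistaken for a failed login (the question's third warning was
// exactly that: mysqli_num_rows() called on a boolean).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectDb(): mysqli
{
    // Placeholder credentials: load real ones from environment or config, not source.
    return new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
}

// Used at registration time: store this value in the `password` column.
function hashForStorage(string $plainPassword): string
{
    return password_hash($plainPassword, PASSWORD_DEFAULT);
}

/**
 * Returns true when $email exists and $password matches its stored hash.
 * The query is parameterised: user input never becomes part of the SQL text,
 * so no manual escaping is needed (escaping before bind_param would corrupt it).
 */
function authenticate(mysqli $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();

    $storedHash = null;
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown email takes the same failure path as a wrong password, so the
        // response does not reveal which accounts exist.
        return false;
    }
    return password_verify($password, $storedHash);
}

if (isset($_POST['Username'], $_POST['Password'])) {
    try {
        $db = connectDb();
        if (authenticate($db, $_POST['Username'], $_POST['Password'])) {
            echo 'You have logged in.';
        } else {
            echo 'Log in failed.';
        }
    } catch (mysqli_sql_exception $e) {
        // Keep the driver's message in the server log; the browser gets a generic reply.
        error_log('login db error: ' . $e->getMessage());
        http_response_code(500);
        echo 'Login is temporarily unavailable.';
    }
}
```

Compared with the accepted approach, the query fetches only the stored hash and the comparison happens in PHP with `password_verify()`, which is the reason the `password = ?` condition is gone: a hashed column cannot be matched by equality. `hashForStorage()` is the piece a registration script would call; the login side never sees or stores the plaintext.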