Fail Login Using PHP and MYSQLI

Question

i tried to look on any other website including here but found no solution

$result = null;
$sql = null;

if (isset($_POST['emails'])) {
$emails = $_POST['emails'];
}

if (isset($_POST['pwd'])) {
$passwords = $_POST['pwd'];
}

$conn = mysqli_connect("127.0.0.1","root","","proyektekweb");

if (!$conn) {
echo "Error: Unable to connect to MySQL." . PHP_EOL;
echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
exit;
}

if (isset($_POST['emails']) && isset($_POST['pwd'])) {
$sql = "SELECT * from user where email = '$emails' AND password = '$passwords'";
}

$result = mysqli_query($conn,$sql);

if (!$result) {
printf("Error: %s\n", mysqli_error($conn));
exit();
}

$row = mysqli_fetch_array($result);
if ($row['email'] == $emails && $row['password'] == $passwords){
    echo "Login sukses Welcome".$row['email'];
}else{
    echo "Failed to login";
}

?> and i got this error: Warning: mysqli_query(): Empty query in E:\XAMPP\htdocs\proyektekweb\login.php on line 27

If `if (isset($_POST['emails']) && isset($_POST['pwd'])) {` fails `$sql` is undefined. — Saty, May 11 '17 at 09:24
Your code looks vulnerable to SQL Injections. Please [read more](http://stackoverflow.com/questions/601300/what-is-sql-injection) about these attacks — node_modules, May 11 '17 at 09:25

Ali Niaz · Accepted Answer · 2017-05-11T16:54:46.707

if (isset($_POST['submit'])) {
$conn = new mysqli("127.0.0.1", "root", "", "proyektekweb");
if ($conn->connect_error) {
    echo "Error: Unable to connect to MySQL." . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
} else {
    if (!empty($_POST['emails']) && !empty($_POST['pwd'])) {
        // Check for sql injections before making query
        $stmt = $conn->prepare("SELECT * from user where email = ? AND password = ?");
        $stmt->bind_param('ss', $_POST['emails'], $_POST['pwd']);
        $stmt->execute();
        $result = $stmt->get_result();
        if (!$result) {
            printf("Error: %s\n", mysqli_error($conn));
            exit();
        } else {
            while ($row = $result->fetch_assoc()) {
               // here you can proceed with the logged in user
            }
        }
    }
}

}

You say `"Read about sql injections before passing form data directly into sql"` yet proceed to create more vulnerable code. — Professor Abronsius, May 11 '17 at 11:09

Fail Login Using PHP and MYSQLI

1 Answers1