PHP
if(isset($_POST['login'])) {
  $username = stripcslashes($_POST['username']);
  $password = $_POST['password'];
  if($username != "" && $password != "") {
    try {
      $query = " SELECT password FROM users WHERE username=?";
      $stmt = $db->prepare($query);
      $stmt->bindParam('username', $username, PDO::PARAM_STR);
      $stmt->bindValue('password', $password, PDO::PARAM_STR);
      $stmt->execute();
      $count = $stmt->rowCount();
      $row   = $stmt->fetch(PDO::FETCH_ASSOC);
      if($count == 1 && !empty($row)) {
        /******************** Your code ***********************/
        //$_SESSION['sess_user_id']   = $row['uid'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['name'] = $row['name'];
      } else {
        $msg = "Invalid login credentials";
      }
    } catch (PDOException $e) {
      echo "Error : ".$e->getMessage();
    }
  } else {
    $msg = "Both fields are required!";
  }
}


What I have tried:

I tried a couple of searches on the internet and tried modifying the script.
Posted
Updated 11-Jan-23 18:24pm
v2

Well, this looks like it could be your problem:
PHP
$query = " SELECT password FROM users WHERE username=?";
Your Query has one parameter in it for username, but you are adding two parameters to the command.
PHP
$stmt->bindParam('username', $username, PDO::PARAM_STR);
$stmt->bindValue('password', $password, PDO::PARAM_STR);
Also... I surely hope you aren't saving passwords as plain text.
Comments
Maciej Los 6-Apr-20 11:47am    
5ed!
gavin_daCEO 7-Apr-20 9:09am    
Thank you, I am trying to work out how I can build the query so it can work. No, I do not store the passwords in plain text.
MadMyche 7-Apr-20 9:18am    
You're welcome.
I figured I would check as many people do store them plain
gavin_daCEO 7-Apr-20 9:48am    
Thank you so much. Once I have built a working query and it works, I will let you know. Thanks again.
This is going on three years; however, for anyone stumbling in here later:

Make your SQL statement a string... which you can put variable values into.

Then parameterize your query with bind for the values you want to work with.

PHP
// Build the SQL text; the value slot is a named placeholder (:id), not a literal.
$thingSql = sprintf("INSERT INTO things(
`id`
) VALUES (
:id
);");

// Prepare the statement and bind the value to the placeholder of the same name.
$thingQueryObject = $this->dbConnection->prepare($thingSql);
$thingQueryObject->bindParam(':id', $this->thingId, PDO::PARAM_INT);
Comments
Graeme_Grant 12-Jan-23 0:46am    
The question was already answered with a valid solution. Please keep to current questions where help is needed.

Your answer is not secure and open to SQL injection attacks. Strongly not recommended.

Also, when posting solutions, please adhere to the guidelines and correctly format your code.
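Added example (not part of the question or of either answer above): the login query from the question rewritten with exactly one placeholder and one bound value, as MadMyche's answer points out, and with the stored password checked as a hash rather than read back in plain text. It uses an in-memory SQLite database so it runs stand-alone; the column names (username, name, password) are assumed from the question's code.

```php
<?php
// Look up a user by name and verify the supplied password against the stored hash.
// Returns the user row (without the hash) on success, or null on failure.
function loginUser(PDO $db, string $username, string $password): ?array
{
    // One placeholder in the SQL, so exactly one value is bound. The password is
    // never part of the query: we fetch the stored hash and compare it locally.
    $stmt = $db->prepare('SELECT username, name, password FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same failure result whether the user is missing or the password is wrong,
    // so the response does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // never carry the hash into session data
    return $row;
}

// --- constructed demo data (assumed table layout) -------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, name TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, name, password) VALUES (:u, :n, :p)');
$ins->execute([
    ':u' => "o'brien",                                        // quote in the value is handled by binding
    ':n' => "Pat O'Brien",
    ':p' => password_hash('correct horse battery staple', PASSWORD_DEFAULT), // stored as a hash, never plain text
]);

// Successful login: populate the session the way the question's code does.
$user = loginUser($db, "o'brien", 'correct horse battery staple');
if ($user !== null) {
    session_start();
    session_regenerate_id(true);          // fresh session id after authentication
    $_SESSION['username'] = $user['username'];
    $_SESSION['name']     = $user['name'];
    echo "Logged in as {$user['name']}\n";
} else {
    echo "Invalid login credentials\n";
}

// Wrong password and unknown user both fail cleanly instead of breaking the query.
foreach ([["o'brien", 'wrong'], ['nobody', 'x']] as [$u, $p]) {
    echo $u, ': ', loginUser($db, $u, $p) === null ? 'rejected' : 'accepted', "\n";
}
```

Binding the username once and verifying the password with password_verify() removes both the parameter-count mismatch and the need to ever select a plain-text password.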

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)