This is a login page. It returns 0 even when the user and pass are right.
```php
<?php
session_start();
$conn = mysqli_connect('localhost', 'root', '', 'script');
if (isset($_POST['sub'])) {
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $result = mysqli_query($conn, 'SELECT * FROM admin WHERE username = "$user" AND password = "$pass"');
    echo mysqli_num_rows($result);
}
?>
```
This code should work:
```php
<?php
session_start();
$conn = mysqli_connect('localhost', 'root', '', 'script');
if (isset($_POST['sub'])) {
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $result = mysqli_query($conn, "SELECT * FROM admin WHERE username = '$user' AND password = '$pass'");
    echo mysqli_num_rows($result);
}
?>
```
Just change the quotes.
In PHP, strings delimited with `'` characters do not interpolate variables. You are searching for the user called `$user`, not the user called whatever is stored in the `$user` variable.
The quick hack is to swap your quotes around. The proper solution is to use prepared queries with placeholders.
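The prepared-query approach named in the last answer, as an added example that is not part of the original posts. It uses PDO with an in-memory SQLite table holding constructed sample data so it runs without a MySQL server, and it assumes the `password` column stores a `password_hash()` value; with mysqli the same pattern uses `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()`.

```php
<?php
// Added example: constructed in-memory table, so no MySQL server is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)');

// Assumption: the password column holds a password_hash() value, not plaintext.
// The sample user name contains an apostrophe on purpose.
$seed = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
$seed->execute(["o'brien", password_hash('constructed-sample-pass', PASSWORD_DEFAULT)]);

// Interpolated query: the submitted value becomes part of the SQL text itself.
// Returns the row count, or null when the resulting SQL no longer parses.
function count_interpolated(PDO $db, string $user): ?int
{
    try {
        $rows = $db->query("SELECT * FROM admin WHERE username = '$user'")->fetchAll();
        return count($rows);
    } catch (PDOException $e) {
        // The apostrophe inside the value closed the SQL string literal early.
        return null;
    }
}

// Prepared query: the SQL text is fixed, the value is bound to the placeholder
// and is only ever treated as data, whatever characters it contains.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no such user exists
    return $hash !== false && password_verify($pass, $hash);
}

// Same user name through both paths, then a wrong password through the safe one.
var_dump(count_interpolated($db, "o'brien"));
var_dump(login_prepared($db, "o'brien", 'constructed-sample-pass'));
var_dump(login_prepared($db, "o'brien", 'wrong-pass'));
```

Because interpolated input can alter the structure of the statement, swapping the quotes leaves the query open to SQL injection; binding values to placeholders removes that class of problem.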