This is my current code for taking a user log in:
<?php
$uName = "";
$uNameMsg = "";
$pWord = "";
$pWordMsg = "";
if(isset($_POST["submit"])){
$uName = $_POST["username"];
if (empty($uName)) {
$uNameMsg = "please enter a username<br/>";
}
$pWord = $_POST["password"];
if (empty($pWord)) {
$pWordMsg = "please enter a password<br/>";
}
}
?>
//form goes here
<?php
require_once("conn.php");
$sql = "SELECT username, password FROM customers
WHERE username = $uName
AND password = $pWord";
$results = mysqli_query($conn, $sql)
or die ('Problem with query' . mysqli_error($conn));
if (mysqli_num_rows($results) < 1) {
echo "invalid username and password";
} else {
echo "query success, redirect header goes here";
}
?>
I get a syntax error saying that the 'AND password =' clause is wrong. and then it is saying that the error is located at line 3, my tag, while the 'AND password ='is in line 75.
this is the start of my code from line 1:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Customer Login</title>
<link rel="stylesheet" href="customerlogin.css">
</head>
Your variable string concatenation is wrong in the SQL statement try the bellow one instead of your query code line
$sql = "SELECT username, password FROM customers
WHERE username = '".$uName." '
AND password = '".$pWord."'";
Change your query in php as follows
$sql = "SELECT username, password FROM customers
WHERE username = '{$uName}'
AND password = '{$pWord}'";
I assume username is a string,so it needs to be passed as string using ''
Change your query like this:
$sql = "SELECT username, password FROM customers WHERE username = '$uName ' AND password = '$pWord'";
When you pass string value you should cover with quotes.
You can use this.This definitely gonna work:
$sql = "SELECT username, password FROM customers
WHERE username = '$uName'
AND password = '$pWord'";
You missed quote ' around the values. You can use only numbers without quotes as values strings should be quoted. Your query is vulnerable to sql enjection so either escape your fields or use pdo. See below code for escaping the fields.
$pWord = $conn->real_escape_string($pWord);
$uName = $conn->real_escape_string($uName);
$sql = "SELECT username, password FROM customers
WHERE username = '$uName'
AND password = '$pWord'";