sql查询每次都失败

<html>
<head>
</head>
<body>
<form action="login_process.php" method="post">
SID: <input type="text" name="sid">
<br />
Password: <input type="text" name="pw">
<br />
<input type="submit" value="Login">
</form>
</body>
</html>

login_process.php FILE enter image description here

<html>
<head>
</head>
<body>
<?php
include ("connection.php");

$sid = $_POST['sid'];
$pw = $_POST['pw'];

setcookie("username", "$sid". time()+86400);

$result = mysqli_query($con, "SELECT SID FROM student_table WHERE SID='$sid' and password='$pw'") or die('Query failed');


if(!$result){
    echo "Failed";
    } else {
        echo "success". $_COOKIE['username'];
        $_SESSION['username'] = $sid;
        }        
?>
</body>
</html>

I have data in my student_table. But no matter what input i give it says success. even if i click login button without any input it still says success. please help.

Start learning basic debugging:

When a query fails bad, just do this:

Instead of running it (mysql_query, or mysqli_query or whatever you have), ECHO it:

echo "SELECT SID FROM student_table WHERE SID='$sid' and password='$pw'";

After you submit the form, you will be shown the query that runs, go to phpmyadmin or whatever you use and run the query manually. See if there are errors and also see easier what's going on. Advisable when you do work like this, FIRST try the queries in phpmyadmin then apply them in the code, after you are confident they are ok.

You should use quotes when you assign values in sql queries .

SELECT 
    SID 
FROM 
    student_table 
WHERE 
    SID = '$sid' and password = '$pw'

Also look forward Prepared Statements to protect yourself from sql injections.You should also add the code below to fetch selected row :

while ($row = mysqli_fetch_array($result)) {
   $_SESSION['username'] = $row['SID'];
}

This is not really an answer but more about how to find out what is going wrong when you code does not work as you expect.

First, always put you SQL into a variable by itself. Why, so you can 'var_dump' it and see what is happening. So, try this:

$sql = "SELECT SID FROM student_table WHERE SID=$sid and password=$pw";

var_dump($sql, 'my_query'); // you will see what PHP created.

then try the answer provided:

$sql = "SELECT 
    SID 
FROM 
    student_table 
WHERE 
    SID = '$sid' and password = '$pw'";

At least you will see what is likely to be incorrect.

var_dump($sql, 'the answer_query'); // you will see what PHP created.

$result = mysqli_query($con, $sql) or die('Query failed');

The outer quote marks must be " (double quote) not " ' " (single quote) both of which are perfectly valid PHP. the former allows variables to be replaced in strings. The latter will treat eveything as a literal string.