Checking whether there are any results in the database using PDO prepared statements

<?php

//I wanna make a login page

//This is my logon.php, which gets data from my login.php and checks if the given (username, password) exists in my database, and if it does, it allows you to continue to view my index.php.

//I wanna do it with PDO prepared statements.

//Here is my connection to Database

$db_host="localhost";
$db_username="root";
$db_pass="";
$db_name="admin";

$db=new mysqli("$db_host","$db_username","$db_pass","$db_name");

echo $db->connect_errno;

if($db->connect_errno){
    die("sorry we have some  problems");

}

if($_SERVER ['REQUEST_METHOD']=='POST'){

        $username=$_POST['username'];
        $password=$_POST['password'];

        $username=htmlspecialchars($username);
        $password=htmlspecialchars($password);

//Here I try to check in my database if the given username AND password exist, and somehow check if I got any results, i.e. if I got 1, 2, 3... rows that match the username and password.

//This is what I wanna do with PDO... please help!

        $pdo->prepare$sql=('SELECT * FROM members WHERE username = :username and password = :password' );
        $pdo->execute(array(':username' => $username, ':password'=>$password));

//Here is what i wanna do if i got any results from my database

        if($result){
            $num_rows=mysqli_num_rows($result);
            if($num_rows>0){
                session_start();
                $_SESSION['check']="1";
                header ("Location:index.php");
            }
            else{
                session_start();
                $_SESSION['check']=""; 
                header ("Location:index.php");

            }
        }

    }





    ?>

These two lines are a mess:

$pdo->prepare$sql=('SELECT * FROM members WHERE username = :username and password = :password' );
$pdo->execute(array(':username' => $username, ':password'=>$password));

First off, we don't see that you created a PDO connection. There's a mysqli connection. Choose either PDO or mysqli, you can't intermix functions from the two libraries.

The PDO prepare function/method returns a statement object PDOStatement.

The PDOStatement object has an execute function/method.

try {
   $pdo = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
   echo 'Connection failed: ' . $e->getMessage();
}
$sql = "select ... ";
$sth=$pdo->prepare($sql);
$sth->execute(...);

You may want to look at the examples in the documentation, e.g.

http://php.net/manual/en/pdostatement.execute.php

If you want to know if the query returns a row or not, you could simply do fetch from it, and test whether it returns FALSE.

$row = $sth->fetch(PDO::FETCH_ASSOC);

And this line:

mysqli_num_rows($result);

$result hasn't been assigned a value. And again, you can't intermix functions from PDO and mysqli. Those are two different interface libraries.


Storing passwords in plain text is a really bad idea.
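
The points made in the answers above, combined in one added example that is not part of the original posts: a single PDO connection, a prepared lookup by username, `fetch()` tested against `false`, and a stored hash checked with `password_verify()` instead of a plain-text comparison. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL), a constructed `members` table with a `password_hash` column, and a hypothetical `check_login()` helper.

```php
<?php
// Added example. The schema, the sample user and check_login() are constructed
// for illustration; SQLite in memory stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns true only if the username exists and the password matches its stored hash.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // prepare() returns a PDOStatement; the raw input is bound as data, not
    // spliced into the SQL. htmlspecialchars() is for HTML output, not for queries.
    $sth = $pdo->prepare('SELECT password_hash FROM members WHERE username = :username');
    $sth->execute([':username' => $username]);

    // fetch() returns false when no row matched, so no row count is needed.
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // The password never appears in the WHERE clause; it is verified against the hash.
    return password_verify($password, $row['password_hash']);
}

// Constructed login attempts: valid, wrong password, unknown user, and a
// username containing a quote character, which is handled as an ordinary value.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['bob', 'correct horse'],
    ["o'neil", 'x'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-8s => %s\n", $u, check_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```

Only the first attempt is accepted. In the login script, `session_start()` and the redirect would go in the branch where `check_login()` returns true.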