I am attempting to check that myusername and mypassword are in the database and if they are print the results. I cannot get the results to be returned and displayed if they match what is in the database, can someone assist please?
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
//echo $myusername;
//echo $mypassword;
$stmt = $db->prepare('SELECT * FROM ADMIN_LOGIN WHERE USERNAME = $myusername AND PASSWORD = $mypassword');
//var_dump($stmt->readOnly()); // -> true
Rework the code as:
$result = $db->query("SELECT * FROM ADMIN_LOGIN WHERE USERNAME = '$myusername' AND PASSWORD = '$mypassword'");
while ($row = $result->fetchArray()) {
print $row["USERNAME"] . "
";
print $row["PASSWORD"] . "
";
}
You're not using prepared statements correctly. Prepared statments work by sending the server first what the query will be, then sending the parameters. That way the server cant be exploited, as the query structure "phase" will have already have been completed.
$sql = "SELECT * FROM ADMIN_LOGIN WHERE USERNAME = ? AND PASSWORD = ? LIMIT 1"
$sth = $dbh->prepare($sql);
$sth->execute(array($_POST['username'], $_POST['password']));
$res = $sth->fetch();