Cannot login using php and mysql

Question

I am getting an error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Password='kdsdj'' at line 1

The code for my login validation is as follows. The login is validated if the entered username and password match the value in the database.

<?php 
include 'Database.php';
$username = $_POST['username'];
$password = $_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);

$query = mysqli_query(
    $con, "SELECT * FROM student WHERE Username='$username',Password='$password'"
)
or die(mysqli_error($con));

$res = mysqli_fetch_array($query);

if ($res['Username'] == $username && $res['Password'] == $password) {
    header('location:List.php');
} else {
    header('location:index.php');
}

?>

Note that you're storing the actual password in the database, rather than a hashed, salted version (which cannot be reversed to produce the original). This is a very serious security flaw. Search for advice on password security. — JonJ, Dec 16 '18 at 07:50
Have a read of [How to use password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash). — Nigel Ren, Dec 16 '18 at 07:53
Also please read [How to create a secure mysql prepared statement in php?](https://stackoverflow.com/questions/1290975/how-to-create-a-secure-mysql-prepared-statement-in-php) — Nigel Ren, Dec 16 '18 at 07:54

score 0 · Accepted Answer · answered Dec 16 '18 at 07:45

0

In your query, you need to replace the comma with either AND or &&. However the AND is the recommended choice.

Like so:

"SELECT * FROM student WHERE Username='$username' AND Password='$password'"

answered Dec 16 '18 at 07:45

Joseph_J

3,654
2
13
22

Cannot login using php and mysql

1 Answers1