Login system - return 1 (HELP)

Hi, I have started to learn PHP (login system) and really need help. How do I return 1 when I enter email and password?
I am already using: echo $results = mysqli_num_rows($result);
I think I have missed something in the code:

<?php

$error = ''; // initialise so the .= appends and the later if ($error) check are defined

if ($_POST['submit']) {

    if (!$_POST['email']) {
        $error .= "Please enter your email";
    } else if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        $error .= "Please enter a valid email address";
    }

    if (!$_POST['password']) {
        $error .= "<br />Please enter your password";
    } else {
        if (strlen($_POST['password']) < 8) $error .= "<br />Please enter a password with at least 8 characters";
        if (!preg_match('`[A-Z]`', $_POST['password'])) $error .= "<br />Please include at least one capital letter in your password";
    }

    if ($error) {
        echo "There were error(s) in your signup details:" . $error;
    } else {
        $link = mysqli_connect("localhost", "username", "password", "database");

        // the opening quote before the email value is missing here (see the replies below)
        $query = "SELECT * FROM `users` WHERE email=" . mysqli_real_escape_string($link, $_POST['email']) . "'";

        $result = mysqli_query($link, $query);

        echo $results = mysqli_num_rows($result);
    }

}

?>

<form method='post'>
    <input type='email' name='email' id='email' />
    <input type='password' name='password' />
    <input type='submit' name='submit' value='Sign up' />
</form>

Well i’m not sure why you want to echo a 1, but echo $results after you’ve assigned it.

I’m also gonna suggest you put single-line if’s in curly braces if you’re going to be nesting that many ifs in and around each other, it’s… incredibly difficult to read your code without indentation and braces.

I am following a tutorial, and when login details are entered I need to return 1:
http://postimg.org/image/n7sxsl1gt/full/

Your lecturer teaches some ugly code practices.

What precisely happens when you submit data to your form? (not what SHOULD happen, what DOES happen)

This is the only valuable tutorial I found and I have no choice but to learn from this, and in my opinion it's better to complete this course than to jump from one to another.

By the way, what course would you recommend, if you're telling me this?

There’s an error in the SQL statement (missing ’ before email).

Note: when using prepared statements, there is no need for string delimiters around your data.

regarding login, you should use a bcrypt hash as returned from password_hash() and verify that (using password_verify()).

It’s of no value, if it teaches you incorrect methodologies.

You always have a choice with today’s Internet.

If the course is outdated or downright teaching bad practices, it is one you should drop like a hot potato.

Scott


A few things to note:

  1. The use of prepared statements is much more preferable to mysqli_real_escape_string, as prepared statements eliminate the risk of SQL injection attacks.
  2. When checking if a user already exists you should be checking if the username or the email already exists; that can be done with a single query, and if 1 or more rows are found then reject either the username or email as appropriate. If you get more than two matches then you’ll have a problem.
  3. It’s probably (hopefully) done elsewhere but make sure that when hashing the user’s password, if you’re using PHP version 5.5 or newer make use of the built in functions for hashing passwords (there’s a backwards compatible library available for PHP version 5.4 and older - sorry don’t have the link to hand)
  4. When you’re selecting stuff from a database, don’t use the dreaded, evil SELECT *, list the fields you require only, using the “leading commas” convention.
  5. When dealing with if, elseif or else blocks indent the code that is within the block
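Putting the advice from the replies above together (prepared statements with no string delimiters around the data, a single duplicate check on username or email, an explicit column list instead of SELECT *, and password_hash()/password_verify()), as an added example that is not code from the thread or the tutorial. It assumes PDO with an in-memory SQLite database so it runs stand-alone, in place of the mysqli/MySQL connection in the original post; the users table and rows are constructed sample data.

```php
<?php
// Added example, not from the thread: signup and login done the way the replies suggest.
// Assumption: PDO + in-memory SQLite so this runs stand-alone (the post used mysqli/MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT UNIQUE, password_hash TEXT)');

// Register: one prepared query checks username OR email; the password is stored only as a bcrypt hash.
function register(PDO $db, string $username, string $email, string $password): string
{
    // Placeholders carry the values, so no quotes are needed around them and no escaping is done by hand.
    $check = $db->prepare('SELECT username, email FROM users WHERE username = ? OR email = ?');
    $check->execute([$username, $email]);
    foreach ($check->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ($row['username'] === $username) {
            return 'username already taken';
        }
        if ($row['email'] === $email) {
            return 'email already registered';
        }
    }
    $insert = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
    $insert->execute([$username, $email, password_hash($password, PASSWORD_BCRYPT)]);
    return 'ok';
}

// Login: select only the columns needed and let password_verify() compare against the stored hash.
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Constructed sample calls: a fresh signup, a duplicate email, a correct login,
// and an input containing quote characters, which the placeholder treats as plain data.
echo register($db, 'alice', 'alice@example.com', 'Correct1Horse'), "\n";
echo register($db, 'bob', 'alice@example.com', 'AnotherPass1'), "\n";
var_dump(login($db, 'alice@example.com', 'Correct1Horse'));
var_dump(login($db, "alice@example.com' OR '1'='1", 'Correct1Horse'));
```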

Is the library this one for the older versions that does not support password_hash & password verify: http://www.openwall.com/phpass/ ?

Also I have seen lately a lot of comments like “SELECT * FROM blabla” is EVIL. Why exactly it is so evil?

EDIT:
Okay nvm, the first article I read tells it's a performance related issue, but how BIG an impact will it have after all? Is it really that significant? I am not saying that you should use “SELECT * FROM blabla” :) But just out of curiosity I would like to know if someone has done benchmarks on the subject? I guess my main question is whether it is just a micro optimization at most or does it really have a bigger impact?

EDIT2:
Also, when using ORMs wouldn't it select all columns too?

I’m sure it is less efficient. How much so maybe @r937 could comment

(OT lol new avatar?)

It’s ircmaxell/password-compat (e.g. via Composer).

Maintenance.

  1. If you remove a column from the DB table you likely get an unknown index error that is hard to track. With explicitly requested columns you’ll get an SQL error if the query does not match the table anymore.

  2. If you list all fields there is no need to know the table in order to use the correct result indices, because all necessary information is included in the PHP code.

Both true.
