PHP Login form/code - PDO

Hey everyone,

Constantly failing at creating php code for a login form which will pull the ‘username’ from the database and correctly match that username with the password (which is saved in the database - phpmyadmin).

Using PDO, I have viewed some tutorials and the php.net manual.

I’m not looking for someone to give me a login script, but just to help me from scratch with some advice.

I’ve got the session_start() etc

Thanks for helping, this is driving me crazy :(

I hope this helps you get started

<?php
$login = trim($_POST['login']);
$pass = trim($_POST['pass']);

$dbh = new PDO('mysql:host=localhost;dbname=mydatabase', 'user', 'pass');
// The ? placeholders keep the submitted values out of the SQL text;
// PDO sends them separately as data when the statement is executed.
$sth = $dbh->prepare("SELECT * FROM table WHERE login = ? AND pass = ?");
$sth->bindParam(1, $login);
$sth->bindParam(2, $pass);
$sth->execute();

if ($sth->rowCount() > 0)
{
  // session stuff,
  // refresh page
}

<?php
try {
	include ('connect_db.php');
	$db = getConnection();
	echo "<br /><br />";

	$email = trim($_POST['email']);
	$pass = trim($_POST['password']);

	$sql = $db->prepare("SELECT * FROM tablename WHERE email ="$email" AND password="$pass");
	$result = $db->query($sql);

	echo "$dbh";*/

	foreach ($result as $row) {
		echo $row['email'] .' - '. $row['password'] . '
		';
	}

	$db = null; // close the database connection
} catch(PDOException $e){

}
?>

I seem to be receiving the error on the select statement, any advice?

Out of curiosity, are you using an editor which has syntax highlighting?

I use Notepad++, which will usually show simple (but very common, and easy) errors such as including too many " in an SQL query.

Edit: “too many” is probably not the best way to phrase that - rather incorrectly using " instead of '.

If you can’t spot the error on your own you really need to read up on basic PHP programming.

Furthermore, your code is just as susceptible to injection as it would be without prepared statements. Prepared statements don’t eliminate injection concerns if not used properly.

What information have you been reading? Because what you have derived is incorrect on various levels. Either the information you're reading is incorrect or it's not being understood.


try {
    include ('connect_db.php');
    $db = getConnection();
    echo "<br /><br />";
    
    $email = trim($_POST['email']);
    $pass = trim($_POST['password']);
    
    $sql = $db->prepare("SELECT * FROM tablename WHERE email='$email' AND password='$pass'");
    $result = $db->query($sql);
    
    echo "$dbh";
    foreach ($result as $row) {
        echo $row['email'] .' - '. $row['password'];
    }
    $db = null; // close the database connection
}
catch(PDOException $e){}

I only fixed the syntax error. See for yourself what the fixes were. You need to do more within the code, like preventing the SQL injection, etc.
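To make concrete the point raised above (prepared statements only help when the values are bound, not pasted into the SQL string) and the "you need to do more" remark, here is an added example that is not code from anyone in this thread. It uses an in-memory SQLite database so it runs offline; the `users` table, its columns and the sample account are assumptions, not the original poster's schema, and it checks the password with `password_verify()` against a stored hash rather than matching plaintext in the WHERE clause.

```php
<?php
// Added example, not from the thread. Table/column names are assumptions.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)");
    // Constructed sample user; the column holds a hash, not the plaintext password.
    $ins = $db->prepare("INSERT INTO users (email, password) VALUES (?, ?)");
    $ins->execute(["o'neil@example.com", password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern from the thread: values are interpolated into the SQL text, so the
// database parses them as SQL. Even an honest apostrophe in the email breaks it.
function loginInterpolated(PDO $db, string $email, string $pass): bool {
    $stmt = $db->query("SELECT * FROM users WHERE email='$email' AND password='$pass'");
    return $stmt->fetch() !== false;
}

// The corrected pattern: a placeholder for the email, which PDO sends as data,
// and the password compared with password_verify() against the stored hash.
function loginBound(PDO $db, string $email, string $pass): bool {
    $stmt = $db->prepare("SELECT password FROM users WHERE email = ?");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

$db = makeDb();
$email = "o'neil@example.com"; // constructed input containing an apostrophe

var_dump(loginBound($db, $email, 'correct horse'));
var_dump(loginBound($db, $email, 'wrong password'));

try {
    loginInterpolated($db, $email, 'correct horse');
} catch (PDOException $e) {
    // The apostrophe in the email terminated the string literal in the SQL text.
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}
```

The bound version succeeds for the right password and fails for the wrong one, while the interpolated version cannot even log in the legitimate user because the apostrophe in the email is read as SQL.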

$sql = $db->prepare("SELECT * FROM tablename WHERE email ="$email" AND password="$pass");

You can modify this like:

$sql = $db->prepare("SELECT * FROM tablename WHERE email ='$email' AND password='$pass'");

This is all you need to change:

$sql = $db->prepare("SELECT * FROM tablename WHERE email ='$email' AND password='$pass'");

But $sql is a prepared statement, it wouldn’t even work if you passed that to PDO’s query function, right?

Silo, JREAM posted a very good starting script, be sure to study, copy and improve it. What you have now is, unfortunately, wrong.