Explain and modify php code

[kattah]

Hi all

I'm new to php

can someone explain this code, which is used to get the id of the user when he type the user name and password correctly:

Code: Select all

<?php

include('../includes/config.php');

$phone_no=$_GET["phone_no"];
$pw=$_GET["pw"];

$q="SELECT  *  FROM users WHERE phone_num='$phone_no' "; 
    $result = $con->query($q);

// Mysql_num_row is counting table row
$count=mysqli_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
    $row = mysqli_fetch_assoc($result);
    if ( $row['pw']== $pw){
        $_SESSION['phone_no']= "phone_no";
        $_SESSION['pw']= "pw"; 
       // echo "Login Successful";
        print($row['id']);
        return true;
    }
    else {
		
		
        echo "Wrong Username or Password";
        return false;
    }
}
else{
    echo "Wrong Username or Password";
    return false;
} 

?>

also I want to add a new condition to the select statement, which is value of the field (blocked) of the type varchar must be 0

thanks

[Phi11W]

The code is not doing anything with username and password.
It's retrieving every column from the users table (Bad Idea) where the phone_no field matches the value entered.

It is not protecting against SQL Injection attacks. (Bad Idea)
Obligatory XKCD Reference - Little Bobby Tables.

it would be far better to retrieve the count of rows that match the criteria you specify. That's only a single data value instead of how ever many columns are defined on that table, of whatever size.

Code: Select all

select count( * ) c 
from users 
where ... 

When you do get this code as far as working with passwords - do not store passwords in plain text (Bad Idea). Use a hashing algorithm and store (and compare against) the result of that.