Explain and modify php code

Ask about general coding issues or problems here.

Moderators: egami, macek, gesf

Post Reply
New php-forum User
New php-forum User
Posts: 1
Joined: Tue Mar 20, 2018 1:01 am

Tue Mar 20, 2018 1:26 am

Hi all

I'm new to php :)

can someone explain this code, which is used to get the id of the user when he type the user name and password correctly:

Code: Select all




$q="SELECT  *  FROM users WHERE phone_num='$phone_no' "; 
    $result = $con->query($q);

// Mysql_num_row is counting table row
// If result matched $username and $password, table row must be 1 row
    $row = mysqli_fetch_assoc($result);
    if ( $row['pw']== $pw){
        $_SESSION['phone_no']= "phone_no";
        $_SESSION['pw']= "pw"; 
       // echo "Login Successful";
        return true;
    else {
        echo "Wrong Username or Password";
        return false;
    echo "Wrong Username or Password";
    return false;

also I want to add a new condition to the select statement, which is value of the field (blocked) of the type varchar must be 0


New php-forum User
New php-forum User
Posts: 17
Joined: Thu Aug 17, 2017 3:37 am

Tue Mar 20, 2018 4:15 am

The code is not doing anything with username and password.
It's retrieving every column from the users table (Bad Idea) where the phone_no field matches the value entered.

It is not protecting against SQL Injection attacks. (Bad Idea)
Obligatory XKCD Reference - Little Bobby Tables.

it would be far better to retrieve the count of rows that match the criteria you specify. That's only a single data value instead of how ever many columns are defined on that table, of whatever size.

Code: Select all

select count( * ) c 
from users 
where ... 
When you do get this code as far as working with passwords - do not store passwords in plain text (Bad Idea). Use a hashing algorithm and store (and compare against) the result of that.
Phill W.

Post Reply