Here is my code:
$usersql = "Select fab2_type from feesys_admin where adminname ='$_POST[username]' and adminemail = '$_POST[password]'";
$userresult = mysql_query($usersql) or die ("<h3>Error in query: $query. ".mysql_error()."</h3>");
$num_rows = mysql_num_rows($userresult);
if($num_rows > 0) {
if($userresult['fab2_type']=='Partner'){
}
When I run the SQL statement on the database through PHP Admin, it works fine. But it returns empty within the results here.
I checked to make sure the database connects fine.
I checked all spelling
Number of rows returns correctly.
No syntax errors.
When I echo the username and password and the sql statement, it's all correct.
This code used to work so I have no idea what's going wrong here.
It is because you have not quoted your $_POST array variables properly. You have $_POST[username] and $_POST[password]. It should be $_POST['username'] and $_POST['password']. This causes PHP to interpret username and password as constants.
Here is a different shot at your syntax -
$usersql = "SELECT `fab2_type` FROM `feesys_admin` WHERE `adminname` ='".$_POST['username']."' AND `adminemail` = '".$_POST['password']."' ";
You could further shorten this by predefining (as Fred says below).
$user = $_POST['username']; // please sanitize this
$pass = $_POST['password']; // please sanitize this
$usersql = "SELECT `fab2_type` FROM `feesys_admin` WHERE `adminname` ='".$user."' AND `adminemail` = '".$pass."' ";
You're very at risk for SQL injection if you don't clean up user input.
- Consult the following on Stack: How to prevent SQL Injection.
Password related
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
I recommed you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
