<?php include "db/config.php";?>
function loginCheck($username,$password) 
$sql=mysql_query("select UserId, UserName, Password from user_login where UserName= '$_POST[username]' and Password= '$_POST[password]'");
//select * from user_login where UserName='mownam' and Password='welcome'

                $result =mysql_query($sql);
                if(mysql_num_rows($result) > 0)

                echo "<center>successfully logged<br />".$uname;
                ?><div align="center" style="background-color: #FFFFCC"style="font:"Courier New" , Courier, monospace" style="font:message-box " style="font-size:10px" 
                id="loginerror"><strong>Invalid Username password</strong></div>
                <?php }

function insertValues($username,$password) {
 $sql=mysql_query("INSERT INTO user_login (UserId, UserName,Password, add_rights, update_rights,view_rights,delete_rights) VALUES ('','$_POST[username]','$_POST[password]','','','','')");
 echo "ok";

function updateValues($username,$password) {
 $sql=mysql_query("update person set  dob='$c', password='$b' where username='$username'");

function deleteValues($username) {

 $sql=mysql_query("delete from person where  username='$a'");


Edited by Nick Evan: Fixed formatting

5 Years
Discussion Span
Last Post by stoopkid
$sql=mysql_query("Select UserId, UserName, Password FROM user_login Where UserName= '".$_POST['username']."' and Password= '".$_POST['password']."'");

This is correct written..
How ever are you sure there are POSTs ? if its function perhaps there should be $username an $password (values from the function vars) not POSTs ..



$query="Select UserId, UserName, Password FROM user_login Where UserName= '".$_POST['username']."' and Password= '".$_POST['password']."'";
echo $query;
$sql=mysql_query($query) or die(mysql_error());

at least you get some more info


$result =mysql_query($sql);, is not valid. Due to your post, $sql is mysql resource, not a string (mysql command). Perhaps, it should be:

$sql = "SELECT `UserId`, `UserName`, `Password` FROM `user_login` WHERE `UserName` = '" . $_POST['username'] . "' AND Password= '" . $_POST['password'] . "'";
$result = mysql_query($sql);

- Use UPPERCASE for mysql syntax such (SELECT, INSERT, DELETE, UPDATE)
- Use CODE tag to wrap the codes you want to post.

Edited by happygeek: fixed formatting


ardav is right; you really must be careful when accepting user generated $_POST/$_GET/$_REQUEST variables.

This looks like a portion of a login script, so I hope my code helps. This script also converts the password to an md5 string (more secure and good practice). The password row is set to varchar in the mysql database.

Instead of pulling all the db rows on the user, it counts to make sure the user exists ($rowCheck > 0) and then proceeds (valid login).


include('config.php'); //holds db information and begins with session_start();

 if(isset($_POST['username'])) {
 	$username = mysql_real_escape_string($_POST['username']);
 if(isset($_POST['password'])) {
 	$password = mysql_real_escape_string($_POST['password']);
 $password = md5($password);
$sql = "SELECT COUNT(*) FROM `users` WHERE username = '$username' AND password = '$password'";


//check that at least one row was returned

$rowCheck = mysql_result($result, 0);

if($rowCheck > 0) {

	$_SESSION['username'] = $username;

header ("Location: index.php");

  //we will redirect the user to another page where we will make sure they're logged in

  } else {
  //if nothing is returned by the query, unsuccessful login code goes here...

  echo 'Incorrect login name or password. Please try again.<br>';

  echo "$username - $password";


This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.