Hi there,
I have been trying to fix the problem in the code below for a long time. It did work for me at some point, then it suddenly stopped storing the user's details in a session.

        $user  = $_POST['username'];
        $pass  = $_POST['password'];
        $query = "SELECT username, password FROM
                  USERS WHERE username = '$user' 
                  AND password='$pass' ";

        $result = mysql_query($query) or mysql_error();

        $row = mysql_fetch_assoc($result);

        if(  $row['username'] == $user ){

            $_SESSION['username'] = $row['username'];
            $_SESSION['password'] = $row['password'];

And this is the form where the above-mentioned script gets the values from:

            echo "<form action='log_in.php' method='post' >";
                        echo "<input type='text'     name='username' placeholder='username' "; 
                        echo "<input type='password' name='password' placeholder='password' ";
                        echo "<input type='submit' value='Log in' > ";   
            echo "</form>";

I had a similar problem, but it was due to something like not adding: if isset

    // Fall back to an empty string when the field was not submitted
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';

Have you tried turning on all errors to see what may be causing the problem?



session_start() must be called at the start of every page or you will lose the session variables when that page loads.


Although the thread is closed, I should add that you are vulnerable to what is called SQL Injection.
This is where people enter malicious code into your form and, because SQL executes it as part of the query, it can do a lot of damage.

The best way as of the present is to use the new MySQL(improved) extension or to just simply add mysql_real_escape_string before you POST.

Instead of $user = $_POST['username']; you should use $user = mysql_real_escape_string($_POST['username']); at a minimum to escape any dangerous characters.


SQL injection is indeed a problem. However, as opposed to using mysql_* functions, you should give serious thought to moving across to mysqli_* or PDO. mysql_* has an uncertain future. The benefit of PDO, for example, is that you can apply parameterized queries:

    // Placeholders are bound as data at execute time, not spliced into the SQL text
    $st = $db->prepare("SELECT field3, field4 FROM table WHERE field1 = :f1 AND field2 = :f2");
    $st->execute(array(':f1'=>$var1, ':f2'=>$var2));

That does away with all the escaping routines.

Edited by diafol


To expand upon what diafol said, PDO also provides a layer of abstraction to the database so that you can change DBMSs in the future without having to rewrite all of your querying code.
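
The fixes suggested in this thread (session_start(), checking that the POST fields exist, PDO parameterized queries) combined into one login routine, as an added example that is not part of the original discussion. Assumptions: an in-memory SQLite `users` table with a `password_hash` column filled by password_hash(), the pdo_sqlite extension, and the hypothetical function names `sample_db`, `attempt_login` and `log_in`.

```php
<?php
declare(strict_types=1);

// Constructed sample database (assumption: passwords are stored with password_hash()).
function sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $st = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $st->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the authenticated username, or null on any failure.
function attempt_login(PDO $db, array $post): ?string {
    // Missing or non-string fields (for example username[]=x) are rejected early.
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass) || $user === '') {
        return null;
    }
    // The value is bound as data; it never becomes part of the SQL text.
    $st = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $st->execute([':u' => $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Page-level wrapper: starts the session before touching $_SESSION.
function log_in(PDO $db, array $post): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // needed on every page that reads or writes $_SESSION
    }
    $name = attempt_login($db, $post);
    if ($name === null) {
        return false;
    }
    session_regenerate_id(true);    // issue a fresh session id once the user is authenticated
    $_SESSION['username'] = $name;  // keep the identity only, never the password
    return true;
}

$db = sample_db();
// Constructed inputs: a valid login, then quote-laden values that are treated as literal strings.
var_dump(attempt_login($db, ['username' => 'alice', 'password' => 'correct horse']));
var_dump(attempt_login($db, ['username' => "alice' OR '1'='1", 'password' => "' OR '1'='1"]));
```

In a real page, `log_in($db, $_POST)` would replace the query and `$_SESSION` assignments from the original script.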


Please, anyone help me. I want PHP code for a barcode reader now; I want the whole complete code....



Please start a new thread - do not hijack this solved thread.
Better still, search this site as I remember this coming up many times in the past.
