php - Admin login not working correctly

Question

so i'm having an issue with an "admin login" that i've been trying to make work. If you guys can check out my code to see what's going on, it would be very helpful. All of the names match what's in mysql. The error keeps coming up saying I don't have the correct username/password... but I do!

<?php

if (isset($_POST['login'])){    

$con = mysql_connect("localhost", "dxhxxx", "tcqxxx");
if (!$con){
die("Cannot connect:" . mysql_error()); 
}

mysql_select_db("dxh6110",$con);

$userName = $_POST['username'];
$passWord = $_POST['password'];

$sql = "select * from Churchadmin where username='$userName' AND      password='$passWord'";
mysql_query($sql,$con);

if(mysqli_num_rows($run)>0){

    $_SESSION['username']=$userName;
    $_SESSION['password']=$passWord;
    //if all information is good you will go to the next page
    echo "<script>window.open('view_prayers.php','_self')</script>";

    }
    //if password or username is wrong this will give them an alert
    else{
    echo "<script>alert('Admin details are incorrect!')</script>";
    }

}

mysql_close($con);

?>

Answer 1

Firstly, you're mixing MySQL libraries with mysqli_num_rows use mysql_num_rows.

• Those different MySQL functions do not intermix with each other.

You also need to start the session if you haven't already.

• http://php.net/manual/en/session.examples.basic.php

Make sure also that your form elements contain name attributes.

I.e.: <input type="text" name="username"> etc.

Then this line:

mysql_query($sql,$con);

if(mysqli_num_rows($run)>0){

that should read as

$run = mysql_query($sql,$con);

if(mysql_num_rows($run)>0){

• There is no $run variable defined for it.

• Error reporting would have thrown you an Undefined variable run... notice.

You may also change

$run = mysql_query($sql,$con);

to

$run = mysql_query($sql,$con) or die(mysql_error($con));

• In order to see if your query failed.

---

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Plus, in regards to SQL injection, use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never production.