[HTML] $_POST error

[brsy]

Okay, I know using POST is very exploitable, but I created a PHP function to filter them out. I just need some help with a quick error. Here's my page that contains my form:

Index.php

<html>
    <head>
        <link rel="stylesheet" type="text/css" href="css/global.css" />
        <title>Administrative Panel: Login</title>
    </head>
    <body>
        <div class="loginContainer">
            <div class="loginBox">
                <div class="loginHeader">
                    <div class="loginDivider">
                                <form action="submit.php" method="post">
                                    <input type="text" class="loginInput" placeholder="Username..." name="username" />
                                    <input type="password" class="loginInput" placeholder="************" name="password" />
                                    <input type="submit" class="loginSubmit" value="" name="submit" />
                                </form>
 
                    </div>
                </div>
            </div>
        </div>
    </body>
</html>

Submit.php

<?php
//include('../class/class.configuration.php');
require_once('/class/class.module.php');
    $username = $_POST['username'];
    $password = $_POST['password'];
 
    echo "$password . $username";
?>

 

[Kryptos]

<?php
//include('../class/class.configuration.php');
require_once('/class/class.module.php');
    $username = $_POST['username'];
    $password = $_POST['password'];
 
if(isset($_POST['submit'])) {
    if(isset($username) && isset($password)) {
    echo "$password . $username";
  }else { echo 'Please fill in all fields'; } 
}
?>

That should do what you want.

 

[brsy]

Hmm, that works quite nicely... So if I wanted to compare the password with the one in the database, I would change the "echo blah blah blah" to SELECT `password` FROM `users` WHERE `password` = "$password"

Afterwards, I would do another if statement for the error handling.
Am I correct?

 

[Kryptos]

Hmm, that works quite nicely... So if I wanted to compare the password with the one in the database, I would change the "echo blah blah blah" to SELECT `password` FROM `users` WHERE `password` = "$password"

Afterwards, I would do another if statement for the error handling.
Am I correct?

You'd want to so a MySQL query, yes. Just not that query.

 

[brsy]

Is this the proper query?

$select = SELECT `password` FROM `users` WHERE `username` = "$username"
$sellectArray = mysql_fecth_array($data)
if($selectArray != $password) {
echo "y u no put right password?!";
}

Afterwards, I would then use

 

[Kryptos]

Is this the proper query?

$select = "SELECT `password` FROM `users` WHERE `username` = '$username' LIMIT 1"
$selectArray = mysql_fetch_array($data)
if($selectArray['password'] != $password) {
echo "y u no put right password?!";
}
else{
echo 'yay';
}

Afterwards, I would then use

The query is a string, you have to put it between quotes.

 

[brsy]

Is there a specific website you learned PHP from? I might want to check it out to further develop my knowledge

 

[Markshall]

You must be registered for see links

You must be registered for see links

I never learned from these because I already knew a lot in PHP, but these two channels are excellent. From PHPAcademy, Alex is my favourite guy. He explains everything in such detail.