I'm new to MySQL. I created a login page that will run PHP to query the database.
I want to make a prepared statement to prevent SQL injection but it is not working. $result gives me 0.
cgi-bin/welcome.php
<?php
$email= $_POST["email"];
$pwd = $_POST["password"];
$dbh=mysqli_connect("localhost",
"zzengnin",<password>,"zzengnin_wheel")
or die ('Database is not able to connect');
$qry= "SELECT email FROM Info WHERE email=? AND pw=?";
if ($stmt = mysqli_prepare($link, $qry)) {
mysqli_stmt_bind_param($stmt, "ss", $email, $pwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $result);
mysqli_stmt_fetch($stmt);
printf("result email is %s
", $result);
}
if(mysqli_num_rows($result)>0)
{
echo "Welcome! '$email', you are officially logged in! ";
}
else{
echo "Your Email or Password is WRONG!!!!";
echo $result + " result";
}
mysqli_stmt_close($stmt);
mysqli_close($dbh);
?>
This is the form login.php
<!DOCTYPE html>
<head><title>Wheel Sharing</title>
<link rel = "stylesheet" type = "text/css" href = "CSS/style.css">
</head>
<body>
<h1>Log in</h1>
<form action="cgi-bin/welcome.php" method="post">
Email: <input name="email" type="text" size="20"/>
<br/>
Password: <input name="password" type="password" >
<br/>
<input type="submit" value="Login"/> <input type="reset" value="Reset"/>
</form>
</body>
</html>
All help appreciated:)
