I have student table which has student login information like id number , pincode and their detail.
The students id is like: 0123/08 pincode is: 1234
The working condition: For example when the student is login without slash 0134 and pincode, then the data is fetched successfully.Which means when 0134 id is available. The problem: when the student is login with backslash and existing id 0123/08 and pincode, then the student can log but the data is not fetched. can any one solve the problem:
<?php session_start(); ?>
<html>
<head>
<title>Login</title>
<style type="text/css">
h3{font-family: Calibri; font-size: 22pt; font-style: normal; font-weight: bold; color:SlateBlue;
text-align: center; text-decoration: underline }
table{font-family: Calibri; color:white; font-size: 11pt; font-style: normal;
text-align:; background-color: Silver; border-collapse: collapse;
border: 2px solid navy; float: left;
margin-left: 25%;
margin: 10%; }
table.inner{border: 0px}
</style>
</head>
<body>
<?php
include("db.php");
if(isset($_POST['submit'])) {
//Start session
//Include database connection details
require_once('db.php');
//Array to store validation errors
$errmsg_arr = array();
//Validation error flag
$errflag = false;
//Connect to mysql server
$link = mysql_connect("localhost", "root", "");
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}
//Select database
// $db = mysql_select_db("cbe");
//if(!$db) {
// die("Unable to select database");
// }
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
//Sanitize the POST values
$login = clean($_POST['student_id']);
$password = clean($_POST['pincode']);
//Input Validations
if($login == '') {
$errmsg_arr[] = 'Login ID missing';
$errflag = true;
}
if($password == '') {
$errmsg_arr[] = 'Password missing';
$errflag = true;
}
//If there are input validations, redirect back to the login form
//if($errflag) {
// $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
// session_write_close();
// header("location: login.php");
// exit();
//}
//Create query
$qry="SELECT * FROM student WHERE stud_id='$login' AND stud_pincode='$password'";
$result = mysqli_query($db,$qry) or die("Error: ".mysqli_error($db));
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
if(is_array($row) && !empty($row)) {
$_SESSION['name'] = $row['stud_fname'];
$_SESSION['id'] = $row['stud_id'];
echo $row['stud_id'];
$_SESSION['favcolor'] = 'green';
$_SESSION['animal'] = 'cat';
$_SESSION['time'] = time();
header("location: index.php");
exit();
}else {
echo "Invalid username or password.";
echo "<br/>";
echo "<a href='login.php'>Go back</a>";
}
if(isset($_SESSION['id'])) {
header('Location: index.php');
}
}
else {
?>
<p><font size="+2">Login</font></p>
<form name="form1" method="POST" action="">
<table width="75%" border="0">
<tr>
<td width="15%">ID Number:</td>
<td><input type="text" name="student_id" ></td>
</tr>
<tr>
<td width="15%">Student PIN:</td>
<td><input type="password" name="pincode"></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="submit" value="Submit"></td>
<td> </td>
</tr>
<tr><td>Not registered? </td>
<td><a href=/cbe/RegisterStudent.html>Reister Now!</a></td>
</tr>
</table>
</form>
<?php
}
?>
</body>
</html>
specially this things from above code will have any problem?
//Sanitize the POST values
$login = clean($_POST['student_id']);
$password = clean($_POST['pincode']);
$qry="SELECT * FROM student WHERE stud_id='$login' AND stud_pincode='$password'";
$result = mysqli_query($db,$qry) or die("Error: ".mysqli_error($db));
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
if(is_array($row) && !empty($row)) {
$_SESSION['name'] = $row['stud_fname'];
$_SESSION['id'] = $row['stud_id'];
echo $row['stud_id'];
header("location: index.php");
exit();
}
The php file which fetches the data:
<?php
$query = "SELECT * FROM student WHERE stud_id=".$_SESSION['id']." ORDER BY id DESC";
if ($result = $db->query($query)) {
/* fetch associative array */
while ($row = $result->fetch_assoc()) {
printf ("%s (%s)
", $row["stud_fname"], $row["stud_lname"]);
echo "<tr>";
echo "<td>". $row['stud_id']."</td>";
echo "<td>". $row['stud_fname']."</td>";
echo "<td>". $row['stud_lname']."</td>";
echo "<td>". $row['stud_gfname']."</td>";
echo "<td>". $row['stud_gender']."</td>";
echo "<td>". $row['stud_dep']."</td>";
echo "<td><a href=\"edit.php?id= $row[id]\">Edit</a> </td>";
//Delete Code: <a href=\"delete.php?id= $row[id]\" onClick=\"return confirm('Are you sure you want to delete?')\">Delete</a>
}
/* free result set */
$result->free();
}
?>