Already looked at the other answers but couldn't fix it. Monday i've got school exams and they want us to build a basic CMS (add, edit, delete pages, resized images). My programming knowledge is beginner and I don't know much about OOP (PDO), design patterns, best practices and like that kind of things.
As I checked my query in phpMyAdmin it looks fine. In the header include there is the connection included.
<?php
include('inc/header.php');
if(isset($_POST["submit"])) {
$username = trim($_POST["username"]);
$password = trim($_POST["password"]);
$password_secure = md5($password);
if($username == "") {
$error++;
$_SESSION["loginerror"] = true;
header("location: loginerror.php");
exit;
}
if($password == "") {
$error++;
$_SESSION["loginerror"] = true;
header("location: loginerror.php");
exit;
}
if($username != "" && $password != "") {
$sql = "SELECT * FROM user WHERE username = '".$username."'
AND password = '".$password_secure."'";
}
if(mysqli_num_rows($query == 1)) {
$row = mysqli_fetch_array($query);
$_SESSION['username'] = $row["username"];
$_SESSION['firstname'] = $row["firstname"];
$_SESSION['lastname'] = $row["lastname"];
$_SESSION['login'] = true;
header("location: user.php");
exit;
}
} else {
header("location: index.php");
exit;
}
?>
Is it also smart to check the POST request with $_SERVER['REQUEST_METHOD'] == 'POST'
instead of a isset() and escape SQL with mysql_real_escape_string
in the query?
Thanks