0

When I turn it on and then it show

Warning: mysqli_query(): Empty query in C:\xampp\htdocs\databasehomework\check_login.php on line 21

connection.php

<?php
$con = mysqli_connect("localhost","root","","databasehomework")or die("...");
mysqli_set_charset($con,'utf8');
?

check_login.php

<?php
error_reporting( error_reporting() & ~E_NOTICE );
    require 'dbcon.php';

    session_start();
             $status= filter_input(INPUT_POST, 'status', FILTER_SANITIZE_SPECIAL_CHARS);
             $username= filter_input(INPUT_POST, 'txtUsername', FILTER_SANITIZE_SPECIAL_CHARS);
             $password= filter_input(INPUT_POST, 'txtPassword', FILTER_SANITIZE_SPECIAL_CHARS);

                      if($status=='admin'){
                      $strSQL = "SELECT * FROM data_admin WHERE username = '$username' 
    and password = '$password'";
    }else if ($status=='staff') {
        $strSQL = "SELECT * FROM data_staff WHERE email = '$username' 
        and password = '$password'";
    }else if($status=='student'){
        $strSQL = "SELECT * FROM data_nisit WHERE std_code = '$username' 
        and std_password = '$password'";
    }
                          print($strSQL);
                      $objQuery = mysqli_query($con,$strSQL)or die ();
    $objResult = mysqli_fetch_array($objQuery,MYSQLI_ASSOC);

    if(!$objResult){
        echo "<script type='text/javascript'>alert('กรุณาตรวจสอบข้อมูล อีเมล์ หรือ รหัสผ่านให้ถูกต้อง');</script>";
        echo "<script type='text/javascript'>history.go(-1);</script>";
    }else{
            if($status=='admin'){
                $_SESSION["Status"] = "ADMIN";
                $_SESSION["User"] = $objResult["username"];
            }else if($status=='staff'){
                $_SESSION["Status"] = "STAFF";
                $_SESSION["UserId"] = $objResult["staff_code"];
                $_SESSION["UserName"] = $objResult["tname"].$objResult["fname"]." ".$objResult["lname"];
            }else if($status=='student'){
                $_SESSION["Status"] = "STUDENT";
                $_SESSION["UserId"] = $objResult["std_code"];
                $_SESSION["UserName"] = $objResult["std_tname"].$objResult["std_fname"]." ".$objResult["std_lname"];
            }

            session_write_close();

            if($_SESSION["Status"] == "ADMIN"){
                header("location:index_admin.php");
            }else if($_SESSION["Status"] == "STAFF"){
                header("location:index_staff.php");
            }else if($_SESSION["Status"] == "STUDENT"){
                header("location:index_nisit.php");
            }
    }
    mysqli_close($con);
?>
Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
maiamy
  • 1
  • 1
  • 1
    Does your `print($strSQL);` print any query? I'm guessing since you have all `if`s and `else if`s, there might be a case when your code doesn't come in any of them, hence returning an empty `$strSQL` variable. – gaganshera May 12 '17 at 19:55
  • 2
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman May 12 '17 at 19:56
  • This code could also be improved by employing [`switch`](http://php.net/manual/en/control-structures.switch.php) rather than a pile of `if` statements. – tadman May 12 '17 at 19:56
  • 1
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 12 '17 at 19:56
  • 1
    Allow users to use the [passwords / phrases](https://xkcd.com/936/) they desire. [Don't limit passwords.](http://jayblanchard.net/security_fail_passwords.html) – Jay Blanchard May 12 '17 at 19:57
  • To expand on @gaganshera's comment, make sure that $status has a value that matches one of the conditions in your code. print $status and check its value. Are you loading this page directly or posting (submitting a form) to it from another page? – Dylan May 12 '17 at 19:58

0 Answers0