Having problem with login confirmation

[Izzatur Rahman]

Hello there..I need some help regarding on my project..I'm having problem with my login...I cannot go through the next page when login..I'm using session because need to drag all user's info till they logout from the system.. I need your help to figure it out because I'm lost..Here's the code..The code given to you is the process for the login... Thanks for your help..<?phpsession_start();?><?php$db = "penyelenggaraan";$link = mysql_connect('localhost', 'root', '');if (!$link) die(mysql_error());mysql_select_db($db ,$link)or die("Couldn't open $db: " .mysql_error());$id=$_POST['id'];$password=$_POST['password'];$a="SELECT FROM admin WHERE id='$id', password='$password'";$result=mysql_query($a);$count=mysql_num_rows($result);if($count > 0){header("Location: admin_option.php");}else{header("Location: admin.php");}mysql_close($link);?>

[Ingolme]

There are multiple problems.

 

First of all, your SQL query might not work because you should be using the AND operator in your query:

WHERE id='$id' AND password='$password'

 

Secondly, the mysql library is deprecated due to security vulnerabilities. Use MySQLi or PDO

 

Third, and very important, you're wide open for hacking. You have not sanitized the data coming from the user, so they can easily get in without a password. Search for "SQL injection" on your favorite search engine.

If they use "' OR 1" as their ID they can access your secret page without needing a password

 

I hope your page admin_option.php is checking to make sure that the user is logged in before showing anything. If not, people can simply type admin_option.php in their browser and get to the page, bypassing the login system.