Apparently the classic SQL injection (' or '1'='1' -- ') does not work on this login, but is it safe enough, and what do you suggest if it's not?

index.php:

<?php

include_once 'includes/connection.php';

if (isset($_POST['login'])) {
    $username = $_POST['usernameInput'];
    $password = md5($_POST['passwordInput']);

    // Both values are bound as parameters, not concatenated into the SQL text.
    $query = $pdo->prepare("SELECT * FROM users WHERE u_n = ? AND u_p = ?");
    $query->bindValue(1, $username);
    $query->bindValue(2, $password);
    $query->execute();
    $rows = $query->rowCount();

    if ($rows == 1) {
        echo "welcome back";
    } else {
        echo "incorrect username or password";
    }
}

?>

<html>
<center>
    Login :
    <form action="index.php" method="post">
        <input type="text" name="usernameInput" placeholder="Username" autocomplete="off" />
        <input type="password" name="passwordInput" placeholder="Password" autocomplete="off" />
        <input type="submit" name="login" value="Login" />
    </form>
</center>
</html>

connection.php:

<?php
try {
    $pdo = new PDO('mysql:host=localhost;dbname=justLove', 'root', 'root');
} catch (PDOException $e) {
    exit('cannot connect to database.');
}
?>

Waiting for your answer :)
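
An added example, not part of the original post: the same login flow with the prepared statement kept and the `md5()` comparison replaced by PHP's `password_hash()` / `password_verify()`. It assumes the `pdo_sqlite` extension and uses a constructed in-memory table and sample account so it runs without the MySQL server; the `u_n` / `u_p` column names come from the question, while `register()`, `login()` and `DUMMY_HASH` are hypothetical names.

```php
<?php
// In-memory SQLite stands in for the MySQL database (assumption, so this runs offline).
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false to get server-side prepares.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (u_n TEXT PRIMARY KEY, u_p TEXT NOT NULL)');

// Hash verified for unknown usernames, so both failure paths do comparable work.
define('DUMMY_HASH', password_hash('unused-placeholder', PASSWORD_DEFAULT));

// Registration: store a salted, deliberately slow hash instead of md5().
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (u_n, u_p) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: select by username only, then check the password in PHP.
// The hash is salted, so it cannot be matched with "AND u_p = ?" in SQL.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT u_p FROM users WHERE u_n = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no row matches

    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET u_p = ? WHERE u_n = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample account and three login attempts.
register($pdo, 'alice', 'correct horse battery');
var_dump(login($pdo, 'alice', 'correct horse battery')); // valid credentials
var_dump(login($pdo, 'alice', 'wrong password'));        // wrong password
var_dump(login($pdo, "' or '1'='1' -- ", 'anything'));   // string from the question, bound as data
```

The generic "incorrect username or password" message from the question is worth keeping, since it does not reveal which of the two values was wrong.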
