<?php // do not show any errors to the end user ini_set('display_errors', 'O

1. <?php
2. // do not show any errors to the end user
3. ini_set('display_errors', 'Off');
4.  
5. error_reporting(E_ALL | E_STRICT);
6.  
7. echo "<html>";
8.  
9. if (isset($_POST["username"]) && isset($_POST["password"])) {
10.  
11. $servername = "localhost";
12. $username = "sqli-user";
13. $password = 'AxU3a9w-azMC7LKzxrVJ^tu5qnM_98Eb';
14. $dbname = "SqliDB";
15. $conn = new mysqli($servername, $username, $password, $dbname);
16.  
17. if ($conn->connect_error){
18. die("Connection failed");
19. }
20.  
21. $user = $_POST['username'];
22. $pass = $_POST['password'];
23. $sql = "SELECT * FROM login WHERE User=? AND Password=?";
24.  
25. // prepare statement template
26. $stmt = $conn->prepare($sql);
27.  
28. // bind statement parameters
29. $stmt->bind_param("ss", $user, $pass);
30.  
31. // execute the prepared statement
32. $stmt->execute();
33.  
34. // get the resultset
35. $result = $stmt->get_result();
36.  
37. // check if only one row was returned
38. if ($result->num_rows === 1){
39. while($row = $result->fetch_assoc()) {
40. echo "You logged in as " . $row["User"];
41. echo "<html>You logged in as " . $row["User"] . "</html>\n";
42. }
43. } else {
44. echo "Sorry to say, that's invalid login info!";
45. }
46.  
47. $stmt->close();
48. $conn->close();
49.  
50. } else {
51. echo "Must supply username and password...";
52. }
53.  
54. echo "</html>";
55. ?>