Home/ Questions/Q 8781913
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T20:25:53+00:00

I know i should be using prepare statements and sanitizing the data i’m just

  • 0

I know i should be using prepare statements and sanitizing the data i’m just checking the PDO driver

I just want to know why if i’m passing just random data the query returns true?

just notice this PDO::query — Executes an SQL statement, returning a result set as a PDOStatement object

    $dbuser = 'root';
$dbpass = 'root';
$formpost = false;
try
{
    $dbh = new PDO('mysql:host=127.0.0.1;dbname=loginexample', $dbuser, $dbpass);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
if(!empty($_POST['username']) && !empty($_POST['password']))
{
    $formpost = true;
    $username = $_POST['username'];
    $password = $_POST['password'];
}

if($dbh && $formpost)
{
    $sql= "SELECT username, password FROM user WHERE username='$username' AND password='$password'";
    if($dbh->query($sql))
    {
        echo 'true';
    }
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This line: if($dbh->query($sql)) might not return an object that contains any found records, but it returns an object nonetheless. An object that might tell you that the number of found rows equals zero, for instance.

    Try returning true or false based on the number of found records….

    • 0