Is this the Correct style of coding


lucky-8
11-16-2007, 07:22 AM
<lots of HTML code>

<?php

$user=$_POST['name'];
$pass=$_POST['pass'];

$obj=new db();
$obj->connect("root","","scp");
$query="select * from client_info where client_login_name_email='$user' and
client_password like '$pass' ";
$result=$obj->query($query);
//echo $result;
if($obj->numrow($result)==1)
{
    $display="<a href=cust_reg.php>Enter New Customer Report</a> | ";
    $display.="<a href=#>View Existing Customer Reports</a></align>";

    echo $display;
}
else
{
    echo "Access Denied";
}
?>


<the above is again followed by HTML code>

I have 3 questions in mind....

1. Is this the correct style of coding, or should I put all kinds of querying in one PHP class file and call those methods only from a PHP file? Is it OK to have PHP in between the HTML like this?

2. Once the user is authenticated from the database I want the browser to load another page. How do I do that? I mean, what code should I write in the if... or should this be done right on top before the headers are sent?

3. Using SQL injection I should be able to crack this password by entering
something' OR 'x=x but it doesn't crack... why is that?

dougal85
11-16-2007, 12:36 PM
I think you maybe meant to edit your post; however, it looks like you posted twice.

There is no standard way to write PHP that I know of. So these are my opinions...

1. It's good practice to try and separate your PHP code from your HTML code as much as you can. Similar to how you keep your CSS separate and so on.

2. You should do this before headers are sent, since you would use the header() function to redirect users and this can't be sent twice.

3. Again, it's a good idea to try and separate your database from your PHP as much as you can too, so keeping SQL queries all in one place makes sense.

4. Try entering: ' OR 1=1

wilku
11-16-2007, 01:48 PM
I have 3 questions in mind....

1. Is this the correct style of coding, or should I put all kinds of querying in one PHP class file and call those methods only from a PHP file?

I'd put such functionality in at least a function, if not in a class, for example:

<?php
function authenticate($user,$pass)
{
    $success = false;
    //do your sql here and set $success to true when the login matches

    if ($success) return true;
    else return false;
}

//when it's time to see if a user can be authenticated

if (authenticate($_POST['user'],$_POST['pass']))
{
    //do something
}
else
{
    //do something
}
?>


Is it OK to have PHP in between the HTML like this?

Yes, it's just another way of echoing output to the browser. You can even close PHP tags inside an if block (AFAIR, not inside a class definition).

2. Once the user is authenticated from the database I want the browser to load another page. How do I do that? I mean, what code should I write in the if... or should this be done right on top before the headers are sent?

It can be done with headers. Using previous example:

if (authenticate($_POST['user'],$_POST['pass']))
{
    header('Location: http://www.yoursite.com/authenticated/');
}
else
{
    header('Location: http://www.yoursite.com/denied/');
}
exit; //stop here so nothing after the redirect runs or is sent

Remember that headers can be sent only if no output was started earlier. A couple of spaces or a newline before <?php counts as output.

3. Using SQL injection I should be able to crack this password by entering
something' OR 'x=x but it doesn't crack... why is that?
Probably magic quotes. PHP adds slashes before single quotes for you. It has to be turned on in php.ini, but it is by default. Don't count on it, though. Look at mysql_real_escape_string and get_magic_quotes_gpc.

NogDog
11-16-2007, 02:03 PM
4. name' or 1=1;--

('--' means treat the rest of the line as a comment.)

Weedpacket
11-17-2007, 07:31 AM
Duplicate thread merged.
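
An added example, not part of any post in this thread: the authenticate() function suggested above, written with a PDO prepared statement so the login check does not depend on magic quotes or manual escaping. The in-memory SQLite database, the sample accounts and the use of password_hash() for the stored password are assumptions made for illustration; the table and column names come from the original post.

```php
<?php
// Added example, not code from the thread. Assumes the PDO SQLite driver;
// table and column names are the ones in the original post.
function authenticate(PDO $db, string $user, string $pass): bool
{
    // The placeholder keeps $user out of the SQL text, so quotes, OR and --
    // inside it are compared as data instead of being parsed as SQL.
    $stmt = $db->prepare(
        'SELECT client_password FROM client_info
          WHERE client_login_name_email = :user'
    );
    $stmt->execute([':user' => $user]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Exactly one account must match, as in the original numrow() == 1 check.
    if (count($rows) !== 1) {
        return false;
    }
    // Assumption: the column holds a password_hash() value, not plaintext.
    return password_verify($pass, $rows[0]);
}

// Constructed sample data in an in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE client_info (
    client_login_name_email TEXT PRIMARY KEY,
    client_password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO client_info VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(['bob@example.com', password_hash('hunter2-sample', PASSWORD_DEFAULT)]);

// One valid login, one wrong password, then the strings quoted in the thread.
$attempts = [
    ['alice@example.com', 'correct horse'],
    ['alice@example.com', 'wrong'],
    ["something' OR 'x=x", "something' OR 'x=x"],
    ["' OR 1=1", 'anything'],
    ["name' or 1=1;--", 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $ok = authenticate($db, $user, $pass);
    printf("%-22s => %s\n", $user, $ok ? 'authenticated' : 'Access Denied');
}
```

Only the first attempt is authenticated; every other row prints "Access Denied" because the whole input string is looked up as a login name that does not exist.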