php and MySQL

  • comp_guy

    php and MySQL

    Hey guys, I have been working on a simple form which validates if a
    user is valid or not. I am a newbie and just want to deny unauthorised
    access to a 'members' page. I wish to compare the password entered by
    the user with that they entered into their submitted registration
    form. However, I keep getting a MySQL error message 'query was empty'.
    I was hoping someone would know my failings! Here is my code:

    <?php

    $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");

    $password=$_POST['password'];

    mysql_select_db("sjcdb",$connection) or die("failed!");

    $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

    $result = mysql_query($sql)or die(mysql_error());

    $rows = mysql_num_rows($result);

    if ($rows){

    if ($password == $row[9]){

    header("Location:members.html");
    }
    else
    {
    header("Location:register.html");
    exit;
    }
    }
    mysql_close();

    ?>

  • Geoff Berrow

    #2
    Re: php and MySQL

    Message-ID: <1143380252.455408.289030@e56g2000cwe.googlegroups.com> from
    comp_guy contained the following:

    >I was hoping someone would know my failings! Here is my code:

    I hope this isn't coursework... And please, do not multipost, I've a
    feeling I've already answered some of this elsewhere.

    >
    ><?php
    >
    >$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");
    >
    >$password=$_POST['password'];

    Arrrgh!! I know I corrected this!
    $password=mysql_real_escape_string($_POST['password']);

    >
    >mysql_select_db("sjcdb",$connection) or die("failed!");
    >
    >$sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

    This should be
    $sql = "SELECT * FROM users WHERE password = '$password'";

    >
    >$result = mysql_query($sql)or die(mysql_error());
    >
    >$rows = mysql_num_rows($result);

    $rows will contain the number of rows.

    >
    >if ($rows){

    I think I'd prefer
    if($rows>0){

    >
    > if ($password == $row[9]){

    What's this for? $rows is not an array and doesn't magically contain
    the password. You just checked if there was a row with a password so
    this is not doing anything.


    Try again.
    --
    Geoff Berrow (put thecat out to email)
    It's only Usenet, no one dies.
    My opinions, not the committee's, mine.
    Simple RFDs http://www.ckdog.co.uk/rfdmaker/


    • David Haynes

      #3
      Re: php and MySQL

      comp_guy wrote:
      > Hey guys, I have been working on a simple form which validates if a
      > user is valid or not. I am a newbie and just want to deny unauthorised
      > access to a 'members' page. I wish to compare the password entered by
      > the user with that they entered into their submitted registration
      > form. However, I keep getting a MySQL error message 'query was empty'.
      > I was hoping someone would know my failings! Here is my code:
      >
      > <?php
      >
      > $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");
      >
      > $password=$_POST['password'];
      >
      > mysql_select_db("sjcdb",$connection) or die("failed!");
      >
      > $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");
      >
      > $result = mysql_query($sql)or die(mysql_error());
      >
      > $rows = mysql_num_rows($result);
      >
      > if ($rows){
      >
      > if ($password == $row[9]){
      >
      > header("Location:members.html");
      > }
      > else
      > {
      > header("Location:register.html");
      > exit;
      > }
      > }
      > mysql_close();
      >
      > ?>
      >

      A couple of observations...

      This:
      $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

      sets $sql to be the result set of the query...
      while this:
      $result = mysql_query($sql)or die(mysql_error());

      tries to do another query using the result set. That's just not right.

      I suggest you do something like:
      $sql = "select count(*) from users where password = '$password'";
      $result = mysql_query($sql, $connection);

      $row = mysql_fetch_row($result);
      if( $row[0] ) {
      ...

      mysql_free_result($result);
      mysql_close($connection);

      -david-


      • David Haynes

        #4
        Re: php and MySQL

        comp_guy wrote:
        > Hey guys, I have been working on a simple form which validates if a
        > user is valid or not. I am a newbie and just want to deny unauthorised
        > access to a 'members' page. I wish to compare the password entered by
        > the user with that they entered into their submitted registration
        > form. However, I keep getting a MySQL error message 'query was empty'.
        > I was hoping someone would know my failings! Here is my code:
        >
        > <?php
        >
        > $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");
        >
        > $password=$_POST['password'];
        >
        > mysql_select_db("sjcdb",$connection) or die("failed!");
        >
        > $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");
        >
        > $result = mysql_query($sql)or die(mysql_error());
        >
        > $rows = mysql_num_rows($result);
        >
        > if ($rows){
        >
        > if ($password == $row[9]){
        >
        > header("Location:members.html");
        > }
        > else
        > {
        > header("Location:register.html");
        > exit;
        > }
        > }
        > mysql_close();
        >
        > ?>
        >

        A couple of observations...

        This:
        $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

        sets $sql to be the result set of the query...
        while this:
        $result = mysql_query($sql)or die(mysql_error());

        tries to do another query using the result set. That's just not right.

        I suggest you do something like:
        $sql = "select count(*) from users where password = '$password'";
        $result = mysql_query($sql, $connection);

        $row = mysql_fetch_row($result);
        if( $row[0] ) {
        ...

        mysql_free_result($result);
        mysql_close($connection);

        Also, your second comparison to $row[9] is not needed. The password
        match is already accounted for in the where clause of the SQL query.

        -david-


        • Nicholas Sherlock

          #5
          Re: php and MySQL

          comp_guy wrote:
          > I wish to compare the password entered by
          > the user with that they entered into their submitted registration

          > $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

          Um, don't you want to match usernames and passwords? Here, if one user
          has the password "Test", then everyone can log in with the password
          "Test". I'd:

          $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");

          // Escape the form values before they go into the query string.
          $password=mysql_real_escape_string($_POST['password']);
          $username=mysql_real_escape_string($_POST['username']);

          mysql_select_db("sjcdb",$connection) or die("failed!");

          $result = mysql_query("SELECT * FROM users WHERE username='$username'
          AND password = '$password'") or die(mysql_error());

          $rows = mysql_num_rows($result);

          mysql_close();

          if ($rows>0){
          header("Location:members.html");
          } else {
          header("Location:register.html");
          exit;
          }

          Cheers,
          Nicholas Sherlock
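
An added example, not part of any post in this thread: the login check the replies converge on (match on username, keep form input out of the SQL text), written with a PDO prepared statement and `password_hash()`/`password_verify()` in place of the `mysql_*` calls and plaintext comparison shown above. It assumes PHP 7.1+ with the PDO SQLite driver; the in-memory database, table layout, `alice` account and the `make_demo_db()`/`check_login()` names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: an in-memory SQLite
// database (via PDO) stands in for the MySQL server; the table layout, the
// sample account and both function names are hypothetical.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    // Registration stores a salted hash, never the password itself.
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('Test', PASSWORD_DEFAULT)]); // constructed account
    return $db;
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Select by username only. The placeholder sends the value separately
    // from the SQL text, so quote characters in it cannot alter the query.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists

    // Compare against that one user's hash; a password that belongs to a
    // different account no longer lets anyone in.
    return is_string($hash) && password_verify($password, $hash);
}

$db = make_demo_db();
$attempts = [                       // constructed form submissions
    ['alice', 'Test'],              // correct username and password
    ['bob',   'Test'],              // another account's password, unknown user
    ['alice', "Te'st"],             // quote character in the input
    ['alice', ''],                  // empty password
];
foreach ($attempts as [$user, $pass]) {
    // In the real page this would be header('Location: ...'); exit;
    $target = check_login($db, $user, $pass) ? 'members.html' : 'register.html';
    printf("%-6s %-8s -> %s\n", $user, var_export($pass, true), $target);
}
```

Against MySQL the same functions work with a `mysql:` PDO DSN; the `mysql_*` functions used in the thread were removed in PHP 7.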
