php and MySQL

comp_guy

Mar 26, 2006, 8:37:32 AM
hey guys, i have been working on a simple form which validates if a
user is valid or not. i am a newbie and just want to deny unauthorised
access to a 'members' page. I wish to compare the password entered by
the user with that they entered into their submitted registration
form.. however i keep getting a MySQL error message 'query was empty'.
i was hoping someone would know my failings! here is my code:

<?php

$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");

$password=$_POST['password'];

mysql_select_db("sjcdb",$connection) or die("failed!");

$sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

$result = mysql_query($sql)or die(mysql_error());

$rows = mysql_num_rows($result);

if ($rows){

if ($password == $row[9]){

header("Location:members.html");
}
else
{
header("Location:register.html");
exit;
}
}
mysql_close();

?>

Geoff Berrow

Mar 26, 2006, 9:02:18 AM
Message-ID: <1143380252.4...@e56g2000cwe.googlegroups.com> from
comp_guy contained the following:

>i was hoping someone would know my failings! here is my code:

I hope this isn't coursework... And please, do not multipost, I've a
feeling I've already answered some of this elsewhere.

>
><?php
>
>$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my
>password here");
>
>$password=$_POST['password'];

Arrrgh!! I know I corrected this!
$password=mysql_real_escape_string($_POST['password']);


>
>mysql_select_db("sjcdb",$connection) or die("failed!");
>
>$sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

this should be
$sql = "SELECT * FROM users WHERE password = '$password'";


>
>$result = mysql_query($sql)or die(mysql_error());
>
>$rows = mysql_num_rows($result);

$rows will contain the number of rows
>
>if ($rows){
I think I'd prefer
if($rows>0){


>
> if ($password == $row[9]){

What's this for? $rows is not an array and doesn't magically contain
the password. You just checked if there was a row with a password so
this is not doing anything.


Try again.
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

David Haynes

Mar 26, 2006, 9:02:54 AM

A couple of observations...

This:


$sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

sets $sql to be the result set of the query...
while this:
$result = mysql_query($sql)or die(mysql_error());

tries to do another query using the result set. That's just not right.

I suggest you do something like:
$sql = "select count(*) from users where password = '$password'";
$result = mysql_query($sql, $connection);

$row = mysql_fetch_row($result);
if( $row[0] ) {
...

mysql_free_result($result);
mysql_close($connection);

-david-

David Haynes

Mar 26, 2006, 9:04:21 AM

A couple of observations...

This:


$sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

sets $sql to be the result set of the query...


while this:
$result = mysql_query($sql)or die(mysql_error());

tries to do another query using the result set. That's just not right.

I suggest you do something like:
$sql = "select count(*) from users where password = '$password'";
$result = mysql_query($sql, $connection);

$row = mysql_fetch_row($result);
if( $row[0] ) {
...

mysql_free_result($result);
mysql_close($connection);

Also, your second comparison to $row[9] is not needed. The password
match is already accounted for in the where clause of the SQL query.

-david-

comp_guy

Mar 26, 2006, 9:39:47 AM

Nicholas Sherlock

Mar 26, 2006, 4:52:48 PM
comp_guy wrote:
> I wish to compare the password entered by
> the user with that they entered into their submitted registration

> $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");

Um, don't you want to match usernames and passwords? Here, if one user
has the password "Test", then everyone can log in with the password
"Test". I'd:

$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my password here");

// Escape user input before it is placed inside the SQL string
$password=mysql_real_escape_string($_POST['password']);
$username=mysql_real_escape_string($_POST['username']);

mysql_select_db("sjcdb",$connection) or die("failed!");

$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password = '$password'") or die(mysql_error());

$rows = mysql_num_rows($result);

mysql_close();

if ($rows>0){
    header("Location:members.html");
} else {
    header("Location:register.html");
    exit;
}

Cheers,
Nicholas Sherlock

--
http://www.sherlocksoftware.org
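
Added example, not part of any post in this thread: the username-plus-password check discussed above, written with a bound query parameter instead of string interpolation and a stored password hash instead of a plaintext password column. The table layout, account names and the in-memory SQLite database are assumptions chosen so the code runs offline; PDO, password_hash() and password_verify() are standard PHP.

```php
<?php
// Added example, not code from the thread. Table layout, account names and
// passwords are constructed. An in-memory SQLite database (pdo_sqlite) keeps it
// runnable offline; for MySQL only the PDO DSN and credentials change.

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Registration stores a salted hash, never the password itself.
    $insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $insert->execute(['alice', password_hash('Test', PASSWORD_DEFAULT)]);
    $insert->execute(["o'neil", password_hash("it's-a-secret", PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Select by username only. The value is bound as a parameter, so quotes
    // in user input are data and never become part of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

function redirect_target(bool $ok): string
{
    // A real page would send header('Location: ' . $target) and then exit
    // in BOTH branches, so nothing after the redirect is executed.
    return $ok ? 'members.html' : 'register.html';
}

$pdo = open_demo_db();
$attempts = [
    ['alice', 'Test'],            // correct pair
    ["o'neil", 'Test'],           // another user's password
    ["o'neil", "it's-a-secret"],  // apostrophes in both fields
    ['bob', 'Test'],              // unknown user
];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($pdo, $user, $pass);
    printf("%-8s %-15s -> %s\n", $user, $pass, redirect_target($ok));
}
```

Redirecting to members.html does not by itself restrict that page; a members page has to check the logged-in session itself.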

Sandman

Mar 27, 2006, 4:26:20 AM
In article <1143383987....@j33g2000cwa.googlegroups.com>,
"comp_guy" <ginge...@hotmail.com> wrote:

> hey guys, i have been working on a simple form which validates if a
> user is valid or not. i am a newbie and just want to deny unauthorised
> access to a 'members' page. I wish to compare the password entered by
> the user with that they entered into their submitted registration
> form.. however i keep getting a MySQL error message 'query was empty'.
> i was hoping someone would know my failings! here is my code:
>
> <?php
>
> $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my
> password here");
>
> $password=$_POST['password'];
>
> mysql_select_db("sjcdb",$connection) or die("failed!");
>
> $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");
>
> $result = mysql_query($sql)or die(mysql_error());

This should be:

$sql = "SELECT * FROM users WHERE password = '$password'";

$result = mysql_query($sql) or die(mysql_error());


--
Sandman[.net]

Sandman

Mar 27, 2006, 5:53:37 AM

> hey guys, i have been working on a simple form which validates if a
> user is valid or not. i am a newbie and just want to deny unauthorised
> access to a 'members' page. I wish to compare the password entered by
> the user with that they entered into their submitted registration
> form.. however i keep getting a MySQL error message 'query was empty'.
> i was hoping someone would know my failings! here is my code:
>
> <?php
>
> $connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","my
> password here");
>
> $password=$_POST['password'];
>
> mysql_select_db("sjcdb",$connection) or die("failed!");
>
> $sql = mysql_query("SELECT * FROM users WHERE password = '$password'");
>
> $result = mysql_query($sql)or die(mysql_error());
>
