$query = "SELECT * FROM users WHERE username='". $u ."' AND password=PASSWORD('". $p ."')";
That's what I think might have caused the error... I faced a similar error recently and I vaguely remember that it had to do with the strings in $query above.
<?php
//to be safe always start session on first line
session_start();

function escape_data($data) {
    #no need to pass database instance
    #if none is supplied assumes last connection
    #plus globals are bad
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    $data = htmlentities($data);
    $data = mysql_real_escape_string($data);
    return $data;
}

#should change $_POST['submit'] to a hidden form element
#try hitting enter in Internet explorer, 'submit' won't exist
if (isset($_POST['submit'])) {
    $dbh = mysql_connect("localhost", "root", "password") or die(mysql_error());
    mysql_select_db("content");

    #have a list of required form elements
    $required = array(
        'username',
        'password'
    );
    $error = '';

    #loop through your results and check if they exist
    #this way we not only sanitize data, but assign the variables
    foreach ($required as $fieldname) {
        if (empty($_POST[$fieldname])) {
            $error .= '<p class=\'text\'>You forgot to enter your '.$fieldname.'!</p>';
            $$fieldname = '';
        }
        else {
            $$fieldname = escape_data($_POST[$fieldname]);
        }
    }

    //no errors were found
    if (empty($error)) {
        //changed your query to only accept 1 row
        //just in case
        $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password=PASSWORD('$password') LIMIT 1") or die(mysql_error());
        //check if a row has been found
        if (mysql_num_rows($result) == 1) {
            $row = mysql_fetch_assoc($result);
            //make sure you quote your name indices
            $_SESSION['name'] = $row['name'];
            $_SESSION['userid'] = $row['userid'];
            header('Location: http://www.vividgamers.com/sessions/index.php');
            exit;
        }
    }

    //check to see if $error is not empty
    //if errors exist display it
    if (!empty($error)) {
        echo $error;
    }
}
//show form here
?>
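The same login check written with a bound parameter instead of string concatenation, as an added example that is not part of the posts above. It swaps MySQL's PASSWORD() for PHP's password_hash()/password_verify(), and it assumes PDO with the SQLite driver so it runs offline; the table layout, the sample account and the function names open_demo_db() and authenticate() are constructed for illustration.

```php
<?php
// Added example: constructed schema and sample data, held in an in-memory SQLite database.
declare(strict_types=1);

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        userid        INTEGER PRIMARY KEY,
        username      TEXT UNIQUE NOT NULL,
        name          TEXT NOT NULL,
        password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, name, password_hash) VALUES (?, ?, ?)');
    // Constructed account. The apostrophe in the username would end the quoted
    // string in a concatenated query; the & and < in the password are the
    // characters htmlentities() would rewrite. Neither needs escaping here.
    $ins->execute(["o'brien", "Pat O'Brien", password_hash('s3cret & <safe>', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user's row (without the hash) on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?array {
    // The value travels separately from the SQL text, so quotes in it are data.
    $stmt = $db->prepare('SELECT userid, name, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is compared in PHP against a salted hash, never inside the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

$db = open_demo_db();
foreach ([["o'brien", 's3cret & <safe>'], ["o'brien", 'wrong'], ['nobody', 'x']] as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    echo $u, ': ', $user === null ? 'rejected' : 'welcome ' . $user['name'], PHP_EOL;
}
```

In a web request, the returned row would fill $_SESSION['name'] and $_SESSION['userid'] as in the post, with htmlentities() applied only when those values are printed into HTML.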