Control Structure help..

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Tom
Forum Newbie
Posts: 20
Joined: Sat Oct 05, 2002 5:24 pm
Location: Southwest FL

Control Structure help..

Post by Tom »

Hey all,
This PHP newb has finally created his own php/mysql news script! ::Pats self on back:: So anyway, all is well with it besides checking to see if the user put in the right password.
Here's the code:

Code: Select all

<?PHP 
  mysql_connect("localhost","---","---");
  mysql_select_db("users");
  $getuser = mysql_query("SELECT * FROM userinfo WHERE     
  username='$user'");

      While($rows = mysql_fetch_array($getuser)) &#123;
        $username = $rows&#1111;username];
        $password = $rows&#1111;password];
       &#125;
  mysql_close();
  
 If($user == $username && $pass == $password) &#123;
  mysql_connect("localhost","---","---");
  mysql_select_db("news");
  $insert = "INSERT INTO posts VALUES 
  ('$id', '$user', '$title', '$date', '$time', '$body')";
  mysql_query($insert);
  echo "Successfully posted! ---> <A Href="news.php">Click to go to news.php</a>";
  mysql_close();
 &#125; 
 else &#123;Echo "Sorry, It looks like you've entered the wrong username  
 and/or password";&#125;
?>

It works fine when A)Someone doesn't enter a username, but enters a password, B) When someone enters a password and not a username, and C) When someone enters a username that doesn't exist. That just leaves out one thing. When someone doesnt enter a username OR a password, the if() statement equals true and go's ahead and posts. Why is this? Can anyone give me some pointers on correcting this?

Thanks in advance,
Tom
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

try

Code: Select all

$query = "SELECT * FROM userinfo WHERE username='$user' AND password='$pass'";
$getuser = mysql_query($query) or die(mysql_error());
if ( $rows = mysql_fetch_array($getuser)) )
   // login successful
else
   // login failed
let mysql do the work ;)
besides: unless you defined a constant username replace
$username = $rows[username]; by
$username = $rows['username'];
or you will get a Notice: Use of undefined constant username - assumed 'username' in whatever.php on line xyz
Tom
Forum Newbie
Posts: 20
Joined: Sat Oct 05, 2002 5:24 pm
Location: Southwest FL

Hmm..

Post by Tom »

Okay..I think I have this solved.

Check it out -

Code: Select all

<?PHP 
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("users");
  $getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user'");

      while ($rows = mysql_fetch_array($getuser)) &#123;
        $username = $rows&#1111;'username'];
        $password = $rows&#1111;'password'];
       &#125;
  mysql_close();
  
 If($user !== $username && $pass !== $password) &#123;echo "Sorry, You must've entered the wrong username and/or password.";&#125;
 Elseif($user == $username && $pass == $password) &#123;
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("news");
  $insert = "INSERT INTO posts VALUES('$id', '$user', '$title', '$date', '$time', '$body')";
  mysql_query($insert);
  echo "Successfully posted! ---> <A Href="news.php">Click to go to news.php</a>";
  mysql_close();
 &#125;
 Else&#123;echo "Sorry, You must've entered the wrong username and/or password";&#125;
?>
Take it easy,
Tom
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

If($user !== $username && $pass !== $password)
is true only if user AND pass are wrong but you want

Code: Select all

if($user !== $username || $pass !== $password)
I'm still convinced that passing both parameters to mysql's WHERE-clause is the better way, but anyway ;)
Tom
Forum Newbie
Posts: 20
Joined: Sat Oct 05, 2002 5:24 pm
Location: Southwest FL

Hmm

Post by Tom »

Well I'm not sure.. because when neither the $pass text box nor the $user text box were filled in, it still posted..And if neither had a value, therefor making them not equal to $username or $password, that line would stop it from posting, wouldn't it?

Maybe I'll use the mysql WHERE clause..I'm still trying to get the hang of things as far as php/mysql go.

Take it easy, -Tom
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

if neither user nor [/i]password[/i] is provided by the user/client your query looks like

Code: Select all

SELECT * FROM userinfo WHERE username=''
probably none of the records match that, so
$username = $rows['username'];
$password = $rows['password'];
is never called, all four variable are undefined when

Code: Select all

if($user !== $username || $pass !== $password)
is processed. Try this little script

Code: Select all

&lt;html&gt;&lt;body&gt;&lt;?php 
if($user !== $username || $pass !== $password)
	echo "that's what you expect";
else
	echo "but this happens";
?&gt;&lt;/body&gt;&lt;/html&gt;
your server's errorlog probably contains lots of Notice: Undefined variable: user in ....
Tom
Forum Newbie
Posts: 20
Joined: Sat Oct 05, 2002 5:24 pm
Location: Southwest FL

Post by Tom »

So about letting MySQL do the work -- I came up with this:

Code: Select all

<?PHP 
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("users");
  $getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user' AND password='$pass'");

      If($rows = mysql_fetch_array($getuser)) &#123;
        $username = $rows&#1111;'username'];
        $password = $rows&#1111;'password'];
       
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("news");
  $insert = "INSERT INTO posts VALUES('$id', '$user', '$title', '$date', '$time', '$body')";
  mysql_query($insert);
  echo "Successfully posted! ---> <A Href="news.php">Click to go to news.php</a>";
  mysql_close();
 &#125;
 Else&#123;echo "Sorry, You must've entered the wrong username and/or password";&#125;
?>
It works, but is it what you were talking about when you told me to let mysql do the work?

By the way..does the line

Code: Select all

If($rows = mysql_fetch_array($getuser)) &#123;
mean "If mysql can create an array of whatever $getuser means, do this"?
lol..I'm a weirdo. :oops:

Take it easy,
Tom
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

when a SELECT-query has been successful there is a resultset for this query that can contain 0 to N records.
You retrieve those records one by one e.g. with mysql_fetch_array.
If there is no recordset left mysql_fetch_array will return FALSE.

So if ($rows = mysql_fetch_array($getuser)) !== FALSE there was a recordset with the give user/password-combination.
If there is no such recordset the query will be successful, too (hopefully) but mysql_fetch_array will return FALSE and the if-clause fails --> no login
Tom
Forum Newbie
Posts: 20
Joined: Sat Oct 05, 2002 5:24 pm
Location: Southwest FL

Ohhh

Post by Tom »

Oh All right. Thanks for telling me this and saving me a little bit of time :D

Take it easy,
Tom
Post Reply