Control Structure help..

Posted: Wed Oct 30, 2002 4:54 pm
by Tom
Hey all,
This PHP newb has finally created his own php/mysql news script! ::Pats self on back:: So anyway, all is well with it besides checking to see if the user put in the right password.
Here's the code:

Code:

<?PHP 
  mysql_connect("localhost","---","---");
  mysql_select_db("users");
  $getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user'");

      While($rows = mysql_fetch_array($getuser)) {
        $username = $rows[username];
        $password = $rows[password];
       }
  mysql_close();
  
 If($user == $username && $pass == $password) {
  mysql_connect("localhost","---","---");
  mysql_select_db("news");
  $insert = "INSERT INTO posts VALUES 
  ('$id', '$user', '$title', '$date', '$time', '$body')";
  mysql_query($insert);
  echo "Successfully posted! ---> <A Href=\"news.php\">Click to go to news.php</a>";
  mysql_close();
 } 
 else {Echo "Sorry, It looks like you've entered the wrong username  
 and/or password";}
?>

It works fine when A) Someone doesn't enter a username, but enters a password, B) When someone enters a password and not a username, and C) When someone enters a username that doesn't exist. That just leaves out one thing. When someone doesn't enter a username OR a password, the if() statement equals true and goes ahead and posts. Why is this? Can anyone give me some pointers on correcting this?

Thanks in advance,
Tom

Posted: Wed Oct 30, 2002 5:01 pm
by volka
try

Code:

$query = "SELECT * FROM userinfo WHERE username='$user' AND password='$pass'";
$getuser = mysql_query($query) or die(mysql_error());
if ($rows = mysql_fetch_array($getuser)) {
   // login successful
} else {
   // login failed
}

let mysql do the work ;)
besides: unless you defined a constant username replace
$username = $rows[username]; by
$username = $rows['username'];
or you will get a Notice: Use of undefined constant username - assumed 'username' in whatever.php on line xyz

Hmm..

Posted: Wed Oct 30, 2002 7:57 pm
by Tom
Okay..I think I have this solved.

Check it out -

Code:

<?PHP 
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("users");
  $getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user'");

      while ($rows = mysql_fetch_array($getuser)) {
        $username = $rows['username'];
        $password = $rows['password'];
       }
  mysql_close();
  
 If($user !== $username && $pass !== $password) {echo "Sorry, You must've entered the wrong username and/or password.";}
 Elseif($user == $username && $pass == $password) {
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("news");
  $insert = "INSERT INTO posts VALUES('$id', '$user', '$title', '$date', '$time', '$body')";
  mysql_query($insert);
  echo "Successfully posted! ---> <A Href=\"news.php\">Click to go to news.php</a>";
  mysql_close();
 }
 Else{echo "Sorry, You must've entered the wrong username and/or password";}
?>

Take it easy,
Tom

Posted: Wed Oct 30, 2002 8:11 pm
by volka
If($user !== $username && $pass !== $password)
is true only if user AND pass are wrong but you want

Code:

if($user !== $username || $pass !== $password)

I'm still convinced that passing both parameters to mysql's WHERE-clause is the better way, but anyway ;)

Hmm

Posted: Wed Oct 30, 2002 8:26 pm
by Tom
Well I'm not sure.. because when neither the $pass text box nor the $user text box were filled in, it still posted.. And if neither had a value, therefore making them not equal to $username or $password, that line would stop it from posting, wouldn't it?

Maybe I'll use the mysql WHERE clause..I'm still trying to get the hang of things as far as php/mysql go.

Take it easy, -Tom

Posted: Wed Oct 30, 2002 8:55 pm
by volka
if neither user nor password is provided by the user/client your query looks like

Code:

SELECT * FROM userinfo WHERE username=''

probably none of the records match that, so
$username = $rows['username'];
$password = $rows['password'];
is never called, all four variables are undefined when

Code:

if($user !== $username || $pass !== $password)

is processed. Try this little script

Code:

<html><body><?php 
if($user !== $username || $pass !== $password)
	echo "that's what you expect";
else
	echo "but this happens";
?></body></html>

your server's errorlog probably contains lots of Notice: Undefined variable: user in ....

Posted: Wed Oct 30, 2002 9:34 pm
by Tom
So about letting MySQL do the work -- I came up with this:

Code:

<?PHP 
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("users");
  $getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user' AND password='$pass'");

      If($rows = mysql_fetch_array($getuser)) {
        $username = $rows['username'];
        $password = $rows['password'];
       
  mysql_connect("localhost","Tom","tom");
  mysql_select_db("news");
  $insert = "INSERT INTO posts VALUES('$id', '$user', '$title', '$date', '$time', '$body')";
  mysql_query($insert);
  echo "Successfully posted! ---> <A Href=\"news.php\">Click to go to news.php</a>";
  mysql_close();
 }
 Else{echo "Sorry, You must've entered the wrong username and/or password";}
?>

It works, but is it what you were talking about when you told me to let mysql do the work?

By the way..does the line

Code:

If($rows = mysql_fetch_array($getuser)) {

mean "If mysql can create an array of whatever $getuser means, do this"?
lol..I'm a weirdo. :oops:

Take it easy,
Tom

Posted: Wed Oct 30, 2002 9:46 pm
by volka
when a SELECT-query has been successful there is a resultset for this query that can contain 0 to N records.
You retrieve those records one by one e.g. with mysql_fetch_array.
If there is no recordset left mysql_fetch_array will return FALSE.

So if ($rows = mysql_fetch_array($getuser)) !== FALSE there was a recordset with the given user/password-combination.
If there is no such recordset the query will be successful, too (hopefully) but mysql_fetch_array will return FALSE and the if-clause fails --> no login

Ohhh

Posted: Wed Oct 30, 2002 10:08 pm
by Tom
Oh All right. Thanks for telling me this and saving me a little bit of time :D

Take it easy,
Tom
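
The login check this thread converges on, as an added example that is not code from either poster: it rejects empty input before querying, binds the username as a parameter instead of interpolating it into the SQL string, and treats an empty result set as a failed login. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL `users` database, the `authenticate()` helper and the `password_hash` column are hypothetical, and hashed storage checked with `password_verify()` is swapped in for the thread's plaintext password comparison.

```php
<?php
// Added example, not code from the thread. Assumptions: in-memory SQLite via
// PDO replaces the MySQL "users" database; the account below is constructed.

function authenticate(PDO $db, $user, $pass): bool
{
    // Fail closed on missing or empty input, so an empty form can never
    // "match" variables that were left unset because no row was found.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }

    // Bound parameter: the form value travels as data, not as part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM userinfo WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when the result set is empty: no such user, no login.
    if ($row === false) {
        return false;
    }

    // Verify against a stored hash instead of comparing plaintext passwords.
    return password_verify($pass, $row['password_hash']);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO userinfo VALUES (?, ?)')
   ->execute(['tom', password_hash('sample-password', PASSWORD_DEFAULT)]);

// The original check with an empty form: no row is fetched, so $username and
// $password are never assigned (null here), and loose == treats '' and null as equal.
$user = ''; $pass = ''; $username = null; $password = null;
var_dump($user == $username && $pass == $password);

// The same empty form through authenticate(), then the other cases from the thread.
var_dump(authenticate($db, '', ''));
var_dump(authenticate($db, 'tom', ''));
var_dump(authenticate($db, 'nobody', 'sample-password'));
var_dump(authenticate($db, 'tom', 'sample-password'));
```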