Page 1 of 1
Control Structure help..
Posted: Wed Oct 30, 2002 4:54 pm
by Tom
Hey all,
This PHP newb has finally created his own php/mysql news script! ::Pats self on back:: So anyway, all is well with it besides checking to see if the user put in the right password.
Here's the code:
Code: Select all
<?PHP
mysql_connect("localhost","---","---");
mysql_select_db("users");
$getuser = mysql_query("SELECT * FROM userinfo WHERE
username='$user'");
While($rows = mysql_fetch_array($getuser)) {
$username = $rowsїusername];
$password = $rowsїpassword];
}
mysql_close();
If($user == $username && $pass == $password) {
mysql_connect("localhost","---","---");
mysql_select_db("news");
$insert = "INSERT INTO posts VALUES
('$id', '$user', '$title', '$date', '$time', '$body')";
mysql_query($insert);
echo "Successfully posted! ---> <A Href="news.php">Click to go to news.php</a>";
mysql_close();
}
else {Echo "Sorry, It looks like you've entered the wrong username
and/or password";}
?>
It works fine when A)Someone doesn't enter a username, but enters a password, B) When someone enters a password and not a username, and C) When someone enters a username that doesn't exist. That just leaves out one thing. When someone doesnt enter a username OR a password, the if() statement equals true and go's ahead and posts. Why is this? Can anyone give me some pointers on correcting this?
Thanks in advance,
Tom
Posted: Wed Oct 30, 2002 5:01 pm
by volka
try
Code: Select all
$query = "SELECT * FROM userinfo WHERE username='$user' AND password='$pass'";
$getuser = mysql_query($query) or die(mysql_error());
if ( $rows = mysql_fetch_array($getuser)) )
// login successful
else
// login failed
let mysql do the work

besides: unless you defined a constant username replace
$username = $rows[username]; by
$username = $rows['username'];
or you will get a
Notice: Use of undefined constant username - assumed 'username' in whatever.php on line xyz
Hmm..
Posted: Wed Oct 30, 2002 7:57 pm
by Tom
Okay..I think I have this solved.
Check it out -
Code: Select all
<?PHP
mysql_connect("localhost","Tom","tom");
mysql_select_db("users");
$getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user'");
while ($rows = mysql_fetch_array($getuser)) {
$username = $rowsї'username'];
$password = $rowsї'password'];
}
mysql_close();
If($user !== $username && $pass !== $password) {echo "Sorry, You must've entered the wrong username and/or password.";}
Elseif($user == $username && $pass == $password) {
mysql_connect("localhost","Tom","tom");
mysql_select_db("news");
$insert = "INSERT INTO posts VALUES('$id', '$user', '$title', '$date', '$time', '$body')";
mysql_query($insert);
echo "Successfully posted! ---> <A Href="news.php">Click to go to news.php</a>";
mysql_close();
}
Else{echo "Sorry, You must've entered the wrong username and/or password";}
?>
Take it easy,
Tom
Posted: Wed Oct 30, 2002 8:11 pm
by volka
If($user !== $username && $pass !== $password)
is true only if
user AND
pass are wrong but you want
Code: Select all
if($user !== $username || $pass !== $password)
I'm still convinced that passing both parameters to mysql's WHERE-clause is the better way, but anyway

Hmm
Posted: Wed Oct 30, 2002 8:26 pm
by Tom
Well I'm not sure.. because when neither the $pass text box nor the $user text box were filled in, it still posted..And if neither had a value, therefor making them not equal to $username or $password, that line would stop it from posting, wouldn't it?
Maybe I'll use the mysql WHERE clause..I'm still trying to get the hang of things as far as php/mysql go.
Take it easy, -Tom
Posted: Wed Oct 30, 2002 8:55 pm
by volka
if neither
user nor [/i]password[/i] is provided by the user/client your query looks like
Code: Select all
SELECT * FROM userinfo WHERE username=''
probably none of the records match that, so
$username = $rows['username'];
$password = $rows['password'];
is never called, all four variable are undefined when
Code: Select all
if($user !== $username || $pass !== $password)
is processed. Try this little script
Code: Select all
<html><body><?php
if($user !== $username || $pass !== $password)
echo "that's what you expect";
else
echo "but this happens";
?></body></html>
your server's errorlog probably contains lots of
Notice: Undefined variable: user in ....
Posted: Wed Oct 30, 2002 9:34 pm
by Tom
So about letting MySQL do the work -- I came up with this:
Code: Select all
<?PHP
mysql_connect("localhost","Tom","tom");
mysql_select_db("users");
$getuser = mysql_query("SELECT * FROM userinfo WHERE username='$user' AND password='$pass'");
If($rows = mysql_fetch_array($getuser)) {
$username = $rowsї'username'];
$password = $rowsї'password'];
mysql_connect("localhost","Tom","tom");
mysql_select_db("news");
$insert = "INSERT INTO posts VALUES('$id', '$user', '$title', '$date', '$time', '$body')";
mysql_query($insert);
echo "Successfully posted! ---> <A Href="news.php">Click to go to news.php</a>";
mysql_close();
}
Else{echo "Sorry, You must've entered the wrong username and/or password";}
?>
It works, but is it what you were talking about when you told me to let mysql do the work?
By the way..does the line
Code: Select all
If($rows = mysql_fetch_array($getuser)) {
mean "If mysql can create an array of whatever $getuser means, do this"?
lol..I'm a weirdo.
Take it easy,
Tom
Posted: Wed Oct 30, 2002 9:46 pm
by volka
when a SELECT-query has been successful there is a resultset for this query that can contain 0 to N records.
You retrieve those records one by one e.g. with mysql_fetch_array.
If there is no recordset left mysql_fetch_array will return FALSE.
So if ($rows = mysql_fetch_array($getuser)) !== FALSE there was a recordset with the give user/password-combination.
If there is no such recordset the query will be successful, too (hopefully) but mysql_fetch_array will return FALSE and the if-clause fails --> no login
Ohhh
Posted: Wed Oct 30, 2002 10:08 pm
by Tom
Oh All right. Thanks for telling me this and saving me a little bit of time
Take it easy,
Tom