Posted: Mon Jan 15, 2007 1:02 pm
Check $result to make sure it's not false....
Code:
if($result==false)
{
    printf("False result.");
}

Code:
<?php
$username = $_POST['username']; // '
$password = $_POST['password'];
$sql = "SELECT * FROM user WHERE username='$username' and password='$password'";
// $sql = "SELECT * FROM user WHERE username = '''
// etc
?>

Code:
$sql1 = "SELECT * FROM user WHERE username='$username'";
$result1 = mysql_query($sql1);
$sql2 = "SELECT * FROM user WHERE password='$password'";
$result2 = mysql_query($sql2);

Code:
<?php
// initialize variables
$errmsg = '';
$row = array();
// Connect to server
$con = mysql_connect("localhost","burnttoa_umonbre","don't_post_passwords");
if (mysql_errno()) {
    $errmsg = 'Could not connect:' . mysql_error();
} else {
    // Select database.
    mysql_select_db("burnttoa_monbre");
    if (mysql_errno()) {
        $errmsg = 'Could not select:' . mysql_error();
    } else {
        // Setup and do query
        // filter untrusted post variable
        $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
        // escape the filtered value (escaping $_POST again would discard the filter)
        $username = mysql_real_escape_string($username);
        $sql1 = "SELECT * FROM user WHERE username='$username'";
        $result1 = mysql_query($sql1);
        if (mysql_errno()) {
            $errmsg = 'Query failed:' . mysql_error();
        } else {
            // fetch from the result of the query that was just run
            $row = mysql_fetch_assoc($result1);
        }
    }
}
// now the response
if ($errmsg) {
    // error goes here
    echo "Error: $errmsg<br/>";
} else {
    // success goes here
    dump($row);
}
// handy for debugging
function dump($value) {
    echo '<pre>' . print_r($value, 1) . '</pre>';
}

+1 for snippets

arborint wrote:
I see a lot of code like that posted. It is pretty difficult to debug. I think, at least, some basic Structured Programming would be helpful. At a minimum a PHP database script ought to look something like this:

No die(), clear logic, thorough error checking, separation of connection and response (reporting an error is also a response), and basic security ...
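As an added example (not code from the thread): the single-quote input from the second snippet, run against an interpolated query and against a prepared statement, showing why the result must be checked for false. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* calls; the function names and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The table and column names follow the
// thread's queries; the in-memory SQLite database and the sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT); // query() returns false on error
$db->exec("CREATE TABLE user (username TEXT, password TEXT)");
$db->exec("INSERT INTO user VALUES ('alice', 'constructed-hash')");

// Interpolated query, built the same way as in the thread's snippets.
function lookup_interpolated(PDO $db, $username) {
    $sql = "SELECT * FROM user WHERE username='$username'";
    $result = $db->query($sql);
    if ($result === false) {
        // The input changed the structure of the statement, so it no longer parses.
        $info = $db->errorInfo();
        return 'query failed: ' . $info[2];
    }
    return $result->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is bound as data and never parsed as SQL.
function lookup_prepared(PDO $db, $username) {
    $stmt = $db->prepare("SELECT * FROM user WHERE username = :username");
    if ($stmt === false || !$stmt->execute(array(':username' => $username))) {
        return 'query failed';
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// An ordinary name, then the single quote used in the thread's snippet.
foreach (array('alice', "'") as $input) {
    echo "input: $input\n";
    echo "  interpolated: ";
    var_export(lookup_interpolated($db, $input));
    echo "\n  prepared:     ";
    var_export(lookup_prepared($db, $input));
    echo "\n";
}
```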