Page 1 of 1

Problem with Query + PHP

Posted: Wed Jul 11, 2007 3:11 pm
by s0ul@peace
I'm having trouble getting this code to work, specfically getting a query to find if the username entered into the html text input has already registered their first name last name and company:

Question I guess is... How do I determin via a mysql query whether or not a database row has certain fields defined. If they do, have code do one thing, if they arn't defined, ahve the php code do another thing.

At this point, I need people who DONT have a first name last name and company defined in the database, be re-directed to vip-information.php after they login.

If they arleady have these fields, I need them to be redirected to vip-area.php

This is not working, anybody know why?:

Code: Select all

$query4 = "SELECT first_name, last_name, company FROM vip WHERE username='$_POST[username_register]'"; 
                $result4 = mysql_query($query4); 
                 
                    if (mysql_num_rows($result4)<1){ 
                        session_start(); 
                        $_SESSION['Username'] = $_POST[username_register]; 
                        $_SESSION['Password'] = $_POST[password_register]; 
                        header ("Location: vip-information.php"); 
                    }else{ 
                 
            $query3 = "UPDATE vip SET password='$_POST[password_register]' WHERE username='$_POST[username_register]' LIMIT 1"; 
            $result3 = mysql_query($query3); 
             
            session_start(); 
            $_SESSION['Username'] = $_POST[username_register]; 
            $_SESSION['Password'] = $_POST[password_register]; 
            header ("Location: vip-area.php"); 
                    } 
            }else{ 
                $error4 = "That account already has a Username and Password. Please Login"; 
            } 
            } 
        } 
    }

Posted: Wed Jul 11, 2007 3:23 pm
by feyd
Your first query constrains selection on the username alone. Should it not constrain on first-name, last-name and company instead or as well?

Your second query allows someone to reset a user's password without challenge. Are you sure you want this to happen?

I'm guessing you're developing with E_NOTICE off as you should be firing at least four notices. I also see SQL injection opportunities with your apparently blind usage of user submitted data without filtering, validation and escaping. Lastly, header() based redirection needs to use a full URL, http:// and all.