mysql select problems

X_Citer
Forum Newbie
Posts: 10
Joined: Thu Jul 12, 2007 11:18 pm

mysql select problems

Post by X_Citer »

Hello again... yet another problem with my MySQL syntax... This code appears to work, as in there are no errors; however, when it echoes the variable $check_user it echoes "resource id #2". I'm not sure why it is echoing this.

Code: Select all

$username=$_POST['login_name'];
$pass=$_POST['login_pass'];
$con=mysql_connect("Localhost", "root", "alexander");

	mysql_select_db("hosting", $con) or die(mysql_error());
	$sql="SELECT username FROM accounts WHERE username= '".$username."'";
	$check_user=mysql_query($sql) or die(mysql_error());

	echo $check_user;

mysql_close($con);
Any help is appreciated.
Thanks
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Post by aceconcepts »

So, what's your problem?

You haven't actually "fetched" anything.

Try:

Code: Select all

$username=$_POST['login_name'];
$pass=$_POST['login_pass'];
$con=mysql_connect("Localhost", "root", "alexander");

mysql_select_db("hosting", $con) or die(mysql_error());
$sql="SELECT username FROM accounts WHERE username= '".$username."'";
// mysql_query() returns a result resource, not the rows themselves
$check_user=mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($check_user)>0)
{
        // fetch the first row as an array keyed by column name
        $row=mysql_fetch_array($check_user);

        // field_name is a placeholder: use a column named in the SELECT (here, username)
        echo $row['field_name'];
}
else
{
        echo "No record found!";
}

mysql_close($con);
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

$username within your SQL statement is written wrong. Replace:

Code: Select all

$sql="SELECT username FROM accounts WHERE username= '".$username."'";
with...

Code: Select all

$sql="SELECT username FROM accounts WHERE username= '$username'";
and see what happens.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

iknownothing wrote: $username within your SQL statement is written wrong. Replace:

Code: Select all

$sql="SELECT username FROM accounts WHERE username= '".$username."'";
with...

Code: Select all

$sql="SELECT username FROM accounts WHERE username= '$username'";
and see what happens.
It's not wrong.
There are 10 types of people in this world, those who understand binary and those who don't
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

The code is vulnerable to SQL Injection on both fields, and doesn't in fact check for password validity. mysql_real_escape_string() and AND `password`='$sPassword' will help.
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

aceconcepts is right when you need to return something. "resource id #2" indicates that a result set has been found... In other words, your SQL is correct. Here are some useful links...
mysql_fetch_assoc (my preference)
mysql_fetch_array almost the same as the first but not quite
The examples cover the complete send query->fetch results methodology


Mordred is also right that you have no security here. Read this link: mysql_real_escape_string. It gives an example of what is known as an SQL injection attack. You should never trust any information coming from users, either in $_GET or $_POST. Bear in mind $_GET is easily modified. An example is an id... Edit ID 10, which could for example have a link http://www.mypage.com/edit.php?id=10. Someone can easily change the 10 to another item and potentially change something which they should have no access to. $_POST values are more secure but not infallible. It is relatively easy to change form values sent if you know what you are doing, but it normally requires an active effort, unlike the $_GET value.
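
Added example, not part of any post in this thread: a login check that covers the two gaps raised above (user input concatenated into the query, and no password check). It swaps in PDO prepared statements for mysql_real_escape_string() and password_hash()/password_verify() for comparing the password in SQL; the in-memory SQLite database, the password_hash column name and the sample account are assumptions made so that it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL "hosting" database, and the accounts
// table has a password_hash column (hypothetical name).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account; only a hash of the password is stored.
$insert = $pdo->prepare('INSERT INTO accounts (username, password_hash) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns true only when the account exists AND the password matches.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps the value out of the SQL text, so quotes in the
    // input cannot change the structure of the statement.
    $stmt = $pdo->prepare('SELECT password_hash FROM accounts WHERE username = :username');
    $stmt->execute([':username' => $username]);

    // The statement handle is not the data; a row has to be fetched from it.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    return password_verify($password, $row['password_hash']);
}

// Simulated form input (constructed); in the thread these come from $_POST.
$tests = [
    ["o'brien", 'correct horse'],  // valid login, name contains a quote
    ["o'brien", 'wrong password'], // right user, wrong password
    ['nobody', 'correct horse'],   // unknown user
];
foreach ($tests as [$user, $pass]) {
    $result = check_login($pdo, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-10s %-16s => %s\n", $user, $pass, $result);
}
```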
X_Citer
Forum Newbie
Posts: 10
Joined: Thu Jul 12, 2007 11:18 pm

Post by X_Citer »

Thanks very much, that has corrected the problem... New code for my login script works perfectly.