Page 1 of 1
mysql select problems
Posted: Mon Aug 20, 2007 4:09 am
by X_Citer
hello again... yet another problem with my mysql syntax... this code appears to work as in there are no errors however when it echos the variable $check_user it echos "resource id #2" im not sure why it is echoing this.
Code: Select all
$username=$_POST['login_name'];
$pass=$_POST['login_pass'];
$con=mysql_connect("Localhost", "root", "alexander");
mysql_select_db("hosting", $con) or die(mysql_error());
$sql="SELECT username FROM accounts WHERE username= '".$username."'";
$check_user=mysql_query($sql) or die(mysql_error());
echo $check_user;
mysql_close($con);
any help is appreciated
Thanks
Posted: Mon Aug 20, 2007 4:20 am
by aceconcepts
So, what's your problem?
You haven't actually "fetched" anything.
Try:
Code: Select all
$username=$_POST['login_name'];
$pass=$_POST['login_pass'];
$con=mysql_connect("Localhost", "root", "alexander");
mysql_select_db("hosting", $con) or die(mysql_error());
$sql="SELECT username FROM accounts WHERE username= '".$username."'";
$check_user=mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($check_user)>0)
{
$row=mysql_fetch_array($check_user);
echo $row['field_name'];
}
else
{
echo "No record found!";
}
mysql_close($con);
Posted: Mon Aug 20, 2007 6:07 am
by iknownothing
$username within your SQL statement is written wrong. replace:
Code: Select all
$sql="SELECT username FROM accounts WHERE username= '".$username."'";
with...
Code: Select all
$sql="SELECT username FROM accounts WHERE username= '$username'";
and see what happens.
Posted: Mon Aug 20, 2007 6:19 am
by VladSun
iknownothing wrote:$username within your SQL statement is written wrong. replace:
Code: Select all
$sql="SELECT username FROM accounts WHERE username= '".$username."'";
with...
Code: Select all
$sql="SELECT username FROM accounts WHERE username= '$username'";
and see what happens.
It's not wrong.
Posted: Mon Aug 20, 2007 7:07 am
by Mordred
The code is vulnerable to SQL Injection on both fields, and doesn't in fact check for password validity. mysql_real_escape_string() and AND `password`='$sPassword' will help.
Posted: Mon Aug 20, 2007 7:24 am
by CoderGoblin
aceconcepts is right when you need to return something. "resource id #2" indicates that a result set has been found... In otherwords your SQL is correct. Here are some useful links...
mysql_fetch_assoc (my preference)
mysql_fetch_array almost the same as the first but not quite
The examples cover the complete send query->fetch results methodology
Mordred is also right that you have no security here. Read this link
mysql_real_escape_string. It gives an example of what is known as an SQL injection attack. You should never trust any information coming from users, either in $_GET or $_POST. Bear in mind $_GET is easily modified. An example is an id.. Edit ID 10 which could for example have a link
http://www.mypage.com/edit.php?id=10. Someone can easily change the 10 to another item and potentially change something which they should have no access to. $_POST values are more secure but not infallible. It is relatively easy to change form values sent if you know what you are doing but normally requires an active effort unlike the $_GET value.
Posted: Mon Aug 20, 2007 1:09 pm
by X_Citer
thanks very much that has corrected the problem... new code for my login script works perfectly.