basic table lookup question

mc3
Forum Newbie
Posts: 13
Joined: Thu Jan 24, 2008 5:31 pm

basic table lookup question

Post by mc3 »

I can't figure out what I'm doing wrong here. I've got a form where the user enters their username and password. I'm trying to verify that the password associated with the username matches what the user entered.

But there seems to be something wrong in my code because no matter what the user enters for password, the results of [if ($checkpasswordresult != $pw)] always occur.

Any help is appreciated!

Code:

<?php

$con = mysql_connect("**","***","***");

mysql_select_db("mydatabase") or die( "Problems connecting to the database...");

$user = $_POST["user"];
$pw = $_POST["pw"];
$email = $_POST["email"];

//check username
$checkusername = mysql_query("SELECT user FROM mydatabase WHERE user = '$user'");
$numuserrows=mysql_num_rows($checkusername);

if ($numuserrows==0)
    {
    echo "Sorry, we can't find that username. Be sure you typed it correctly.";
    die;
    }

//check password
$checkpassword = mysql_query("SELECT pw FROM mydatabase WHERE user = '$user'");
$checkpasswordresult = mysql_fetch_object($checkpassword);

if ($checkpasswordresult != $pw)
    {
    echo "Password wrong.";
    die;
    }
scottayy: Please use [code] and [/code] tags when posting PHP code in the forums.
thinsoldier
Forum Contributor
Posts: 367
Joined: Fri Jul 20, 2007 11:29 am
Contact:

Re: basic table lookup question

Post by thinsoldier »

If someone's trying to guess usernames/passwords you don't want to give them hints by confirming a username is correct while the password is wrong. Either they get them both right or they don't get anything but a generic error message ("Username or Password incorrect").

Code:

 
// .... connect to database
 
$user = mysql_real_escape_string($_POST["user"]);
$pw = mysql_real_escape_string($_POST["pw"]);
$email = mysql_real_escape_string($_POST["email"]);
 
$result = mysql_query("SELECT user, pw FROM mydatabase WHERE user = '$user' AND pw='$pw' LIMIT 1");
 
if(mysql_num_rows($result) != 1){die;}
//.... or something along those lines is what I'd do
 
an alternative to lines 4-6:
foreach($_POST as $key=>$value)
{ $$key = mysql_real_escape_string($value); }
google for "variable variables in php"

but to actually answer your question:
you need to look inside of the $checkpasswordresult object for the ->pw part of it and compare that to your $pw var.

if ($pw == $checkpasswordresult->pw) { /* thanks for logging in */ } else { die; }

try doing:

Code:

// second argument true makes print_r return the dump instead of printing it directly
echo '<pre>'.print_r($checkpasswordresult, true).'</pre>';
to see everything inside of your object.
This also works with array variables.
Sometimes it's also very useful to use var_dump in place of print_r.

http://php.net/print_r
http://php.net/var_dump
http://php.net/mysql_fetch_object
http://php.net/mysql_fetch_assoc
http://php.net/mysql_fetch_array
Warning: I have no idea what I'm talking about.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: basic table lookup question

Post by califdon »

mc3 wrote:

Code:

. . .
//check username
$checkusername = mysql_query("SELECT user FROM mydatabase WHERE user = '$user'");
$numuserrows=mysql_num_rows($checkusername);
. . .

//check password
$checkpassword = mysql_query("SELECT pw FROM mydatabase WHERE user = '$user'");
$checkpasswordresult = mysql_fetch_object($checkpassword);

if ($checkpasswordresult != $pw)
    {
    echo "Password wrong.";
    die;
    }
In the case of the username, you only needed to check the number of rows returned, which works. In the case of the password, you have to actually examine the data in a field. Your variable $checkpasswordresult is not a single piece of data, it is a "resource" (pointer) to an object, so it can never be equal to a string.

I would suggest making just one query to the database, using both the username and password in the WHERE clause, then if either of them fail to match, you get zero rows returned, and as thinsoldier said, you can merely advise the user that his attempt to login has failed. If, for some reason, you do need to treat an invalid password differently than an invalid username, you could do something like this, still making just one query:

Code:

$sql="SELECT user, pwd FROM myTable WHERE user='$user'";
$result=mysql_query($sql);
if (mysql_num_rows($result)==0) {
    //  no user found
} else {
    $row=mysql_fetch_array($result);
    $db_user=$row[0];
    $db_pwd=$row[1];
    //  now compare your submitted username and password against these
}
mc3
Forum Newbie
Posts: 13
Joined: Thu Jan 24, 2008 5:31 pm

Re: basic table lookup question

Post by mc3 »

Great advice. Thanks!
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: basic table lookup question

Post by pickle »

Please, please, please do some basic encryption/hashing of the password. Even running it through md5() is better than storing it in plaintext.
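As an added example that is not code from anyone in this thread, here is one way to put the three pieces of advice above together: thinsoldier's and califdon's point that the password must be read from the pw field of the fetched row (not the row object) and that login should fail with one generic message, and pickle's point that only a password hash belongs in the table. It uses PDO with an in-memory SQLite database so it runs offline; the table name users, the sample account alice and its password are constructed for the demo, and the column names user and pw are taken from the thread. The mysql_* functions used in the thread were removed from PHP 7, so PDO prepared statements stand in for them.

```php
<?php
// Added example, not from the thread: a login check that applies the advice
// above. One query keyed on the username, the password checked against a
// stored hash with password_verify(), and a single generic failure message.
// It uses PDO with an in-memory SQLite database so it runs offline; the table,
// the sample account ('alice') and its password are constructed for the demo.

function openDemoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pw TEXT NOT NULL)');

    // Store only the hash of the constructed sample password, never the password itself.
    $insert = $db->prepare('INSERT INTO users (user, pw) VALUES (:user, :pw)');
    $insert->execute([
        ':user' => 'alice',
        ':pw'   => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// Returns true only if the username exists and the password verifies.
// The caller learns nothing about which of the two was wrong.
function login(PDO $db, string $user, string $pw): bool
{
    // A hash of a throwaway value, used when the user does not exist so the
    // unknown-user path costs about the same time as the known-user path.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    // Bound parameter: $user is sent as data, so quotes in it cannot alter the
    // SQL the way string interpolation ("... WHERE user = '$user'") can.
    $stmt = $db->prepare('SELECT user, pw FROM users WHERE user = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);   // an object, like mysql_fetch_object()

    // Compare the pw FIELD ($row->pw), not the row object itself, which was the
    // bug in the original post ($checkpasswordresult != $pw).
    $storedHash = ($row === false) ? $dummyHash : $row->pw;
    $verified   = password_verify($pw, $storedHash);

    return $verified && $row !== false;
}

// Demo runs: right password, wrong password, unknown user, and a username
// containing a quote, which the prepared statement handles as plain data.
$db = openDemoDatabase();
$attempts = [
    ['alice',   'correct horse battery staple'],
    ['alice',   'wrong password'],
    ['mallory', 'anything'],
    ["o'brien", 'anything'],
];
foreach ($attempts as [$user, $pw]) {
    $msg = login($db, $user, $pw) ? 'logged in' : 'Username or password incorrect';
    printf("%-10s -> %s\n", $user, $msg);
}
```

Run it with `php login_demo.php` (any file name). Only the first attempt logs in; the other three all produce the same message, so a caller cannot tell an unknown username from a wrong password. password_verify() does the comparison in constant time and works with any hash produced by password_hash(), so the stored format can be upgraded later without changing this code.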