PHP

Hey guys, been working with some PHP lately, and I have run into a problem with one of my functions. I believe it has something to do with my query, but I'm not sure.

function login($f_email, $f_password) {
		
		// this isn't checking, therefore not executing the rest. 
		if($result = mysql_query("SELECT * FROM users WHERE Email = '$f_email' AND Password = 'f_password';")){
			$count = mysql_num_rows($result); 
			while($row = mysql_fetch_assoc($result)) {
				$db_email = $row['Email'];
				$db_password = $row['Password'];
				$db_name = $row['Name'];
			}
			if($count != 0)
			{
				if($f_email == $db_email && $f_password == $db_password)
				{
					session_start();
					$_SESSION['name'] = $db_name;
					$_SESSION['email'] = $db_email;
					header("location: ../profile.php");
				} else {
					echo 'Incorrect username and/or password';
				}
			} else {
				echo 'Account doesn\'t exist.';
			} 
		} else {
			echo 'Failed';
		}
	}
Try putting the $result variable outside of the if statement and var_dump it.

Also, just out of curiosity, why are you posting this question here? :)
You need to add the "$" before "f_password" in the SQL query, and there is no semi-colon at the end. That should make the query valid, provided the input to the function is good and your database is set up properly.
closed account (3hM2Nwbp)
My PHP is a bit rusty, but should it not be
 
if($result = mysql_query("SELECT * FROM `users` WHERE `Email` = '" . $f_email . "' AND `Password` = '" . $f_password . "';")){
Variable values will still be substituted in strings created with double quotes ("). Also, in SQL queries, the names of databases, tables and columns do not go in quotes; they stay as they are.
Still no dice... :(

Sorry lol. Posted here because a lot of people here on these forums seem knowledgeable on the subject of programming.
Get the errors:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\OnlineDocuments\func\functions.php on line 23

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\OnlineDocuments\func\functions.php on line 24

if I take out the if statement.
closed account (o3hC5Di1)
Hi there,

The mysql_query function takes 2 arguments, one is your connection resource, the other the query:

$conn = mysql_connect( <connection details> );
// mysql_query() takes the query first, then the optional link identifier
mysql_query(<query>, $conn);


On a side note, I cannot see what you are doing with the $f_email and $f_password variables outside of this function, but if you pass them straight from the user input, this code is vulnerable to SQL injection. This means a malicious attacker could retrieve, delete, or modify anything in your database.
Either escape the output with mysql_real_escape_string(); or, if you are serious about PHP, learn to use PDO (PHP Data Objects), offering you an object-oriented way to access databases and eliminating the possibility of SQL injection when used properly.

Hope that helps.

All the best,
NwN
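
The PDO approach recommended in the reply above, sketched as an added example that is not part of the original thread or any poster's code. Assumptions: an in-memory SQLite database with a constructed users table stands in for the poster's MySQL database, passwords are stored as password_hash() values instead of the plaintext the thread's code compares, and the account and inputs are constructed.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
// Against MySQL, use a mysql: DSN and also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // query errors throw instead of returning false

$pdo->exec('CREATE TABLE users (Email TEXT PRIMARY KEY, Password TEXT NOT NULL, Name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (Email, Password, Name) VALUES (:email, :hash, :name)');
$insert->execute([
    ':email' => 'alice@example.com',                              // constructed account
    ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT), // assumption: hashes, not plaintext
    ':name'  => 'Alice',
]);

/**
 * Look the user up by e-mail with a bound parameter, then verify the password.
 * Returns the row without the hash on success, or null on any failure.
 */
function login(PDO $pdo, string $email, string $password): ?array
{
    // :email is sent as data, never spliced into the SQL text, so quotes in
    // the input cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT Email, Password, Name FROM users WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['Password'])) {
        return null; // same answer for an unknown account and a wrong password
    }
    unset($row['Password']);
    return $row;
}

// Constructed inputs: a valid login, a wrong password, and an e-mail value
// containing quote characters, which the bound parameter treats as a literal string.
$cases = [
    ['alice@example.com', 'correct horse'],
    ['alice@example.com', 'wrong'],
    ["alice@example.com' OR '1'='1", 'anything'],
];
foreach ($cases as [$email, $password]) {
    $user = login($pdo, $email, $password);
    printf("%-32s => %s\n", $email, $user ? 'logged in as ' . $user['Name'] : 'rejected');
}
```

In a real page, the success branch is where session_start() and the redirect from the original function would go.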