Hello Andy,
Thursday, March 25, 2004, 11:57:09 AM, you wrote:
AB> SELECT COUNT(username) AS hits FROM users WHERE ..."
AB> dont know because then how would i verify that the valid user was logged in
AB> or if they typed the wrong stuff in??
Because it works like this:
SELECT COUNT(username) AS hits FROM users WHERE username='$u' AND
password='$p'
So.. if "hits" = 0, then no user with that username and password
combination exists.
If hits = 1 (or more!) then the user exists and their password
matches.
MySQL will run a COUNT query much faster than a SELECT, especially if
you have the main columns indexes.
AB> yikes!! good thing this is just a testing site...how to insert them if
AB> $_POST isnt the right way then??
Extract the values before-hand:
$username = $_POST['username'];
Now run tests on $username.
For example - should it be a minimum of 3 characters? If so, use
strlen to test this. Should it most certainly not contain HTML? Then
run it through strip_tags. Remove any extra spaces that might be
entered with trim(). Etc etc - you get the idea :) The final $username
can be fed into your query far more safely than before.
AB> Can we disagree here? if i take my original query (at the top of this email)
AB> and assign the result of it to a variable $UserExists like we did above and
AB> test it:
AB> if($UserExists) {//assuming the server found anything to start with
AB> echo $UserExists;
AB> //fortunately the server found a match somewhere because
AB> //the result of printing $UserExists is "Resource id #4"
This doesn't mean the server found a match, it means your query didn't
have any SQL syntax errors in it. An empty set is still a valid
resource, but it doesn't mean the given user does (or does not) exist.
AB> now if i just did: select * from users for num_of_rows i would get 3 for an
AB> answer because there are 3 rows in the table... and the "else" part would
AB> never be used...
You're not counting how many users are in the table, you're counting
to see if the username and password you gave exists, like so:
SELECT * FROM users WHERE username='$username' AND
password='$password'
Then you check mysql_num_rows.
It will equal 0 if no user was found matching your combination, or it
will return a number. If you have set your table so that Username must
be unique (which would be a sensible thing to do) then it could only
ever return a 0 or a 1.
AB> "Sometimes if this resource identifier equals the value of 1 then a loose
AB> comparison to "true" might exist, but only because PHP is determining this
AB> value as such, not because it really is a true boolean value."
AB> if that is so, then how do you explain the above??
Like I said, PHP is turning your resource identifier into a boolean
and assuming anything > 0 is TRUE.
AB> not if the comparison between the username/pwd from the form and the db are
AB> different...then they wouldnt be the same thing (thats why i compare the
AB> username against the password)
The MySQL query function doesn't care about the query itself, it's
just a means to pass it to the database. The result doesn't contain
any row information at all, just a resource which PHP uses to retrieve
the data via further functions.
See the following code I just wrote to double-check this:
First I created a MySQL database + table as such:
CREATE DATABASE test
CREATE TABLE `users` (`username` VARCHAR (30), `password` CHAR (32))
INSERT INTO users (username, password) VALUES ('rich',
'e1bfd762321e409cee4ac0b6e841963c')
INSERT INTO users (username, password) VALUES ('andy',
'81c3b080dad537de7e10e0987a4bf52e')
There we have 2 users (rich and andy), the passwords are MD5 hashes of
"php" and "mysql". I.e. the password for rich is "php" and andy is
"mysql".
You can save the following HTML/PHP into a file somewhere in your web
directory, it should run without modification other than perhaps the
MySQL server/username/password.
-- Cut from here --
<html>
<head>
<title>MySQL Test</title>
</head>
<body>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
Username: <input type=text name="username"><br>
Password: <input type=text name="password"><br>
<input type=submit>
</form>
<?php
mysql_connect('localhost','root','');
mysql_select_db('test');
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username='$username' AND
password=MD5('$password')";
if (isset($_POST['username']))
{
$result = mysql_query($sql);
echo $result . "<br>";
}
echo "<pre>";
print_r($_POST);
echo "</pre>";
echo "Rows Returned: " . mysql_num_rows($result) . "<br>";
echo "Comparing \$result to TRUE: if (\$result) : <br>";
if ($result)
{
echo "Valid user";
} else {
echo "Error?";
}
?>
</body>
</html>
-- End here --
Now if what you're saying is correct, the final "if result()" block
should only print "valid user" if the user exists in the database,
right?
For me it'll print "valid user" no matter what I do because the
query is always valid and that is all it's checking.
If I enter a valid username and password combo the result is reflected
in mysql_num_rows, as shown in the code.
Unless I have missed something significant from your original
code/query I'm at a complete loss as to how the above can give you any
kind of different result?
--
Best regards,
Richard Davey
http://www.phpcommunity.org/wiki/296.html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
