Hello Andy, Thursday, March 25, 2004, 11:57:09 AM, you wrote:
AB> SELECT COUNT(username) AS hits FROM users WHERE ..." AB> dont know because then how would i verify that the valid user was logged in AB> or if they typed the wrong stuff in?? Because it works like this: SELECT COUNT(username) AS hits FROM users WHERE username='$u' AND password='$p' So.. if "hits" = 0, then no user with that username and password combination exists. If hits = 1 (or more!) then the user exists and their password matches. MySQL will run a COUNT query much faster than a SELECT, especially if you have the main columns indexes. AB> yikes!! good thing this is just a testing site...how to insert them if AB> $_POST isnt the right way then?? Extract the values before-hand: $username = $_POST['username']; Now run tests on $username. For example - should it be a minimum of 3 characters? If so, use strlen to test this. Should it most certainly not contain HTML? Then run it through strip_tags. Remove any extra spaces that might be entered with trim(). Etc etc - you get the idea :) The final $username can be fed into your query far more safely than before. AB> Can we disagree here? if i take my original query (at the top of this email) AB> and assign the result of it to a variable $UserExists like we did above and AB> test it: AB> if($UserExists) {//assuming the server found anything to start with AB> echo $UserExists; AB> //fortunately the server found a match somewhere because AB> //the result of printing $UserExists is "Resource id #4" This doesn't mean the server found a match, it means your query didn't have any SQL syntax errors in it. An empty set is still a valid resource, but it doesn't mean the given user does (or does not) exist. AB> now if i just did: select * from users for num_of_rows i would get 3 for an AB> answer because there are 3 rows in the table... and the "else" part would AB> never be used... You're not counting how many users are in the table, you're counting to see if the username and password you gave exists, like so: SELECT * FROM users WHERE username='$username' AND password='$password' Then you check mysql_num_rows. It will equal 0 if no user was found matching your combination, or it will return a number. If you have set your table so that Username must be unique (which would be a sensible thing to do) then it could only ever return a 0 or a 1. AB> "Sometimes if this resource identifier equals the value of 1 then a loose AB> comparison to "true" might exist, but only because PHP is determining this AB> value as such, not because it really is a true boolean value." AB> if that is so, then how do you explain the above?? Like I said, PHP is turning your resource identifier into a boolean and assuming anything > 0 is TRUE. AB> not if the comparison between the username/pwd from the form and the db are AB> different...then they wouldnt be the same thing (thats why i compare the AB> username against the password) The MySQL query function doesn't care about the query itself, it's just a means to pass it to the database. The result doesn't contain any row information at all, just a resource which PHP uses to retrieve the data via further functions. See the following code I just wrote to double-check this: First I created a MySQL database + table as such: CREATE DATABASE test CREATE TABLE `users` (`username` VARCHAR (30), `password` CHAR (32)) INSERT INTO users (username, password) VALUES ('rich', 'e1bfd762321e409cee4ac0b6e841963c') INSERT INTO users (username, password) VALUES ('andy', '81c3b080dad537de7e10e0987a4bf52e') There we have 2 users (rich and andy), the passwords are MD5 hashes of "php" and "mysql". I.e. the password for rich is "php" and andy is "mysql". You can save the following HTML/PHP into a file somewhere in your web directory, it should run without modification other than perhaps the MySQL server/username/password. -- Cut from here -- <html> <head> <title>MySQL Test</title> </head> <body> <form action="<?=$_SERVER['PHP_SELF']?>" method="post"> Username: <input type=text name="username"><br> Password: <input type=text name="password"><br> <input type=submit> </form> <?php mysql_connect('localhost','root',''); mysql_select_db('test'); $username = $_POST['username']; $password = $_POST['password']; $sql = "SELECT * FROM users WHERE username='$username' AND password=MD5('$password')"; if (isset($_POST['username'])) { $result = mysql_query($sql); echo $result . "<br>"; } echo "<pre>"; print_r($_POST); echo "</pre>"; echo "Rows Returned: " . mysql_num_rows($result) . "<br>"; echo "Comparing \$result to TRUE: if (\$result) : <br>"; if ($result) { echo "Valid user"; } else { echo "Error?"; } ?> </body> </html> -- End here -- Now if what you're saying is correct, the final "if result()" block should only print "valid user" if the user exists in the database, right? For me it'll print "valid user" no matter what I do because the query is always valid and that is all it's checking. If I enter a valid username and password combo the result is reflected in mysql_num_rows, as shown in the code. Unless I have missed something significant from your original code/query I'm at a complete loss as to how the above can give you any kind of different result? -- Best regards, Richard Davey http://www.phpcommunity.org/wiki/296.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php