
Thread: login form - how to match form data with the data in database.

  1. #1
    Join Date
    Jun 2014
    Posts
    14

    login form - how to match form data with the data in database.

    I'm trying to make a login form in PHP and I'm stuck on the part where it matches the value filled in by the user against the data stored in the database (MySQL). I'm not sure where I'm making the error, as I'm new to PHP, so please help.

    <?php

    include("dbinfo.inc.php");
    $con=mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");
    $query="SELECT * FROM agents";
    $result=mysql_query($query) or die(mysql_error());
    $num=mysql_numrows($result);
    //print $num;

    if($num > 0)
    {
    $sql = "SELECT agent FROM agents WHERE agent='$_POST[agent1]'
    AND street='$_POST[street1]'";
    $result2 = mysql_query($sql) or die("Query died: fpassword");
    $num2 = mysqli_num_rows($result2);
    //print $num2;
    }
    if($num2 > 0) //password matches
    {
    echo "match it is !!";
    }
    ?>
    Explanation: I want my form to match the data entered by the user in "agent1 and street1" field against the data already stored in the database and if it matches then show me the next page.

    Thanks.

  2. #2
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    878
    1 - post your code properly next time. Read the forum rules first.

    2 - Do NOT use the @operator. Where did you learn this? Especially on a query call which you really MUST check for success before proceeding. Why would one ever want to suppress an error report of a failed operation? Makes no sense. That's like saying "don't tell me if I'm wrong - I'm going to do it anyway."

    3 - When you read up on these functions in the PHP manual (link at top of forum site) did you not see the highlighted box telling you NOT to use the MYSQL_* functions? Use mysqlI or PDO for your db access.

    Now looking at your code:
    You do a query of an entire table 'agents'. Great. But why? You then check if you have any results at all and then you proceed to do a query against the same table again, this time only looking for a specific agent value. Great - that's more like it except one should never use unsanitized data as an input argument in a query. You need to use prepared queries (not avail btw in MySQL_* extension) to be safe. You then check the number of rows returned using an entirely different extension's function (mysqli). Why switch horses in mid-script? And lastly - if you did not find a row that matches your input values you blame it on a bad password. Why do you say that since a password has not been mentioned in your script at all?

    PS - your syntax is wrong on your post references. A PROPER (IMHO) reference to an array (which $_POST is) looks like: $_POST['index']. The index of an associative array should be in quotes unless it is a variable or a constant name.

  3. #3
    Join Date
    May 2014
    Posts
    9
    Hey there,

    As mentioned above by ginerjm there are some poor techniques used, but that's not the issue at hand.

    PHP Code:
    <?php

    include("dbinfo.inc.php");
    $con=mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");
    $query="SELECT * FROM agents";
    $result=mysql_query($query) or die(mysql_error());
    $num=mysql_numrows($result);
    //print $num;

    if($num > 0)
    {
    $sql = "SELECT agent FROM agents WHERE agent='$_POST[agent1]'
    AND street='$_POST[street1]'";
    $result2 = mysql_query($sql) or die("Query died: fpassword");
    $num2 = mysqli_num_rows($result2);
    //print $num2;
    }
    if($num2 > 0) //password matches
    {
    echo "match it is !!";
    }
    ?>
    To get to the actual issue, your query needs to be able to find the right row. First, you're using both MySQL and MySQLi. Ditch MySQL since it's deprecated and MySQLi is better.

    PHP Code:
    // $con must be a mysqli connection here (e.g. from mysqli_connect()), not the mysql_connect() handle.
    // This adds slashes to apostrophes so your query will work properly.
    $agent = mysqli_real_escape_string($con, $_POST['agent1']);
    $street = mysqli_real_escape_string($con, $_POST['street1']);

    // If there is an error in the query, this will kill your script and tell you what the error is so you can fix it immediately.
    $sql = mysqli_query($con, "SELECT agent FROM agents WHERE agent='$agent' AND street='$street'") or die(mysqli_error($con));
    Hope this helps.


    Kalob
    Last edited by jedaisoul; 08-01-2014 at 05:50 PM. Reason: advertising link removed
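
Post #2's advice to use prepared queries, worked through for the thread's agent/street lookup with PDO. This is an added example, not code posted by anyone in the thread; the in-memory SQLite database, the sample rows and the `agent_matches` helper are assumptions made so it runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory stands in for MySQL so the example runs offline.
// Against MySQL only the DSN and credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw, nothing is suppressed

// Constructed sample rows, using the thread's table and column names.
$pdo->exec('CREATE TABLE agents (agent TEXT NOT NULL, street TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO agents (agent, street) VALUES (?, ?)');
$seed->execute(['smith', '12 Elm Street']);
$seed->execute(["o'brien", '4 Oak Lane']);

/** Hypothetical helper: true when the submitted agent/street pair is stored. */
function agent_matches(PDO $pdo, $agent, $street): bool
{
    // Missing fields and array input (agent1[]=x) are rejected before the query runs.
    if (!is_string($agent) || !is_string($street) || $agent === '' || $street === '') {
        return false;
    }
    // Placeholders keep the SQL text fixed; the values are sent separately as data.
    $stmt = $pdo->prepare(
        'SELECT 1 FROM agents WHERE agent = :agent AND street = :street LIMIT 1'
    );
    $stmt->execute([':agent' => $agent, ':street' => $street]);
    return $stmt->fetchColumn() !== false; // false means no row came back
}

// Constructed submissions standing in for $_POST['agent1'] and $_POST['street1'].
$submissions = [
    ['smith', '12 Elm Street'],           // stored pair
    ["o'brien", '4 Oak Lane'],            // apostrophe needs no manual escaping
    ['smith', 'wrong street'],            // agent exists, street does not match
    ["smith' OR 'a'='a", "x' OR 'a'='a"], // quote characters are compared literally
    [['smith'], '12 Elm Street'],         // array instead of a string
];
foreach ($submissions as [$agent, $street]) {
    $verdict = agent_matches($pdo, $agent, $street) ? 'match' : 'no match';
    printf("%-24s => %s\n", json_encode($agent), $verdict);
}
```

Only the first two submissions are stored pairs; the quote-bearing and array inputs reach the database as plain values or are rejected up front, so they cannot change the query.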
