
View Full Version : MySQL fetch row problem



xGIHavoc
12-19-2006, 08:14 PM
Hiya, I'm making a login script and have come pretty far but can't get this mysql fetch row statement to function properly. Here is my code that links to it.



$check = mysql_query("SELECT username, password, level FROM users WHERE username = '".$_POST['uname']."'") or die(mysql_error());
$checknumrow = mysql_num_rows($check);

if ($checknumrow == 0)
{
    die('That username does not exist in our database.');
}

$info = mysql_fetch_row($check);

$_POST['passwd'] = stripslashes($_POST['passwd']);
$info['password'] = stripslashes($info['password']);
$_POST['passwd'] = md5($_POST['passwd']);

if ($_POST['passwd'] != $info['password'])
{
    die('Incorrect password, please try again.');
}


When I try logging in with the correct password it says incorrect password. :/

I don't think I'm using it correctly but how would I make it be able to execute the code below it? Thanks in advance. :)

Tyree
12-19-2006, 08:34 PM
First, I'd reduce all this to a simpler bit:


$_POST['passwd'] = stripslashes($_POST['passwd']);
$info['password'] = stripslashes($info['password']);
$_POST['passwd'] = md5($_POST['passwd']);


To...


$pword = md5(stripslashes($_POST['passwd']));
$matchPword = stripslashes($info['password']);


I'm assuming your password in your db table is stored in md5 format?

xGIHavoc
12-19-2006, 08:40 PM
"I'm assuming your password in your db table is stored in md5 format?"
Yes it is.

Tyree
12-19-2006, 08:46 PM
Actually, I don't see any reason why you need to run stripslashes on your posted password. It shouldn't have any unneeded slashes in it. You may want to add trim() to it though. That'll take off any additional whitespace on either end of the password string. Like:


$pword = md5(trim($_POST['passwd']));


Otherwise, I don't see any reason that this code wouldn't work if your password is stored in md5 format.

Try the changes I suggested and see what happens.

xGIHavoc
12-19-2006, 08:51 PM
Nope, didn't work. I think the problem is on these lines:

$info = mysql_fetch_row($check);
and
if ($_POST['passwd'] != $info['password'])

Brandoe85
12-19-2006, 08:53 PM
You may even want to save yourself a little work and alter your query to check for password as well, then all you need is your mysql_num_rows check.
if rows > 0 you are logged in, else login failed.

good luck;

Tyree
12-19-2006, 08:54 PM
Switch from mysql_fetch_row to mysql_fetch_assoc. That'll give you the field names as keys.

Brando's right though...could save you a lot!

xGIHavoc
12-19-2006, 09:12 PM
Well, I have the rest done so I don't need to worry about more work, just the little snippet ;)

I was originally using the PEAR:: DB classes but since my host doesn't support it and I'm not only making this for myself, I want to convert it to plain MySQL. This is the only part I've had trouble in.

Originally I had this and it worked fine:


$check = $db_object->query("SELECT username, password, level FROM users WHERE username = '".$_POST['uname']."'");

if (DB::isError($check) || $check->numRows() == 0) {
    die('That username does not exist in our database.');
}

$info = $check->fetchRow();

$_POST['passwd'] = stripslashes($_POST['passwd']);
$info['password'] = stripslashes($info['password']);
$_POST['passwd'] = md5($_POST['passwd']);

if ($_POST['passwd'] != $info['password']) {
    die('Incorrect password, please try again.');
}


But since I no longer can use the PEAR:: DB classes I can't use that anymore. :(

If I can get this one part to work, the rest is fine and easy to convert. ;)

Tyree
12-19-2006, 09:20 PM
What brando suggested is gold. That's your ticket. There's no reason it shouldn't work.


$uname = trim($_POST['uname']);
$passwd = md5(trim($_POST['passwd']));

$check = mysql_query("SELECT username, password, level FROM users WHERE username = '$uname' AND password='$passwd'") or die(mysql_error());
$checknumrow = mysql_num_rows($check);

if ($checknumrow == 0)
{
    die('That username does not exist in our database.');

} else {

    // User is good to go!

}

xGIHavoc
12-19-2006, 09:34 PM
Ah, that helped a great bunch. Thanks guys, at first I didn't get what you meant Brandoe.

Since I wanted two checks like the previous version, one for the username and one for the password... I did this:



$check1 = mysql_query("SELECT username FROM users WHERE username = '".$_POST['uname']."'") or die(mysql_error());
$check1numrow = mysql_num_rows($check1);

if ($check1numrow == 0)
{
    die('That username does not exist in our database.');
}

$password = md5(trim($_POST['passwd']));

$check2 = mysql_query("SELECT password FROM users WHERE password = '".$password."'") or die(mysql_error());
$check2numrow = mysql_num_rows($check2);

if ($check2numrow == 0)
{
    die('Incorrect password, please try again.');
}

Tyree
12-19-2006, 09:37 PM
Cool cool...glad it worked!
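
The login check from this thread, as an added example that is not any poster's code: it binds the username with a prepared statement instead of concatenating $_POST into the query, fetches the row by column name, and verifies the password against that user's own stored hash with password_hash()/password_verify() rather than a separate md5 lookup. The in-memory SQLite database via PDO, the sample users and the check_login() name are assumptions constructed for the example; the users table columns are the ones used in the thread.

```php
<?php
// Added example. Constructed data: in-memory SQLite (needs pdo_sqlite) and two sample users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, level INTEGER NOT NULL)');

// Store a salted, deliberately slow hash rather than md5().
$ins = $pdo->prepare('INSERT INTO users (username, password, level) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 1]);

// check_login() is a hypothetical helper: returns the user's row without the hash, or null on any failure.
function check_login(PDO $pdo, string $uname, string $passwd): ?array
{
    static $dummy = null;
    if ($dummy === null) {
        // Verified when the username is unknown, so both failure paths do the same work.
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    // The ? placeholder binds the value; input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT username, password, level FROM users WHERE username = ?');
    $stmt->execute([$uname]);

    // FETCH_ASSOC keys the row by column name, so $info['password'] exists.
    $info = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the hash stored for this username only.
    $ok = password_verify($passwd, $info ? $info['password'] : $dummy);
    if (!$info || !$ok) {
        return null; // one generic failure, no hint whether the username exists
    }
    unset($info['password']);
    return $info;
}

// Constructed login attempts: valid, wrong password, another user's password, username containing quotes.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['alice', 'hunter2'],
    ["alice' OR '1'='1", 'x'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-20s %s\n", $u, check_login($pdo, $u, $p) ? 'login ok' : 'login failed');
}
```

The mysql_* functions used in the thread were removed in PHP 7.0; the same prepared-statement pattern works against MySQL by changing only the PDO connection string.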


