MySQL fetch row problem

xGIHavoc · 12-19-2006, 07:14 PM

Hiya, I'm making a login script and have come pretty far but can't get this mysql fetch row statement to function properly. Here is my code that links to it.

PHP Code:


			
        $check = mysql_query("SELECT username, password, level FROM users WHERE username = '".$_POST['uname']."'") or die(mysql_error());
    $checknumrow = mysql_num_rows($check);
        
    if ($checknumrow == 0)
    {
        die('That username does not exist in our database.');
    }

    $info = mysql_fetch_row($check);

    $_POST['passwd'] = stripslashes($_POST['passwd']);
    $info['password'] = stripslashes($info['password']);
    $_POST['passwd'] = md5($_POST['passwd']);

    if ($_POST['passwd'] != $info['password'])
    {
        die('Incorrect password, please try again.');
    }

When I try logging in with the correct password it says incorrect password. :/

I don't think I'm using it correctly but how would I make it be able to execute the code below it? Thanks in advanced.

Tyree · 12-19-2006, 07:34 PM

First, I'd reduce all this to a simpler bit:

PHP Code:


			
$_POST['passwd'] = stripslashes($_POST['passwd']);

$info['password'] = stripslashes($info['password']);

$_POST['passwd'] = md5($_POST['passwd']);

To...

PHP Code:


			
$pword = md5(stripslashes($_POST['passwd']));

$matchPword = stripslashes($info['password']);

I'm assuming your password in your db table is stored in md5 format?

xGIHavoc · 12-19-2006, 07:40 PM

Quote:

I'm assuming your password in your db table is stored in md5 format?

Yes it is.

Tyree · 12-19-2006, 07:46 PM

Actually, I don't see any reason why you need to run stripslashes on your posted password. It shouldn't have any unneeded slashes in it. You may want to add trim() to it though. That'll take off any additional whitespace on either end of the password string. Like:

PHP Code:


			
$pword = md5(trim($_POST['passwd']));

Otherwise, I don't see any reason that this code wouldn't work if your password is sotred in md5 format.

Try the changes I suggested and see what happens.

xGIHavoc · 12-19-2006, 07:51 PM

Nope, didn't work. I think the problem is on these lines:

PHP Code:


			
$info = mysql_fetch_row($check);

and

PHP Code:


			
    if ($_POST['passwd'] != $info['password'])

Brandoe85 · 12-19-2006, 07:53 PM

You may even want to save yourself a little work and alter your query to check for password as well, then all you need is your mysql_num_rows check.
if rows > 0 you are logged in, else login failed.

good luck;

Tyree · 12-19-2006, 07:54 PM

switch from mysql_fetch_row to mysql_fetch_assoc. That'll give you the field names as keys.

Brando's right though...could save you a lot!

xGIHavoc · 12-19-2006, 08:12 PM

Well, I have the rest done so I don't need to worry about more work, just the little snippet

I was originally using the PEAR:: DB classes but since my host doesn't support it and I'm not only making this for myself, I want to convert it to plain MySQL. This is the only part I've had trouble in.

Originally I had this and it worked fine:

PHP Code:


			
    $check = $db_object->query("SELECT username, password, level FROM users WHERE username = '".$_POST['uname']."'");

    if (DB::isError($check) || $check->numRows() == 0) {
        die('That username does not exist in our database.');
    }

    $info = $check->fetchRow();

    $_POST['passwd'] = stripslashes($_POST['passwd']);
    $info['password'] = stripslashes($info['password']);
    $_POST['passwd'] = md5($_POST['passwd']);

    if ($_POST['passwd'] != $info['password']) {
        die('Incorrect password, please try again.');
    }

But since I no longer can use the PEAR:: DB classes I can't use that anymore.

If I can get this one part to work, the rest is fine and easy to convert.

Tyree · 12-19-2006, 08:20 PM

What brando suggested is gold. That's your ticket. There's no reason it shouldn't work.

PHP Code:


			
$uname = trim($_POST['uname']); 

$passwd = md5(trim($_POST['passwd'])); 



$check = mysql_query("SELECT username, password, level FROM users WHERE username = '$uname' AND password='$passwd'") or die(mysql_error());

    $checknumrow = mysql_num_rows($check);

        

    if ($checknumrow == 0)

    {

        die('That username does not exist in our database.');



    } else {



        User is good to go!



    }

xGIHavoc · 12-19-2006, 08:34 PM

Ah, that helped a great bunch. Thanks guys, at first I didn't get what you meant Brandoe.

Since I wanted two checks like the previous version, one for the username and one for the password... I did this:

PHP Code:


			
    $check1 = mysql_query("SELECT username FROM users WHERE username = '".$_POST['uname']."'") or die(mysql_error());
    $check1numrow = mysql_num_rows($check1);
        
    if ($check1numrow == 0)
    {
        die('That username does not exist in our database.');
    }

    $password = md5(trim($_POST['passwd']));

    $check2 = mysql_query("SELECT password FROM users WHERE password = '".$password."'") or die(mysql_error());
    $check2numrow = mysql_num_rows($check2);
        
    if ($check2numrow == 0)
    {
        die('Incorrect password, please try again.');
    }

Tyree · 12-19-2006, 08:37 PM

Cool cool...glad it worked!