some php sql help needed

[daktarie]

php Mysql for dummies and google got me going but now im stuck

the database is oke but i made a error in the query some where it needs to control if user and password combination exists
im puzzeling for 2 day's now and dont get it to run right.
when it runs it go's direct tho the ELSE statement
and display's the wrong blblblaaaaaa text
so my gues is i have the query wrong but cant figure out what.
any help would be great

PHP Code:


<title>Untitled Document</title>
</head>

<body>
<?php

// data base access
include('xxxx');
 


mysql_connect($host, $username, $password)or die(mysql_error());
mysql_select_db($database)or die(mysql_error());

$db_name="daktarie_GPRO";
$tbl_name="registered_members";

$name=$_POST['username'];
$password=$_POST['password'];

$sql = 'SELECT * FROM `registered_members` WHERE name=\'".$name."\' and password=\'".$password."\'""';
$result=mysql_query($sql);

if($count==1){

$_SESSION['username'] = $name; 
$_SESSION['password'] = $password;
header("location:login_success.php");
}

else {
echo "<center><font size='5'>Wrong password or username";
}

?> 
</body>
</html>

[DJHolliday]

I'm missing a line here.
Something like:
'$count = mysql_num_rows($result)'

Otherwise I don't see any relation between your SQL Statement and your $count variable.
But maybe I'm missing something else here.

[flinx]

I'm missing a line here.
Something like:
'$count = mysql_num_rows($result)'

Otherwise I don't see any relation between your SQL Statement and your $count variable.
But maybe I'm missing something else here.

True.

And there's something wrong with the query string too. You start the string with a single quote, and close it with a double quote when you want to add the $name and $password. Just use double quotes at the beginning and the end of the whole string. That way PHP will substitute the two variables with their value:

PHP Code:

$sql = "SELECT * FROM registered_members WHERE name='$name' and password='$password'"; 


Another thing: never use user inserted values in your queries without validation:

PHP Code:

$name=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']); 


One last thing (though maybe the book will talk about that later on): never save passwords in plaintext. Save them encrypted, for example using the MD5 function.
In that case, you would have something like this to get the $password:

PHP Code:

$password=md5(mysql_real_escape_string($_POST['password'])); 


[Slothie]

Quicknote: IF you're gonna md5 it, you don't have to escape it. I have never seen a non-escaped md5 hash.

[daktarie]

I'm missing a line here.
Something like:
'$count = mysql_num_rows($result)'

Otherwise I don't see any relation between your SQL Statement and your $count variable.
But maybe I'm missing something else here.

yup your right i posted on accedent the wrong version
i edited the sugested parts but still with the same result i hate it that i just canrt find out why

[daktarie]

im getting a bit closer to solving the problem.

now i get this error

Parse error: syntax error, unexpected T_VARIABLE in /home/daktarie/public_html/checklogin.php on line 22

22 is this line $count = mysql_num_rows($result)
but the error must be above it i gues

so im missing something but im taping in the blind what it is :dunno:
plz help this old guy is running out of paracetemol

PHP Code:

<?php

//database acces
include(xxxxx);
 


mysql_connect($host, $username, $password)or die(mysql_error());
mysql_select_db($database)or die(mysql_error());

$db_name="daktarie_GPRO";
$tbl_name="registered_members";

$name=mysql_real_escape_string($_POST['myname']);
$password=mysql_real_escape_string($_POST['mypassword']);  

$sql = "SELECT * FROM registered_members WHERE myname='$name' and mypassword='$password'";
$result=mysql_query($sql);

if(!$result){die(mysql_error()

$count = mysql_num_rows($result)



if($count==1){

$SESSION ['myname'] = $name; 
$SESSION_ ['mypassword'] = $password;
header("location:member_page.php");
}

else {
echo "<center><font size='5'>Wrong password or username";
}

?>

[DefecTalisman]

Ok, I could be far from wrong here, but shouldnt it look more like:

PHP Code:

<?php 

....

$result=mysql_query($sql); 

if(!$result)
{
 die(mysql_error() );
}
else
{
 $count = mysql_num_rows($result);
}

...

?>

[Cj555]

it should be

PHP Code:

$_SESSION['myname'] = $name;
$_SESSION['mypassword'] = $password; 


as opposed to what youve written with _'s all over the place...
Edit:
and

PHP Code:

if(!$result){die(mysql_error() 


is wrong

should be...

PHP Code:


if(!$result)
die(mysql_error()); 


[daktarie]

thanx guys that error check was the part causing the error got it works now

[mvmusic]

regarding escaping strings: if you are going to use mysql_real_escape_string, do stripslashes() first (unless you have PHPv3). magic_quotes_gpc are enabled for v2 and v3 which could cause frustration later on