0

Hello,

I have a members area on my website. I'm trying to check if a user with a specific username and id has logged in, and then echo a string of text on page B (members area page) if its them.

The user logs in on page A (login page). Their details are then carried over to page B (members area page) using session variables... then on page B (members area page) I try to use a mysql query to make sure the username matches the one that is entered on page A (login page), and the id of that username is 1. If both conditions are met, it should echo the string 'Hello Mike click here for more info'

But if only one condition is met, it should'nt echo anything!

Trouble is it's not working! Can anyone help?

Displayed below is the code on page B (members area page):

<?php
@session_start();
$host="host"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="dbname"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
$con = mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Session variable containing username carried forward from previous page
$myusername = $_SESSION['myusername'];

// query to check that checks to see username entered exists in database, and matches record with id of 1
$result="SELECT username FROM members WHERE username = ". $myusername. " AND  id = ". 1 ." limit 1";
mysql_query($result, $con);

// Takes correct username, checks it against session variable stored in variable $myusername. IF condition is true, echo string of text. 
if($result = $myusername){
//display
    echo'Hello Mike click here for more info';
}
?>

Cheers,

Paul.

4
Contributors
9
Replies
35
Views
4 Years
Discussion Span
Last Post by pedal123
0

Please change your connection as this

$con = mysql_connect($host, $username, $password) or die(mysql_error());

And then tell us what error it gives to you.

But the problem is at your query.

This is your query.

$result="SELECT username FROM members WHERE username = ". $myusername. " AND id = ". 1 ." limit 1";

Change it to this, the problem is it with your username, you have to pass it like a string.

$result='SELECT username FROM members WHERE username = "'.$myusername.'" AND id = '.1.' LIMIT 1';

Edited by Szabi Zsoldos

0

Never use
$result='SELECT username FROM members WHERE username = "'.$myusername.'" AND id = '.1.' LIMIT 1';

This statement can be easily hacked using mysql injection.
For eg:- if you enter in your username as " or "1"='1

Try to use prepared statement.

0

Hi Szabizs,

Thanks for posting. I did as you said, and got the following error:

 Parse error: syntax error, unexpected '.1' (T_DNUMBER) in /homepages/32/d88101203/htdocs/ChardChainGang/wp-content/themes/twentytwelve/page-templates/login-success.php on line 77

This is the line with the query- $result='SELECT username FROM members WHERE username = "'.$myusername.'" AND id = '.1.' LIMIT 1';

Cheers,

Paul.

Edited by pedal123

0

oh, my bad :)
Try this.

$result='SELECT username FROM members WHERE username = "'.$myusername.'" AND id = 1 LIMIT 1';

As IIM said, it would be wiser to use the PDO class rather than mysql but for starters you cand use this on the username mysql_real_escape_string($myusername)

Edited by Szabi Zsoldos

0

Hi Szabizs,

Sorry about the delay in reply... Thanks for the security tips guys, I've used stripslashes() and mysql_real_escape_string() on the variables as yourself and IIM suggested.

I've now got a new error code now... not really sure why, never had this one before. The error code is:

Warning: mysql_connect(): Unknown MySQL server host 'host' (1) in /homepages/32/d88101203/htdocs/ChardChainGang/wp-content/themes/twentytwelve/page-templates/login-success.php on line 70

Cheers,

Paul.

0

Please post the line 70 from your login-success.php fie
It seems that you have a host string instead of a $host variable in your connection string.

For this you should create a dbconfig.php file that you would include in each of your files.

0

Hi Szabizs,

Okay, I see where I went wrong. I fixed the problem with the host string. But the mysql query doesnt seem to be working (i.e. it doesnt matter who I login with... it displays the string

echo'Hello Mike click here for more info';

Any thoughts as to why it would display this for any user, as opposed to just the user with an id of 1 in the table members??

Cheers,

Paul.

Edited by pedal123

0

Any thoughts as to why it would display this for any user

Yes. Because it's flawed. $result is a string to which you assign $myusername, that will always evaluate to true. I think you want to compare them, for which you need to use ==.

The next problem you will have is that that equation will always be false. You need to capture the output of mysql_query in a variable, and then use one of the fetch functions to get the actual username.

1

Hi pritaeas,

Thanks for the post. I thought about what you said and it really made sense. So I approached it in a different way using a fetch function and it worked - stoked!

<?php
@session_start();
$host="host"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="dbname"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db("$db_name")or die("cannot select DB");

// Session variable containing username carried forward from previous page
$myusername = $_SESSION['myusername'];

$sql = "SELECT * from members"; //Select All
$result = mysql_query($sql);
while($row = mysql_fetch_assoc($result)) { 
    if($row['id'] == 1) 
    {
         $logininfo = $row['username'];

            if($logininfo == $myusername){
                echo 'Hello Mike click here for more info';
            }
    }
}
?>

Thanks to szabizs, IIM and yourself for taking the time to help me out. I really appreciate it :o)

Cheers,

Paul.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.