I am writing section in my program to update a user, and there is password and confirm passwords. I dont want to do anything to the password field in the DB unless they have filled the fields in.
So I have error checking for:
if(($sql['password']!="") && ($sql['cpassword']!=""))
{
if($sql['password'] == $sql['cpassword'])
{
//update
}
}
However I want to write a quick line to throw an error message if they only filled out one of the password fields. So I figured:
if($sql['password'] ^ $sql['cpassword'])
{
echo You must fill out <i>both</i> password fields and they <i>must</i> match.";
}
Would do it, but It doesnt seem to. Then I added a NOT operator, !, and that seemed to work well, however if both fields have nothing in them, I still get the error message :(
From the logic I can see from this answer, It would seem that simple XOR would work. But
But it doesnt, Can someone explain to me why?
XOR certainly is not what you want here.
As David states, XOR will return a "true" result if the values are different, however when you XOR two strings the XOR operation is only done up to the point of the shortest string.
Examples
'AAAA' ^ 'AAAA' This returns an empty string (false-equivalent value) as the values are the same.
'AAAA' ^ 'bbbb' This returns an non-empty string (true-equivalent value)..
'AAAA' ^ 'AAAAbbbb' This returns an empty string (false-equivalent value), even though the strings are different. This is because the result of the operation only considers the first 4 characters.
In Sandy Lee's example (bool)$string does not really help.
(bool)'0' = false
(bool)'1' = true
This does not tell you if the string is empty or not. It simply gives you the boolean-equivalent value of the string.
There is no need to use XOR here at all. It's not the right tool for the job. There is no need to try and do anything fancy either, the simple tools work perfectly.
$password = trim($password);
$confirm = trim($confirm);
if (!$password || !$confirm) {
// One of the fields was not completed.
}
elseif ($password !== $confirm) {
// Fields did not match
}
else {
// Update password
}
Related
I am getting an array, and I filter it to get just the text, in the text I am looking for something like "20/" Making sure the 20/ exist then if it does, it will go to another part of the code BUT I can't seem to figure out how to get it recognized if its a 1-9/ to 20/.
if ($spot = strpos($dir[$x]->output, '9/')) {
echo "Valid";
}
else {
gotto2();
}
So, it doesn't ever find it, but if I remove the number, it'll find the "/".
your if condition is all wrong.
try this,
if (false !== strpos($dir[$x]->output, '9/')) {
echo "Valid";
}
your doing assignment to $spot ( single = ) even a double == is not suffencient to check because if the position is 0, you need to check for Boolean false strictly ( or in this case true, but we dont care about the position so valid is 0 to any pos ) and we cant look for boolen true , so we check for anything but boolean false
if this doen't work you will have to post the input string as well.
Halo, I got a If statement here but is not working.
The system just pass me to the last page which I set it.
And that is not what I want.
What I want here is when the user login, the system automatic check the user belong to which department and send them to the correct page.
$departmentsql="SELECT department FROM staff_table";
$departmentsqlresult=mysql_query($departmentsql);
$departmentcount=mysql_num_rows($departmentsqlresult);
if($departmentcount == "A"){
header("location:departmentA.php");
}
else if($departmentcount == "B"){
header("location:departmentB.php");
}
else if ($departmentcount == "C"){
header("location:departmentC.php")
}
The system just send me to the departmentC.php every time, no matter which user I login.
And that is not what I want.
Can anyone tell me whats wrong with my code?
Appreciate for your answer. Thanks
You have 2 errors :
if($departmentcount == "A"){
header("location:departmentA.php");
}
>> $departmentcount will contain a numric value
PHP doesn't implictyly typecast, so when you compare 2 values, it treats both of them of same type.
On comparison, since you are comparing $departmentcount with a char, it'll expect $departmentcount to contain char value too, which is not the case...so condition becomes false for all of your if and elseif, hence no output
Compare it like
if($departmentcount == 10) //compare with number
>> when you'll compare successfully, header wont redirect, because your syntax for header is also incorrect
Correct it this way :
header("Location: departmentA.php");
/* you need a ^^ space here */
First you do not seem to be taking the logged in user and doing a lookup that way, it seems currently you would return all departments regardless of the user who has logged in.
Next mysql_num_rows returns the number of rows returned in that query you would need mysql_fetch_row, mysql_fetch_object etc
You did mistake use mysql_fetch_array
$departmentsql="SELECT department FROM staff_table";
$departmentsqlresult=mysql_query($departmentsql);
$departmentcount=mysql_fetch_array($departmentsqlresult);
if($departmentcount[0] == "A"){
header("location:departmentA.php");
}
else if($departmentcount[0] == "B"){
header("location:departmentB.php");
}
else if ($departmentcount[0] == "C"){
header("location:departmentC.php")
}
First you have to check what's the basic difference between mysql_num_rows and mysql_fetch_array . As suggested by other it will works fine.
If still you facing issue then to use "===". comparing values in php.
I am sure that I am simply overlooking something, and I spent a few days working on this and cant seem to figure it out.
after logging in on the previous page I get the username and password,
$username = mysql_escape_string($_POST['adminusername']);
$password = mysql_escape_string($_POST['adminpassword']);
and then I go to the database to pull the username and password from the database,
$sql = "SELECT username, password FROM `weaponsadmin`";
$rows = $db->query($sql); while ($record = $db->fetch_array($rows)) {
now here is the part that is confusing me, if i have the following, no matter what I use for the username or password, it will NOT allow for me to login,
if ( ($record[username]==$username) && ($record[password]==$adminpassword) ){
$_SESSION['loggedin'] = true;
$_SESSION['username'] = $adminusername;
header( "Location: admin.php" ) ;
}
else {
header( "Location: index.php?login=error" ) ;
}
however if I use the following, it will allow me to login in if the username is correct, but it allows for me to input anything for password and it works,
$adminusername = $record[username];
$adminpassword = $record[password];
if ( ($adminusername==$username) && ($adminpassword==$adminpassword) ) {
$_SESSION['loggedin'] = true;
$_SESSION['username'] = $adminusername;
header( "Location: admin.php" ) ;
}
else {
header( "Location: index.php?login=error" ) ;
}
So in summary for some reason the && part doesn't seem to work correctly and if somebody could help me with the code and let me know where my code could be improved for better security and how to make this work correctly, thanks
what is the point here $adminpassword==$adminpassword :
i think it should be:
if ( ($adminusername==$username) && ($adminpassword==$password) ){
$record[username] should be $record["username"] (and so on). indexes are strings or int
You're using arrays wrong.
You expect: $record[username]; //retrieve contains of key "username"
What really happens:
$record[username];
/*
retrieves a key in the record array under the key which is a value of a
constant named "username" (if it's defined) and an empty string with
E_WARNING if it's not.
*/
You need to either single or double quote the index names, for example $records['username'].
However, you can use unquoted array indexes inside of a string (and these will work as you expect) -> $someString = "Blahblahblah, ergo $record[username] is a donkey.";.
You can use === instead of ==. Read this.
strcmp() isn't necesarry here.
To add to Michael's answer, the reason why you should not use == for string comparison (hopefully this will help you navigate similar difficulties in the future) is that when you call a simple == on an object (such as a string, or really anything other than an int, double, float, char, long, short, or boolean, in most languages), what you're really comparing is the address in memory of each object, that is, the pointer value.
This is useful if you want to know if two variables are referencing the same object, but not so useful if you want to know if two objects are identical. So this is true:
$string_a = $some_string;
$string_b = $some_string;
$string_a == $string_b;
but this is not:
$string_a = getUserInput(); # user types in "hello"
$string_b = getUserInput(); # user types in "hello"
$string_a == $string_b;
and this may be true depending on the language you're in, if it stores string literals in memory independently of the user-defined variables to which they are attached:
$string_a = "hello";
$string_b = "hello";
$string_a = $string_b;
So unless you're checking to see if two objects are in fact the same object, and not merely identical, use, as those before me suggested, a function to compare the two. Such a function usually goes down to the level of primitive types, which can be compared using == as you would expect, and returns true if all of those comparisons do.
Don't use == for string comparison. Instead, use strcmp() or === to match strings.
I am trying to compare two strings I get from a password form in HTML.
They are being stored in variables from $_POST. I print them out and they look the same, but the code below will never evaluate to true, only false. Why does that happen?
//Verify the passwords match
if( ($passwd != $pass_confirm) && ($new_email != $email_confirm) ){
echo "Email and/or password do not match";
return FALSE;
}
I appreciate any help.
For your code to show the error message, both the email and password must be wrong.
Try using || instead of &&, so the error is shown when just one of them is wrong.
If you print them out and they look the same, you might have a trailing newline character problem. Perhaps you could try trimming the strings before comparison? Doing a var_dump might help to pinpoint the problem because it shows the length of the string.
Also, I would suggest the following check (note the || and strict comparison operators):
if ($passwd !== $pass_confirm || $new_email !== $email_confirm) {
echo "Email and/or password do not match";
return false;
}
$alerter2="false";
for ( $counter = 0; $counter <= count($filter); $counter++) {
$questionsubmitted=strtolower($_POST[question]);
$currentcheck =$filter[$counter];
$foundvalue=stripos((string)$questionsubmitted,(string)$currentcheck);
echo $foundvalue;
if ($foundvalue==0) {
$alerter2="true";
} else { }
}
if (!($alerter2=="true")) {
$sql="INSERT INTO Persons (Name, Email, Question)
VALUES
('$_POST[name]','$_POST[email]','$_POST[question]')";
} else {
echo "Please only post appropriate questions";
}
For some reason, whenever I run this, stripos returns 0 every time for every iteration. It's supposed to be a filter, and using echo I found that stripos is 0 every time that it appears. However, when I use 0 in the if, it returns true for even those that don't have the word in them.
Where should I use mysql_real_escape_string? After the query? Note, I am making this a piece of code where I want user input to be saved to a database.
stripos return false if the value is not found, or 0 if it is the first character. Problem is, php automatically cast boolean to the 0 integer or the 0 integer to false. So I think a cast is happening here and thus the condition don't do what you want.
You can use === to also check the type of the variable :
if ($foundvalue === 0) {
$alerter2="true";
}
There's more details about this problem in the linked documentation for stripos.
You should also remove the empty else clause for a cleaner code and use mysql_real_escape_string to sanitize the values before putting them in your database.
You need to change
if ($foundvalue==0)
to
if ($foundvalue===0) // three equals signs
or something equivalent, depending on your logic (I didn't quite understand what's going on).
But as everyone says, THIS CODE IS OPEN TO SQL INJECTION ATTACKS (among other problems).
Also,
$questionsubmitted=strtolower($_POST[question]);
should probably be:
$questionsubmitted=strtolower($_POST['question']);