I am using PHP and have session_start(); and $_SESSION['username'] at the top of the page. The user is logged in just fine.
The problem is, I am trying to pull and display data from just the user that is logged on. Below is my current query and it is pulling from the first user in the table, not $_SESSION['username'] user. How do I adjust SELECT to specify to pull from the current logged on user? Thanks.
$result = mysql_query("SELECT * FROM members")
or die(mysql_error());
$row = mysql_fetch_array( $result );
echo "<strong>bio:</strong> ".$row['bio'].'<br />';
mysql_query('SELECT * FROM members WHERE username = "'
. mysql_real_escape_string($_SESSION['username']) . '"')
or trigger_error(mysql_error());
You should read up on SQL and while you're at it, learn about SQL injections.
You need to use the WHERE clause. It should be explained in the first chapter of any SQL manual:
SELECT foo, bar
FROM members
WHERE members_id=31416
You should look into the SQL WHERE clause.
you need to supply a WHERE clause to your query specifying which data you wish to retrieve. Xeon06 is right, this is SQL 101.
Related
The question is, I have an ID, username and a password for each user.
What is the syntax to get the ID based on a specific username and password.
I have this code but it doesn't seem to work :S
$dbusername=$row['user']; //php
$dbpassword=$row['password']; //php
$userID = mysql_query("SELECT [$dbusername], [$dbpassword]' FROM users WHERE ID = $_GET[id]");
mysql_query("UPDATE users SET lastactivity = ".time()." WHERE ID = ".$userID);
mysql_query with a SELECT statement returns a resource type, not the value you expect to have it. You need to use more commands there. Please check the documentation. It has several examples.
NEVER use mysql_* functions, always use PDO or mysqli.
Example: http://br2.php.net/manual/en/pdostatement.fetch.php
mysql_query doesn't return columns from the database. It returns a query object. You must then fetch rows from the database based on the query object. Please read the mysql documentation carefully. Better still, stop using mysql and use mysqli instead. http://php.net/manual/en/book.mysqli.php
Here's the problem i'm having.
I've created a login page where the user enter his name and pass to enter. The database has already been created and i store the entered login info in session variable.
On clicking submit, i redirect the user to the page where php accesses the mysql database and searches the database for the user name and pass combination using session variables.
And there is the problem. The session variables cannot access the database table entries.
here is my code :
<?php
//starting the session
session_start();
//connecting to database and table "testdb"
#mysql_connect("localhost","root","") or die("no connect");
#mysql_select_db("testdb") or die ("no select");
//the session variables holding the username and password
//trying to access the entries in table named "table"
$sql="SELECT * FROM `table` WHERE name='.$_SESSION['uname'].' AND
pass='.$_SESSION['pass'].'";
$query=mysql_query($sql);
//printing the result which is just one entry
while($result=mysql_fetch_array($query))
{
echo $result['name'].' ';
echo $result['pass'];
}
?>
i don't know what the error is or if i'm using the syntax wrong.
i've not written comments on the actual code...this is just an identical example :D
I'm not looking for alternates cause i'm in the learning stages as of now. So any fix to this code will be greatly appreciated.
PS: I don't know java script.
Your string syntax is incorrect and this will actually generate a parse error
$sql = "SELECT * FROM `table` WHERE name='" .$_SESSION['uname']. "' AND
pass = '" .$_SESSION['pass'] ."'";
You need to actually close the string before using $_SESSION['key'], or leave off the quotes so it will be interpolated.
This code is also highly vulnerable to injection. You should use parameterized queries with PDO.
$stmt = $pdo->prepare("SELECT * FROM `table` WHERE name = ? AND pass = ?");
$stmt->execute(array($_SESSION['uname'], $_SESSION['pass']));
Your query has syntax errors. You either need to put double quotes around your sessions values or use curly brackets instead. Try -
$sql="SELECT * FROM `table` WHERE name='".$_SESSION['uname']."' AND
pass='".$_SESSION['pass']."'";
or
$sql="SELECT * FROM `table` WHERE name='{$_SESSION['uname']}' AND
pass='{$_SESSION['pass']}'";
Most obvious is that this is totally vulnerable to SQL Injection attacks. But ignoring that ...
$sql="SELECT * FROM `table` WHERE name='.$_SESSION['uname'].' AND pass='.$_SESSION['pass'].'";
... should be ...
$sql="SELECT * FROM `table` WHERE name='".$_SESSION['uname']."' AND pass='".$_SESSION['pass']."'";
I am using the stored $_SESSION username (stored in the $username variable) to obtain the user's id using the following query in PHP:
$query = mysql_query("SELECT id FROM users WHERE username = '".$username."'");
I then process the query result as follows:
$userid = mysql_fetch_row($query);
Because I am logged in as a demo user, the user id that this query should return is: 12. However, when I echo $userid['id'] I get this output:
1111
Is this not a proper way of processing the data from the query? Should I be using mysql_fetch_row() if I am only expecting a single result?
I have also tried running the query in PHPMyAdmin and it returns the expected result just fine.
fetch the results using:
$query="SELECT id FROM users WHERE username ='$username'";
$res=mysql_query($query);
while($row=mysql_fetch_row($res))
{
$id=$row[0]; //change to the column number you are using to store id
}
try this
while($userid = mysql_fetch_array($query))
{
echo $userid['id'].'<br />';
}
Your query is vulnerable to SQL injection attacks and you are using deprecated libraries which will be removed from future versions of PHP.
I recommend moving to mysqli (documentation), which will help to protect you from injection attacks with its prepared statements (documentation).
Your query appears correct. If you run SELECT id FROM users WHERE username = 'demo' in PHPMyAdmin or SQL command line, what do you get? Is username a UNIQUE field or do you have two accounts called demo?
Why does this PHP code (mysql_query to delete a row where user name is $phpVar) do nothing?
mysql_query("DELETE FROM xraydeath WHERE user = $user");
Probably because you forgot to quote the $user parameter also, please escape variables goes into sql query strings. If that parameter is connected directly to user input someone might submit ' or 1=1 -- and your whole table gone. This idea know as sql injection.
note: the old mysql_* functions are now deprecated, you should avoid using them, see the alternatives.
You need to put quotes around strings like this:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
you forgot the quotes around the user:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
What are you expecting? How it fails? Mysql_query is not suppose to do anything in the form that you are using it, except sending the query to the server.
$result = mysql_query (...);
// use the result if any.
if (!$result) {
die('Invalid query: ' . mysql_error());
}
// check the error that you might have
you need to put $user into quotes
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
also DELETE will succeed if even no rows where deleted, so to get how many rows where actually deleted use mysql_affected_rows()
$x = mysql_query("..");
echo "There were ".mysql_affected_rows()." rows affected";
**Try not to use mysql_* switch to PDO instead.
Assuming xraydeath.user is a character type, the value needs to be enclosed in quotes. If $user does not already contain the quotes, try:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
And for kicks, try setting $user = "' OR '1'='1";! (Read up on SQL injection attacks and you should really switch to mysqli!)
It's also possible the table does not have a matching row, and therefore nothing will be deleted. Without knowing what you have assigned to $user and your data there is no way to know.
try this one:
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."'");
or
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
every php variables that used in mysql, put them into '".$variable."'
First : mysql is deprecated. you should use mysqli.
Second : What kind of type is user?
if is int :
(object oriented style)
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` = '".$user."'");
if is varchar (string) :
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` LIKE '".$user."'");
or
(procedurel syle)
mysqli_query((your mysqli link), "DELETE (what you want) FROM xraydeath WHERE `user` LIKE/= '".$user."'");
Hope it helps
Im a php/mySQL newbie and am trying to get the hang of it. I have code to detect whether i get a username/password match, and now im trying to get the userid field so i can update the record. Heres what I have so far:
$sql = "SELECT username FROM users WHERE username='$username' AND password='$password'";
$result = $link->query($sql) or die(mysqli_error());
Using print_r($result) shows that there is an item, but im lost from here on out.
Try this.
$sql = "SELECT username FROM users WHERE username='$username' AND password='$password'";
$result = $link->query($sql) or die(mysqli_error());
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
$userID= $row['username'] ;
// If you need other field as userID just change the sql and the index of $row according to that.
}
EDIT
If you want to get only one row.
if($result->num_rows==1)
{
$row = $result->fetch_array(MYSQLI_ASSOC);
$userID = $row["username"];
}
Perhaps this will help. In any programming language, running an SQL query is going to consist of these steps:
Build the text of the SQL statement that you want to run.
(Optional) If your statement involves the use of parameters (or "placeholders"), prepare an array of the parameter-values that are to be substituted for each of them.
("Prepare" and...) "Run" the query, on some previously-opened "database connection." (In your example, "$link" must correspond to that connection.) This gives you a handle (you called it "$result") that corresponds to the zero-or-more rows that were returned by that query.
Now, use that handle to retrieve each of these rows, one at a time, until there are no more or until you're tired of doing it.
(Optional) Be neat and tidy and "close" the handle, thus indicating to the database system that it can discard all of the resources it was using to furnish those rows to you.
"Those, in simple terms, are the basic steps that every program in the known universe are going to go through," and if you now browse again through the PHP documentation, you'll see that there are functions that correspond to each of these steps. Browse through the chapters you've been reading and see if you can now match the up to the scenario I just described. HTH...