sudsy1970 Posted November 25, 2008

hi, am having some trouble when comparing email addresses. i have my code all worked out and it is working as long as i use a username or surname, however i am wanting to put in an email address. I have echoed the email addy stored in the database and then copied that into my form exactly and yet when i compare the two, the result tells me there are no valid accounts. I know that to be untrue. Am i missing something simple or is all this just mad?

    mysql_select_db("db0274148",$dbServer);
    $sql = "SELECT * FROM users WHERE username=\"". $_POST["myEmail"]."\"";
    $queryResult=mysql_query($sql);

    // If = $queryResult equals nothing then there are no users listed with that username
    // Else send an email to the registered email address held in the database with the correct password
    if (mysql_num_rows($queryResult)==0)
    {
        echo"Sorry there are no accounts with that username<br>";
        echo ("<br><a href=\"forgotuser.html\">Enter Username again ?</a><br>");
        echo ("<br><a href=\"homepage.php\">Return to the Homepage</a>");
    }

revraz Posted November 25, 2008

See if this works better

    $sql = "SELECT * FROM users WHERE username= '{$_POST['myEmail']}'";

If not, echo $sql and see what it shows.

trq Posted November 25, 2008

Firstly. Never use unsanitised data within your queries.

Does your username field contain email addresses? Are you trimming the submitted data before trying to make the comparison?

eg;

    $email = mysql_real_escape_string(trim($_POST['myEmail']));
    $sql = "SELECT * FROM users WHERE username='$email'";

sudsy1970 Posted November 25, 2008

Ahhhh thanks for that, of course i needed to change the field and no i had not trimmed!

erm while i am on, a thought just occurred to me. If a new member registers and has an irish name like o'rouke would mysql throw its teddies out the cot?

DeanWhitehouse Posted November 25, 2008

Use htmlentities(); first

trq Posted November 25, 2008

> Use htmlentities(); first

No. Data needs to be escaped, not modified. Use mysql_real_escape_string.

flyhoney Posted November 25, 2008

> Ahhhh thanks for that, of course i needed to change the field and no i had not trimmed!
>
> erm while i am on, a thought just occurred to me. If a new member registers and has an irish name like o'rouke would mysql throw its teddies out the cot?

As long as you always use mysql_real_escape_string to escape strings in your queries you should have no problems.

sudsy1970 Posted November 25, 2008

cool thanks guys you're the best

DeanWhitehouse Posted November 25, 2008

@thorpe, I said first not instead.

trq Posted November 25, 2008

> @thorpe, I said first not instead.

Still, why modify the data?

DeanWhitehouse Posted November 25, 2008

To make it safe to print on screen (if he does later, saves him doing so) and to stop it from affecting the query (although i think mysql_real_escape_string(); might stop that).

trq Posted November 25, 2008

> To make it safe to print on screen (if he does later, saves him doing so) and to stop it from affecting the query (although i think mysql_real_escape_string(); might stop that).

Data should be stored in its raw format IMO. If you need to format it for the web, do so when displaying it for the web, not before storing it.

flyhoney Posted November 25, 2008

Unless you are 100% sure you don't want HTML in the string. It's often smart to use strip_tags to avoid XSS and the like.

DeanWhitehouse Posted November 25, 2008

@thorpe, that is just a matter of opinion.

trq Posted November 25, 2008

> @thorpe, that is just a matter of opinion.

You think so? What if your client (let's pretend) turns around and decides that they want to use the same user database for an in house desktop application that you're using for your web application (it does happen)? Doing it your way means your original data is corrupted / difficult to use.

DeanWhitehouse Posted November 25, 2008

Hmm, i suppose lucky it hasn't happened to me yet and that i don't modify it before i put it in (much)
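
Added example, not part of the thread and not any poster's code: the points made in trq's and flyhoney's posts (keep submitted values out of the SQL text, store them raw, encode only when printing HTML), shown with PDO prepared statements in place of mysql_real_escape_string, since the mysql_* functions used above were removed in PHP 7.0. It assumes the pdo_sqlite extension; the in-memory SQLite database, the surname column and the sample rows are constructed for the example.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// thread's MySQL database so the script runs offline; the PDO calls are the
// same with a mysql: DSN. Table layout and sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, surname TEXT)');

// Store values exactly as submitted (trimmed only): no htmlentities(), no strip_tags().
function addUser(PDO $db, string $username, string $surname): void
{
    $stmt = $db->prepare('INSERT INTO users (username, surname) VALUES (:u, :s)');
    $stmt->execute([':u' => trim($username), ':s' => trim($surname)]);
}

// Look up by the value from the form; the placeholder keeps it out of the SQL text,
// so an apostrophe in the value cannot end the string literal.
function findUser(PDO $db, string $submitted): ?array
{
    $stmt = $db->prepare('SELECT username, surname FROM users WHERE username = :u');
    $stmt->execute([':u' => trim($submitted)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

addUser($db, "  o'rourke@example.com ", "O'Rourke");
addUser($db, 'sam@example.com', '<b>Smith</b> & Sons');

// Constructed form inputs: padded address with an apostrophe, a plain address,
// and an address that is not registered.
$inputs = [" o'rourke@example.com\n", 'sam@example.com', 'nobody@example.com'];

foreach ($inputs as $input) {
    $user = findUser($db, $input);
    if ($user === null) {
        echo "no account for: ", json_encode($input), "\n";
        continue;
    }
    // Raw value: what a non-web consumer of the same database would read.
    echo "raw:  ", $user['surname'], "\n";
    // Encode only at the point of HTML output.
    echo "html: ", htmlspecialchars($user['surname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run it with `php` on the command line; the raw and HTML-encoded lines differ only for output, while the stored surname keeps its apostrophe and markup unchanged.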