PHP if statement not registering, or something.

[Cultureshock]

I created a very small log in script. As you can see, the post information is identified as $user and $pass. When echoed they both appear as the information submited through the form on index.php. Next is database stuff. When $obtainnumber is echoed, it is echoed as "1."

However the if statement (if($obtainnumber==1)...) does not work and I'm always sent to the else statement!?

Can someone see any problems in the code that would make the echo work but not the if statement? I've made similar codes (executing certain codes if the mysql_num_rows is a certain number, such as 1 or 0.) in the past that have worked.

Thanks in advance.

 

 

<?php
$user=$_POST['username'];
$pass=$_POST['password'];

mysql_connect("localhost", "example", "example") or die(mysql_error());
mysql_select_db("example") or die(mysql_error());

$obtainlogin=mysql_query("SELECT * FROM networks WHERE username='$user' && password='$pass'");
$obtainnumber=mysql_num_rows($obtainlogin);

if($obtainnumber==1){
$obtained=mysql_fetch_array($obtainlogin);
$_SESSION['id']=$obtained['id'];
$_SESSION['username']=$obtained['username'];
header('location:/index.php?success=login');
}else{
header('location:/index.php?problem=login');
};

?>

 

 

[waynewex]

Firstly, you're not cleaning those incoming POST variables with mysql_real_escape_string().

 

Secondly, have you thought about hashing your passwords so that they don't get stored as plaintext (md5, sha1 etc)?

 

Thirdly, have you made sure that two accounts can't have the same login combination? That can be done by not allowing email addresses that are already registered or by requiring the user to verify his/her email address before loggin in. Two or more accounts having the same login on your system would cause all of those accounts to get "locked out".

 

Fourthly, you should be checking for errors in your queries by doing this:

 

$obtainlogin=mysql_query("SELECT * FROM networks WHERE username='$user' && password='$pass'") or trigger_error(mysql_error());

 

[MatthewJ]

I'll gloss over all of the hand holding because I figure you will secure the script when the time comes to put it in production. But I think waynewex may be on to something... The code looks like it should work, so I would suggest you're either getting no rows in the match, or more than 1 row.

 

If statements generally don't tend to "not work"

[Cultureshock]

@waynewex

I said it was a small script? As in I haven't added all that yet? And all emails, usernames, and ids are unique, but thanks anyways.

 

If you have pertinent comments (such as an answer to the problem that I posted) feel free to contribute them I'd love the help!

 

And the query is fine, as it's being echoed as 1, meaning it found the connections.

 

@MatthewJ

Thanks. haha But no, there's not more then one because there's only two fake "accounts" right now, lol. And like I said when it's echoed the mysql_num_rows comes out as 1, not 2 or 0 or 5 or 1000.

[PFMaBiSmAd]

There's nothing logically wrong with the code. It is more likely that index.php contains an error that is causing you to think that the login code took an incorrect execution path.

 

Have you commented out the two header() redirects and put in echo statement of something so that you know for a fact which execution path the code is taking and it would take seeing your index.php in order to determine if it is responsible for the symptom.

 

You also don't have a session_start() statement in the posted code, so if the overall symptom is your log in form being redisplayed, then it is likely due to the $_SESSION variables not existing outside of the posted code.

[Cultureshock]

@ PFMaBiSmAd

Aaah! THAT'S WHY

I knew I'd done something stupid. I forgot session_start(). I fail at life.

Thanks so much!

 

(Though I feel stupid now... lol)