
IF Statements


gnetuk


Hi all

 

It's me again. I've been trying to get this to work for ages now on my own with no joy, so I'm gonna need a little help.

 

OK, I have a login page and I want the page to log in and redirect to another page if the password matches a certain field.

 

IF $_POST[pwd] = empid

 

then goto setpass.php

 

 

Just need the code as my coding is not working

 

 

 

Link to comment
Share on other sites

Perhaps if you did some research on the proper syntax you would see what's wrong with that line.

 

1 - indices of an array should have quotes around them.

 

2 - php variables begin with a dollar sign.  Constants do not.  If you are in fact using a var here, then you need to fix it.

 

3 - While PHP does offer a goto statement, you should know that the use of a 'go' or 'goto' in any language for the last 20+ years has been frowned upon. My suggestion is that you avoid using one like the plague. Structure your code properly and you will find you have no need for this anachronism and in turn you will write better, more understandable code.

Link to comment
Share on other sites

 $md5pass = md5($_POST['pwd']);

$selectuser="SELECT empid FROM users WHERE empid='$_POST[pwd]'";
$selectuser2=mysql_query($selectuser);
$selectuser3=mysql_fetch_array($selectuser2);

if ($selectuser3[empid]=$_POST['pwd'])
	{	
	//die ("ERROR: password is empid.");
	header("Location: setpass.php?msg=ERROR: you dont have the password....");
	
    
  
}

That was not code, that was just what I wanted to do. I cannot write code as I'm self-taught in PHP.

Here is my code.

Link to comment
Share on other sites

Couple things I see here. First off, you're encrypting the password from $_POST, but then not using it in the SQL statement. If the password data in the database table is encoded (which it should be), you'll never get a match like that. And because you're using the encrypted password as a condition in the SQL statement, it's only going to return results that match; a simple count should suffice. Check that the count in the result set is 1 and you're good to go. Finally, as ginerjm pointed out, non-numerical array indices should be surrounded by quotes. Last but certainly not least, move to mysqli or PDO from the deprecated and soon-to-be-removed mysql library.

 

Something like this:

$md5pass = md5($_POST['pwd']);
$qry = "SELECT COUNT(*) AS numUsers
        FROM users
        WHERE empid='{$md5pass}'";
$sql = mysql_query($qry);
$res = mysql_fetch_array($sql);
if($res['numUsers'] != 1){
    header("Location: setpass.php?msg=ERROR: you dont have the password....");
}
Link to comment
Share on other sites

Hi, I'm going to try it out, but it's if the empid matches the password they use to log in with.

Basically the user registered, their password is their empid, then when they log in with their $_POST pwd, which is not in md5 format, if it is the same as empid then to go to the setpass page.

See what I mean, the md5 will always be encrypted, that's a separate field in my db.

Link to comment
Share on other sites

So basically you're (not exactly, but kind of) creating a temporary password that matches the user name when a user registers, right? In that case, don't bother encrypting the _POST['pwd'] value before you do the comparison. The rest of it should work for you, though - you've got the empid already, so there's not really a need to pull that from the database before you redirect the user; this means a simple count should still work as described above with only a couple tweaks. You may want to extend this to select only records where empid == $_POST['pwd'] and your password field is empty - this could help disambiguate the record and also make certain it's a new user that has a user name but not a password. However, that's internal business logic and not my place (I just thought I'd throw it out there).

$qry = "SELECT COUNT(*) AS numUsers
        FROM users
        WHERE empid='{$_POST['pwd']}'";
$sql = mysql_query($qry);
$res = mysql_fetch_array($sql);
if($res['numUsers'] == 1){
    header("Location: setpass.php?msg=ERROR: you dont have the password....");
}

Please note the above does not even begin to deal with any database safety and I wouldn't ever recommend putting a user-submitted value directly into a query string without some sort of sanitization.

Link to comment
Share on other sites

Weird - what's happening now? Is it not redirecting at all or is it throwing an error? Try var_dump()'ing $res as well as printing the $qry string just to make sure you've got everything you need. I'm assuming you've got error_reporting() turned on and set to report all errors, right?

Link to comment
Share on other sites

		}

$pwd = ($_POST['pwd']);
$qry = "SELECT empid
        FROM users
        WHERE empid='{$pwd}'";
$sql = mysql_query($qry);
$res = mysql_fetch_array($sql);
if($res['pwd'] != 1){
    header("Location: setpass.php?msg=ERROR: you dont have the password....");
}else
// All this does is make every user whose empid does not match go to setpass.php (I only want users that match to go, to prompt them to change their password)

		{

		header("Location: myaccount.php");

		}

		//echo "Logged in...";

Hi, when the user enters their password in the pwd field I need the SQL to check the empid in the database (this is not md5 encrypted),

then if the empid = the post password they entered then it will go to the prompt to change the password.

Link to comment
Share on other sites

You need to take your time and really understand what you are doing. Programming is an exacting science.

$qry = "SELECT empid
        FROM users
        WHERE empid='{$pwd}'";
$sql = mysql_query($qry);
$res = mysql_fetch_array($sql);
if($res['pwd'] != 1){

Look at what the query is SELECTing. Then, look at what you are comparing in the if() condition. You are checking the value of $res['pwd'] which was not included in the SELECT statement. So, that index does not exist - thus $res['pwd'] will always be NULL.

 

Further, the condition check makes no sense. Even if you did select 'pwd' wouldn't it always be something other than 1? You should be checking the count of the records returned - not the value of the record that was returned.

$query = "SELECT empid
          FROM users
          WHERE empid='{$pwd}'";
$result = mysql_query($query);

if(!mysql_num_rows($result))
{
    header("Location: setpass.php?msg=ERROR: you dont have the password....");
}
else
{
    //Password matches an employee ID
}
Edited by Psycho
Link to comment
Share on other sites

Psycho's correct - don't select the actual empid, select the count of returned records. Check the SQL in post #6 to see the difference in the SELECT line, or use mysql_num_rows() as in the post above. Either way, make sure you're comparing integer to integer, and you should optimally only get one returned row in the recordset.

Link to comment
Share on other sites


////////////////////////////////////Psycho copyright

}else
$pwd = ($_POST['pwd']);

$query = "SELECT empid
FROM users
WHERE empid=$pwd";
$result = mysql_query($query);

if(!mysql_num_rows($result))
{
header("Location: setpass.php?msg=ERROR: you dont have the password....");
}else


//Password matches an employee ID thanks to Psycho////////////////////////////////////////////

//This forum is the best. I'll be honest, I know very little about
//PHP apart from asking you guys for code. I do understand, but it's
//hard for me as I can only read it atm. I'm still gonna plod along
//best I can..........

//Psycho, you did it. Here's my bit I added that worked (and I won't
//be lazy; education like you gave is far better than someone just
//handing it to me on a plate)





Link to comment
Share on other sites

varchar(200) latin1_general_ci  

No

 

is this it?

 

 

So, does the "No" above mean you don't see the employee IDs in the database as you would expect? If so, then that would definitely be why using the other employee IDs is not generating the result you want. And, why the hell would you need a 300 character field for employee IDs?

Link to comment
Share on other sites

////////////////////////////////////Psycho copyright

		} else 
$pwd = ($_POST['pwd']);

$query = "SELECT empid
          FROM users
          WHERE $pwd='empid'";
$result = mysql_query($query);

if ($pwd=$result)
{
    header("Location: setpass.php?msg=ERROR: you dont have the password....");
}else 

Sorry to spam, this is working now; as long as the first character in the empid field has one letter it will work. Is it my SQL table that's causing the problem?

Link to comment
Share on other sites

You've got a couple things wrong here, I think. Try this:

$pwd = ($_POST['pwd']);

$query = "SELECT empid
          FROM users
          WHERE empid='{$pwd}'";
$sql = mysql_query($query);
$result = mysql_fetch_assoc($sql);

if ($pwd == $result['empid'])
{
    header("Location: setpass.php?msg=ERROR: you dont have the password....");
}

First off, the SQL was a bit malformed - on line 5 it looks like you're using the value in $pwd as the column header, and the value has to be 'empid'. You're also not actually getting the result set from the query process. By calling mysql_fetch_assoc(), you're putting the result set into an associative array (line 7). You were also using the assignment operator (=) in your comparator on line 9. Use the comparison operator (==).

Link to comment
Share on other sites
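
The check this thread converges on, written as an added example (not code from any poster) with PDO and a bound parameter, following the earlier advice to move off the mysql_* functions and not to place a user-submitted value directly in the query string. The in-memory SQLite table, the sample IDs, the function names and the redirect message are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Returns true when the submitted password equals an existing empid,
// i.e. the account still uses the temporary password described in the thread.
function passwordIsEmpid(PDO $db, string $submitted): bool
{
    // The value is bound as a parameter, never interpolated into the SQL text,
    // so quotes or letters in it cannot change or break the query.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE empid = :pwd');
    $stmt->execute([':pwd' => $submitted]);
    return (int) $stmt->fetchColumn() === 1;   // integer-to-integer comparison
}

// Chooses the redirect target; kept apart from header() so it can be checked alone.
function loginRedirectTarget(PDO $db, string $submitted): string
{
    return passwordIsEmpid($db, $submitted)
        ? 'setpass.php?msg=' . rawurlencode('Please set a new password')
        : 'myaccount.php';
}

// Constructed sample data: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (empid VARCHAR(200) PRIMARY KEY)');
$db->exec("INSERT INTO users (empid) VALUES ('A1001'), ('20045')");

// Constructed inputs: a matching ID, a non-matching value, and one containing a
// quote, which would be a syntax error if pasted into the SQL string.
foreach (['A1001', 'secret', "x'y"] as $input) {
    printf("%-8s -> %s\n", $input, loginRedirectTarget($db, $input));
}

// In the real login handler (after the existing credential check succeeds):
//   header('Location: ' . loginRedirectTarget($db, $_POST['pwd'] ?? ''));
//   exit; // stop the script so nothing after the redirect runs
```

Against MySQL only the PDO connection string changes; the prepared statement and the comparison stay the same.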
