sonnieboy Posted September 15, 2016 (edited)

Greetings again experts.

When users log in, they are directed to a particular page based on whether or not they have already registered before.

If the user is registered, s/he is redirected to a particular page indicating s/he is already registered with some information about the benefits of being a member.

If that user has not yet registered, s/he is redirected to registration form.

This is not working particularly well.

Example: here is the code that does the redirecting. By the way, I am using custom code for ms_escape_string()

```php
// Look up the submitted user name and password
$strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum
           FROM users u
           inner join EmployeeData e on u.Employee_Id = e.EmpNum
           inner join tblTBA t on u.Employee_Id = t.Employee_Id
           WHERE USERNAME = '".ms_escape_string($_POST['user'])."' and PASSWORD = '".ms_escape_string($pass)."' ";
// echo $strSQL;
$sqll = sqlsrv_query($con, $strSQL);
if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    // A row came back: go to the "already registered" page
    $firstname = $objResult["empl_first"];
    $_SESSION["firstname"] = $objResult["empl_first"];
    header('location:registered.php?user=' . urlencode($firstname));
}
else
    // No row: go to the registration form, passing the submitted values along
    header("location:register.php?user='".ms_escape_string($_POST['user'])."'&pass='".ms_escape_string($_POST['pass'])."' ");
```

The problem I am having is with grabbing the values passed to register.php.

```php
$strSQL = "SELECT u.empl_first, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum
           FROM users u
           inner join EmployeeData e on u.Employee_Id = e.EmpNum
           WHERE USERNAME = ? and PASSWORD = ? ";
//echo $strSQL;
// The values from the query string are bound as parameters
$params = array($_GET["user"], $_GET["pass"]);
$sqll = sqlsrv_query($con, $strSQL, $params);
```

When I use this code:

It works because my form gets populated with the records queried from the database, but I know that code has SQL injection attack written all over it.

However, when I use the following code, my form is not getting populated.

What could I be doing wrong?

Thanks a lot in advance for your help

Edited September 15, 2016 by sonnieboy

mac_gyver Posted September 16, 2016

> If that user has not yet registered, s/he is redirected to registration form.

if someone tries to log in and the entered username/password combination doesn't match, that doesn't mean they haven't registered. what if they mistyped the value for either field? you would output a generic 'The username/password didn't match' message for this case and let them try to log in again.

if the current visitor is not logged in, you would provide a link to the registration page, near the login form, for them to click on if they desire to register.

> If the user is registered, s/he is redirected to a particular page indicating s/he is already registered with some information about the benefits of being a member.

you would do this when they register, not when they log in.
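
Added example, not part of either post: the script below shows what register.php would find in $_GET when the redirect wraps the value in literal quotes, as the header() call in the first post does, next to the same redirect built with http_build_query(). The user names and the helper names query_params(), redirect_as_posted() and redirect_encoded() are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample values are constructed.

// Return the parameters register.php would find in $_GET for a redirect target.
function query_params(string $location): array
{
    $query = (string) parse_url($location, PHP_URL_QUERY);
    parse_str($query, $params);   // decodes a query string the way PHP fills $_GET
    return $params;
}

// Redirect target with literal quotes around the value, as in the first post.
function redirect_as_posted(string $user): string
{
    return "register.php?user='" . $user . "'";
}

// Redirect target with the value URL-encoded and no added quotes.
// The password is deliberately not included: query strings are recorded
// in server logs and browser history.
function redirect_encoded(string $user): string
{
    return 'register.php?' . http_build_query(['user' => $user]);
}

foreach (['jsmith', "o'brien&co"] as $user) {   // constructed user names
    foreach (['redirect_as_posted', 'redirect_encoded'] as $build) {
        $location = $build($user);
        // $received is the value that would be bound to "WHERE USERNAME = ?"
        $received = query_params($location)['user'] ?? null;
        printf(
            "%-18s %-42s received=%s same_as_input=%s\n",
            $build,
            $location,
            var_export($received, true),
            var_export($received === $user, true)
        );
    }
}
```

With the quoted form the quote characters arrive as part of the value, so a bound parameter is compared against a string that includes them; with concatenation those same characters end up acting as the SQL string delimiters.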